Feb 26, 2011 14:51 GMT

A new mass phishing attack targeting Swiss credit card owners was seen using pages signed with a fake and expired SSL certificate.

According to security researchers from Symantec, the attackers used a large number of domains pointing to the same IP address and server.

The phishing page was signed with a certificate that was issued to a Web hosting company back in 2006, but expired in 2007.

It's not really clear what the phishers tried to achieve with the technique, because trying to open such a page in modern browsers will generate an error.

Users would have to manually add an exception in order to load the page, and it's unlikely they would trust it after the browser displayed the big security warning.

However, one might wonder why there aren't more phishing attacks around that use valid SSL certificates. The answer is probably that it isn't worth the trouble.

Cybercriminals hardly go the extra mile in their attacks unless they have a reasonable belief their effort will be substantially repaid.

There are mainly two ways to create an SSL-protected phishing page. One is, obviously, to buy an SSL certificate from a certification authority, but this has the big drawback of being stuck with a particular domain name.

If security researchers manage to get the domain name suspended, the SSL cert cannot be reused. This isn't a very efficient strategy for phishers.

The second method is to compromise a website that already has SSL support and host the phishing page under the same domain.

Phishing attacks using this technique have been documented in the wild before, but they never really reached the mainstream because maintaining a constantly updated pool of hacked SSL websites to use in phishing attacks is no easy task.

Nevertheless, the existence of attacks like these, even based on expired certificates, suggests that phishers are not abandoning the idea and there is always the chance that one will break away from the pack and do things differently.