January 02, 2006, 8:56 AM — Information theft scammers are increasingly spoofing SSL (Secure Sockets Layer) certificates in a bid to fool Web users, Netcraft Ltd. reports.
In the last year, the company has uncovered 450 phishing attacks using the bogus https technique.
The spoofing has taken a number of forms, which appear to be becoming highly sophisticated. They vary from exploiting browser flaws, to hacking legitimate sites or even just frames on these sites, as a way of presenting what appears to be a legitimate banking site to visitors.
More sophisticated still, certificates can be purchased for domains that sound similar to banking websites, allowing the criminals to present the SSL lock icon, normally taken as a security guarantee.
Even though such attacks will trigger browser warnings regarding the certificate spoofing, Netcraft believes that many ordinary users will simply ignore these messages and proceed.
"Those results, coupled with the growing number of phishing scams invoking SSL, should motivate certificate authorities and browser developers to redouble efforts to educate Internet users about certificates and SSL security warnings," Netcraft says in its website analysis.
