
Malaysian Police Website Found To Be Hosting A Phishing Page

A PayPal phishing page has been discovered on the official portal of the Malaysian police force for the Johor region. It was used to trick users into surrendering their login information, and the website served it over a valid SSL certificate.

The alarm was raised by Netcraft, an Internet services company from Bath.

Trust issues

The page in question looks like the PayPal login page, recreated in painstaking detail and available over HTTPS. The illusion of safety is created by an SSL certificate which is unconditionally accepted by several major browsers, including Firefox and Safari.

According to Netcraft, phishing pages often “piggyback” on compromised legitimate websites, abusing the trust visitors place in the organisation. For cybercriminals, this cuts down on hosting and certificate costs, and looks a lot less suspicious.

Just last month, the company identified 234 trusted SSL certificates on websites with at least one known phishing page. 67 of them were issued by Symantec, including the one for Johor police department. Comodo issued 42 certificates which were used for phishing, and GoDaddy – 46.

“The SSL certificate for polisjohor.gov.my was issued by GeoTrust (a Symantec brand) back in 2011 and is valid for several more months. If Symantec wished to revoke the certificate to make the site inaccessible over HTTPS it could do so by updating its Certificate Revocation List or by providing on-demand OCSP responses noting its revocation,” explained Raz Popescu from Netcraft.

However, the certificate doesn’t contain an OCSP URL, a feature included in the majority of SSL certificates since 2005 and used to periodically check their status, so Firefox, which relies on OCSP for revocation checks, would not learn of a revocation. In Safari, OCSP URL checking is set to ‘off’ by default.
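As an added illustration of the check implied by Netcraft’s point (this is not code from the article or from Netcraft), the Python script below uses the `cryptography` library, assumed to be installed, to read the OCSP and CRL pointers out of a certificate: a certificate with no OCSP URL, like the one described, leaves an OCSP-only client with nothing to query, however promptly the CA revokes it. The hostname and responder URL are constructed placeholders.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtensionOID, NameOID

OCSP = AuthorityInformationAccessOID.OCSP


def revocation_endpoints(cert: x509.Certificate) -> dict:
    """Collect the OCSP responder and CRL URLs a relying party could use to
    learn whether this certificate has been revoked."""
    ocsp_urls, crl_urls = [], []
    try:  # Authority Information Access carries the OCSP responder URL
        aia = cert.extensions.get_extension_for_oid(
            ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
        ocsp_urls = [d.access_location.value for d in aia
                     if d.access_method == OCSP]
    except x509.ExtensionNotFound:
        pass
    try:  # CRL Distribution Points carries the CRL download URLs
        cdp = cert.extensions.get_extension_for_oid(
            ExtensionOID.CRL_DISTRIBUTION_POINTS).value
        for dp in cdp:
            for name in dp.full_name or []:
                if isinstance(name, x509.UniformResourceIdentifier):
                    crl_urls.append(name.value)
    except x509.ExtensionNotFound:
        pass
    # A client that only speaks OCSP (the article's Firefox case) has nothing
    # to query when ocsp_urls is empty, however promptly the CA revokes.
    return {"ocsp": ocsp_urls, "crl": crl_urls, "ocsp_checkable": bool(ocsp_urls)}


def make_test_cert(with_ocsp: bool) -> x509.Certificate:
    """Constructed self-signed test certificate; hostname and URL are placeholders."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1)))
    if with_ocsp:
        builder = builder.add_extension(x509.AuthorityInformationAccess([
            x509.AccessDescription(OCSP, x509.UniformResourceIdentifier(
                "http://ocsp.example.test"))]), critical=False)
    return builder.sign(key, hashes.SHA256())
```

Run `revocation_endpoints` on a real certificate loaded with `x509.load_pem_x509_certificate` to see whether browsers that depend on OCSP could ever notice its revocation.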

Netcraft notes that even the Extended Validation certificates, which are supposed to be applied to completely secure services, have been used to host phishing pages in the past. In May 2013, it found five such cases. Two of the misused certificates were signed by Symantec, and one each by Comodo, DigiCert, and Go Daddy.


Max Smolaks

Max 'Beast from the East' Smolaks covers open source, public sector, startups and technology of the future at TechWeekEurope. If you find him looking lost on the streets of London, feed him coffee and sugar.
