A PayPal phishing page has been discovered on the official web portal of the Johor state police in Malaysia. It was used to trick users into surrendering their PayPal login credentials, and because the site carries a valid SSL certificate, the fake login page was served over HTTPS with no browser warning.
The alarm was raised by Netcraft, an Internet services company from Bath.
The page in question mimics the PayPal login page, recreated in painstaking detail and served over HTTPS. The illusion of safety comes from the site's own SSL certificate: it was issued by a publicly trusted CA, so every major browser, Firefox and Safari included, accepts it without complaint and shows the usual padlock.
In the previous month alone, the company identified 234 trusted SSL certificates on websites hosting at least one known phishing page. 67 of them were issued by Symantec, including the one for the Johor police site; Comodo issued 42 of the certificates used for phishing, and GoDaddy 46.
“The SSL certificate for polisjohor.gov.my was issued by GeoTrust (a Symantec brand) back in 2011 and is valid for several more months. If Symantec wished to revoke the certificate to make the site inaccessible over HTTPS it could do so by updating its Certificate Revocation List or by providing on-demand OCSP responses noting its revocation,” explained Raz Popescu from Netcraft.
However, the certificate contains no OCSP URL, the pointer (carried in the Authority Information Access extension) that most SSL certificates have included since around 2005 and that browsers use to query a certificate's current status. Firefox relies on OCSP for revocation checks rather than downloading CRLs, so even if GeoTrust revoked the certificate via its CRL, Firefox would never learn of the revocation and would keep presenting the site as secure. Safari ships with OCSP checking switched off by default, so it would not notice either.
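How a client finds the OCSP responder in the first place, as an added example that is not part of the original article or of Netcraft's analysis: a browser reads the certificate's Authority Information Access extension (RFC 5280, section 4.2.2.1) and looks for an AccessDescription whose accessMethod is id-ad-ocsp. The code below builds sample extension values with a minimal DER encoder and parses them back the way a client would; the extension values and the placeholder URLs are constructed here, not taken from the real polisjohor.gov.my certificate, and the function names are the example's own.

```python
from __future__ import annotations
from typing import Iterator, Optional

# Object identifiers from RFC 5280, section 4.2.2.1 (Authority Information Access)
OID_AD_OCSP = "1.3.6.1.5.5.7.48.1"        # accessMethod for an OCSP responder
OID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # accessMethod for the issuer certificate

TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_URI = 0x86  # GeneralName: uniformResourceIdentifier [6] IMPLICIT IA5String


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(TAG_OID, bytes(out))


def decode_oid(body: bytes) -> str:
    first, second = divmod(body[0], 40)
    arcs, value = [first, second], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def der_iter(data: bytes) -> Iterator[tuple[int, bytes]]:
    """Yield (tag, body) for each TLV packed back to back in `data`."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the size
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise ValueError("truncated DER element")
        yield tag, data[i:i + length]
        i += length


def encode_aia(access: list[tuple[str, str]]) -> bytes:
    """Build an AuthorityInfoAccessSyntax value: SEQUENCE OF AccessDescription."""
    descs = b"".join(
        der_tlv(TAG_SEQUENCE, der_oid(method) + der_tlv(TAG_URI, uri.encode("ascii")))
        for method, uri in access
    )
    return der_tlv(TAG_SEQUENCE, descs)


def parse_aia(extn_value: bytes) -> dict[str, list[str]]:
    """Map each accessMethod OID to the URIs listed for it in the AIA extension."""
    items = list(der_iter(extn_value))
    if len(items) != 1 or items[0][0] != TAG_SEQUENCE:
        raise ValueError("AIA extension value must be a single SEQUENCE")
    found: dict[str, list[str]] = {}
    for tag, desc in der_iter(items[0][1]):
        if tag != TAG_SEQUENCE:
            raise ValueError("AccessDescription must be a SEQUENCE")
        fields = list(der_iter(desc))
        if len(fields) != 2 or fields[0][0] != TAG_OID:
            raise ValueError("AccessDescription must be {accessMethod, accessLocation}")
        method = decode_oid(fields[0][1])
        loc_tag, loc = fields[1]
        if loc_tag == TAG_URI:  # only URI locations are usable by a browser; skip other names
            found.setdefault(method, []).append(loc.decode("ascii"))
    return found


def ocsp_urls(extn_value: Optional[bytes]) -> list[str]:
    """OCSP responder URLs a client can query; empty when there is no AIA or no OCSP entry."""
    if extn_value is None:
        return []
    return parse_aia(extn_value).get(OID_AD_OCSP, [])


def revocation_reaches_ocsp_only_client(extn_value: Optional[bytes]) -> bool:
    """True if a client that checks revocation solely via OCSP could learn of a revocation."""
    return bool(ocsp_urls(extn_value))


# Constructed sample extension values (placeholder URLs, not from any real certificate).
WITH_OCSP = encode_aia([
    (OID_AD_CA_ISSUERS, "http://ca.example.test/issuer.crt"),
    (OID_AD_OCSP, "http://ocsp.example.test"),
])
CA_ISSUERS_ONLY = encode_aia([(OID_AD_CA_ISSUERS, "http://ca.example.test/issuer.crt")])
NO_AIA = None  # certificate carries no AIA extension at all, like the one in the article
```

Running `ocsp_urls` over the three samples gives one responder URL for the first and none for the other two, which is exactly the situation Netcraft describes: with no OCSP URL to query, a CRL-only revocation by the CA never reaches a client that checks revocation solely through OCSP.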
Netcraft notes that even Extended Validation certificates, which require the CA to vet the identity of the organisation behind the site but say nothing about how securely that site is run, have turned up on phishing pages in the past. In May 2013 it found five such cases: two of the misused certificates were issued by Symantec, and one each by Comodo, DigiCert and GoDaddy.