Phishing Scams Using Search Ads as a New Attack Vector

Unattended systems are a hackers best friend. That’s why at DigiCert we simply don’t offer cheap SSL Certificates as these certificate are processed by automated systems that never require human verification for security or identity checking.

Scammers recently began exploiting security holes in how Search Ads are displayed on search engine sites. The scam targeted users of the Bitcoin site Blockchain.

Scammers set up a phishing site on a similar domain, then paid for online exposure through search engine ads, even encouraging stating in the ad that “Other ads are all phishing site”. The phishing site then prompted users for a username and password which is never required by the real service.

This type of attack is likely to be extremely effective, as the ad displays the same domain name as the site it is targeting. …Showing the wrong display URL (green text) is forbidden by most ad networks’ policies; however, the fraudsters have evidently managed to bypass these restrictions. Without strict enforcement, the ability to specify the displayed destination leaves such advertising open to fraud.

-Paul Mutton, Security Researcher, Netcraft

Multiple Layers of Security Are Always Required

If users had enabled multi-factor authentication for stronger account security practices, scammers would have been unable to access their sensitive financial details. Multi-factor authentication generally implemented as two-factor authentication and requiring at least one additional form of verification in addition to a password is an effective measure to protect against password theft.

Service providers usually make available a number of additional verification options. DigiCert encourages users to enable at least one extra form of access authentication. In addition to IP address restriction, users can require a client certificate or one-time password as part of the login credential.

Verified and Trusted SSL Certificates

Certificates with no identity verification are frequently exploited by scammers and are often used for questionable purposes.

Encryption is encryption, but Domain-only Validated (DV) certificates, not every provider can offer complete verification of the identity of the certificate holder. The best SSL Certificates are never processed with automated systems, and they always include human review for security and identity verification. This includes providing:

  1. Trust that all SSL providers offer the same level of confidentiality
  2. Assurance of data integrity in communication
  3. Verification of the identity an SSL Certificate owner

With Extended Validation SSL Certificates and high assurance SSL Certificates, secure Internet transactions and communications really can be safe for users as they ensure that the people you connect with online really are who they claim to be.

SSL is more than just a padlock, it’s securing life. SSL Done right and made easy includes, going through an identity verification to give users the benefit of trust that the party on the other end really is who they say they are.

Posted in News, Security, Uncategorized