ÃÛÌÒTV

News 02-26-2014

Phishing Scams Using Search Ads as a New Attack Vector


Unattended systems are a hacker's best friend. That's why at ÃÛÌÒTV we simply don't offer cheap SSL Certificates, as these certificates are processed by automated systems that never require human verification for security or identity checking.

Scammers recently began exploiting security holes in how Search Ads are displayed on search engine sites. The scam targeted users of the Bitcoin site Blockchain.

Scammers set up a phishing site on a similar domain, then paid for online exposure through search engine ads, even stating in the ad that "Other ads are all phishing site". The phishing site then prompted users for a username and password, which is never required by the real service.

This type of attack is likely to be extremely effective, as the ad displays the same domain name as the site it is targeting. ...Showing the wrong display URL (green text) is forbidden by most ad networks' policies; however, the fraudsters have evidently managed to bypass these restrictions. Without strict enforcement, the ability to specify the displayed destination leaves such advertising open to fraud.

-Paul Mutton, Security Researcher, Netcraft
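
A minimal sketch of the display-URL enforcement the quote above refers to, added here as an illustration (it is not code from the article, Netcraft, or any ad network). The function names, the `.example`/`.invalid` sample domains and the edit-distance threshold are assumptions, and the subdomain test compares hostnames only, without a public-suffix list.

```python
from urllib.parse import urlsplit

def host_of(url):
    """Normalized hostname of a URL; ad display URLs often omit the scheme."""
    if "://" not in url:
        url = "//" + url                      # let urlsplit see a network location
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    return host[4:] if host.startswith("www.") else host

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (lookalike) hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_ad(display_url, destination_url, max_distance=2):
    """Accept an ad only if the landing host is the displayed host or a subdomain of it."""
    shown, actual = host_of(display_url), host_of(destination_url)
    if not shown or not actual:
        return "reject: unparseable URL"
    if actual == shown or actual.endswith("." + shown):
        return "ok"
    if edit_distance(shown, actual) <= max_distance:
        return "reject: lookalike destination"   # similar domain, as in the scam described
    return "reject: display/destination mismatch"

# Constructed sample ads: (display URL, destination URL)
SAMPLE_ADS = [
    ("www.wallet.example", "https://wallet.example/login"),
    ("wallet.example", "https://secure.wallet.example/"),
    ("wallet.example", "http://wa11et.example/login"),
    ("wallet.example", "https://tracker.invalid/r?u=wallet.example"),
]

if __name__ == "__main__":
    for display, destination in SAMPLE_ADS:
        print(f"{display:20} -> {destination:45} {review_ad(display, destination)}")
```

A check like this only compares the final landing URL, so it has to be run against the destination reached after any redirects are followed.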

Multiple Layers of Security Are Always Required

If users had enabled multi-factor authentication for stronger account security, scammers would have been unable to access their sensitive financial details. Multi-factor authentication, generally implemented as two-factor authentication and requiring at least one additional form of verification in addition to a password, is an effective measure to protect against password theft.

Service providers usually make available a number of additional verification options. ÃÛÌÒTV encourages users to enable at least one extra form of access authentication. In addition to IP address restriction, users can require a client certificate or one-time password as part of the login credential.

Verified and Trusted SSL Certificates

Certificates with no identity verification are frequently exploited by scammers and are often used for questionable purposes.

Encryption is encryption, but with Domain-only Validated (DV) certificates, not every provider can offer complete verification of the identity of the certificate holder. The best SSL Certificates are never processed with automated systems, and they always include human review for security and identity verification. This includes providing:

  1. Trust that all SSL providers offer the same level of confidentiality
  2. Assurance of data integrity in communication
  3. Verification of the identity of an SSL Certificate owner

With Extended Validation SSL Certificates and high assurance SSL Certificates, secure Internet transactions and communications really can be safe for users as they ensure that the people you connect with online really are who they claim to be.

SSL is more than just a padlock; it's securing life. SSL done right and made easy includes going through identity verification to give users the benefit of trust that the party on the other end really is who they say they are.
