Fake EV certificate was NOT used in Steam trade phishing attacks

Today a colleague brought this post to my attention — it was published by a company called Netcraft. The title of the post is “Fake EV certificates used in Steam trade phishing attacks”. I would still have been unhappy with this approach to writing, even if the writer had immediately informed the reader that the opposite was true. But they didn’t. And I’ll explain why this is important…

The post goes on for four paragraphs explaining in detail how an attacker used an EV cert to trick people with a phishing scam. They even used a screen shot in between those paragraphs.

It wasn’t until paragraph 6 that they said:

At no point does it say “they did not use an EV cert”. To some, the site is obviously not using an EV cert, but to others it will be confusing — perhaps they haven’t had their first coffee yet and are just skimming first thing in the morning…

All of my R&D since 2004 has involved helping to create a safer Web by providing consumers and machines with more context about the destination of URIs before they are opened or shared. And I had to read this post about three times to come to the conclusion that an EV cert wasn’t in fact used in this phishing scam. If it were me writing that post, I would have placed a big red arrow on the screen shot with a caption; “failed attempt at an EV cert impersonation”. I’d give this scam a 2/10.

This approach to writing is not ok. MetaCert’s API is the only service embedded in this product for Fake News — built by the same company that’s behind Adblock Plus. So we have some insight into news reputation and misinformation, and more importantly, how it spreads like wildfire. All research points to the fact that most people “like” and “share” information as soon as they read the title — they don’t take the time to read anything beyond the title before sharing. And very few people get to the bottom of an article. What are the chances of you reaching the bottom of this post? Oddly enough, I’m now asking myself in a weird way, ‘will anyone get this far and read this text?!’. 🥴 Ok, that’s too ‘meta’ even for me. I digress.

The Netcraft post could result in some readers telling their colleagues “hey guess what, another phishing attack used an EV cert — EV certs suck — let’s stick with DV”. And as we know, people add and subtract one or two words, completely changing their meaning… so now we have “oh boy, SSL certs are such a waste of time — don’t bother with them”.

Here’s a better version of that title: “Phishing site tries to trick users with a fake EV cert”. And then they should explain how this is probably one of the worst phishing attempts ever documented by a company whose expertise is in anti-phishing. It’s one of the worst “scams” I’ve come across because very few people know the difference between DV and EV, and those who do are certainly not going to fall for this feeble attempt. If you know of a victim who fell for this please correct me.

Attractive phishing domains 😎

If you want to know what a good phishing domain looks like, check these out below, and tell me which one is real — I’ve had over 1,000 responses in person, on stage and via Twitter and other social platforms, and only 2 people have answered correctly. Even with that knowledge, most will still get it wrong. Please feel free to email me to find out the real answer, or leave a comment and I’ll tell you if you’re right or wrong. Some of the best cyber security experts in the world have got this wrong, so don’t be shy.

1 myetherwallêt.com
2 myethẹrwallet.com
3 myethęrwallet.com
4 myethėrwallėt.com
5 myethērwallet.com
6 myethërwallët.com
7 myethërwallet.com
8 myethérwallét.com
9 myethérwallet.com
10 myetherwɑllet.com
11 myetherwället.com
12 myetherwállet.com
13 myetherwałlet.com
14 myetherwałlet.com
15 myetherwallęt.com
16 myetherwalleţ.com
17 myetherwalleţ.com
18 myetherwalłet.com
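
Names like these can be triaged mechanically rather than by eye. The following is an added example, not part of the original post: it shows the punycode form a resolver actually sees, names each non-ASCII character, and flags a domain whose visual "skeleton" collapses to a protected name. The function names and the two-entry `NON_DECOMPOSING` map are assumptions made for illustration.

```python
import unicodedata

# Illustrative subset only: letters with no Unicode decomposition that still
# render like an ASCII letter. A real deployment would use the full
# confusables data published with Unicode UTS #39.
NON_DECOMPOSING = {"\u0142": "l", "\u0251": "a"}  # ł, ɑ

def skeleton(domain: str) -> str:
    """Reduce a domain to the ASCII string a reader is likely to perceive."""
    decomposed = unicodedata.normalize("NFKD", domain.lower())
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(NON_DECOMPOSING.get(c, c) for c in stripped)

def to_punycode(domain: str):
    """Return the ASCII (xn--) form used in DNS, or None if not encodable."""
    try:
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None

def check(domain: str, protected: str) -> dict:
    """Flag a domain that reads like `protected` but is a different name."""
    odd = [(c, unicodedata.name(c, "UNKNOWN")) for c in domain if ord(c) > 127]
    return {
        "domain": domain,
        "punycode": to_punycode(domain),
        "non_ascii": odd,
        "lookalike": domain.lower() != protected and skeleton(domain) == protected,
    }

if __name__ == "__main__":
    # Constructed input: three names in the style of the list above,
    # the plain ASCII name, and an unrelated domain.
    samples = [
        "myetherwall\u00eat.com",   # e with circumflex
        "myetherwa\u0142let.com",   # l with stroke
        "myetherw\u0251llet.com",   # Latin alpha
        "myetherwallet.com",
        "example.org",
    ]
    for name in samples:
        result = check(name, "myetherwallet.com")
        print(result["lookalike"], result["punycode"], result["non_ascii"])
```

The same check fits a mail gateway, a link-preview service or a certificate transparency monitor, with `protected` set to each name worth defending.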

Attractive phishing sites

And if you want to see what a good phishing site looks like here’s one below. I’ve seen better, but these are the only screen shots I have right now.

We need better education

Phishing attacks are so successful, in part, because browsers have not taken a consistent approach to visual indicators for Website identity. 99.9999% of consumers look for the browser padlock and immediately jump to the wrong conclusion that they are safe — when in fact, we know the lock just indicates when a site uses encryption.

I would like cyber security colleagues to take a more proactive approach to writing more responsibly, and not misguide readers for the sake of a fancy title.

Much love and peace to my cyber friends at Netcraft who are doing a great job to help Phight the Phish. ✌️

MetaCert CEO. Passionate about Cybersecurity, Blockchain, Crypto, Snowboarding & Red Wine. Part of the AOL team that launched AIM. Co-founded 2 W3C Standards.