Fake EV certificate was NOT used in Steam trade phishing attacks

Closer inspection reveals that the Steam login page is also a spoof form, and that it is not being displayed in a new browser window at all: it is shown in an interactive, movable iframe that mimics a window, so the fraudster can dress the "window" up however they like, including whatever address bar and certificate indicator they choose to paint into it. The tell-tale sign to look for is that the fake window cannot be maximized or dragged beyond the boundaries of the spoof trading website, whereas a genuine popup is a separate browser window that can be moved anywhere on the screen, including right off the page that opened it.
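
The same tell can be checked from the browser's developer console, as in the added example below (my own illustration, not code from the original post or from MetaCert). A real popup is a separate top-level browser window, so the page that opened it cannot enumerate it; a fake one is an element in the phishing page's own DOM. The function lists every iframe the page can see, works out which host the frame really loads, and compares that with any URL painted as a fake address bar in the surrounding chrome. The phishing hostname and the stub document are constructed so the snippet runs offline; in a real console you would call it as `auditInPageWindows(document, location.hostname)`.

```javascript
// Added example, not code from the original post or from MetaCert.
// Flags "login windows" that are really elements inside the current page.

const URL_IN_TEXT = /https?:\/\/[a-z0-9.-]+/i;

function hostnameOf(urlLike, baseHostname) {
  // Hostname an http(s) source resolves to, or null for an empty src,
  // about:blank, srcdoc, javascript: and other non-network sources.
  if (!urlLike) return null;
  try {
    const u = new URL(urlLike, `https://${baseHostname}/`);
    return u.protocol === 'https:' || u.protocol === 'http:' ? u.hostname : null;
  } catch (e) {
    return null;
  }
}

function auditInPageWindows(doc, pageHostname) {
  const findings = [];
  for (const frame of doc.querySelectorAll('iframe')) {
    // Where the frame really loads from (null if it is inline content).
    const frameHost = hostnameOf(frame.getAttribute('src') || '', pageHostname);
    // Text painted around the frame, i.e. the fake window chrome. If it
    // contains something that looks like an address bar, read the host it claims.
    const chromeText = frame.parentElement ? frame.parentElement.textContent : '';
    const painted = chromeText.match(URL_IN_TEXT);
    const paintedHost = painted ? hostnameOf(painted[0], pageHostname) : null;
    let verdict;
    if (paintedHost && paintedHost !== frameHost) {
      verdict = 'fake window: painted address bar does not match the frame source';
    } else {
      verdict = 'in-page frame (a real popup window would not appear in the DOM)';
    }
    findings.push({ frameHost, paintedHost, verdict });
  }
  return findings;
}

// Constructed stand-in for the phishing page's DOM so this runs offline.
// The trading-site hostname is made up (.invalid TLD): the frame really loads
// a page on the fraudster's host while the chrome painted above it shows
// steamcommunity.com, exactly the mismatch the article describes.
function constructedPhishingDocument() {
  const frame = {
    getAttribute: (name) =>
      name === 'src' ? 'https://trade-offer-example.invalid/steam/login.html' : null,
    parentElement: {
      textContent: 'https://steamcommunity.com/login  Sign in to Steam  Account name  Password',
    },
  };
  return { querySelectorAll: (selector) => (selector === 'iframe' ? [frame] : []) };
}

// In a browser console: auditInPageWindows(document, location.hostname)
console.log(auditInPageWindows(constructedPhishingDocument(), 'trade-offer-example.invalid'));
```

Note that the painted-address-bar comparison is only a heuristic: the decisive point is that anything this function returns is part of the page, and a login prompt that lives inside the page can never be the browser's own window.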

At no point does it say "they did not use an EV cert". To some readers the site is obviously not using an EV cert, but others will find it confusing, perhaps because they haven't had their first coffee yet and are just skimming first thing in the morning.

Attractive phishing domains 😎

If you want to know what a good phishing domain looks like, check these out below, and tell me which one is real — I’ve had over 1,000 responses in person, on stage and via Twitter and other social platforms, and only 2 people have answered correctly. Even with that knowledge, most will still get it wrong. Please feel free to email me to find out the real answer, or leave a comment and I’ll tell you if you’re right or wrong. Some of the best cyber security experts in the world have got this wrong, so don’t be shy.

Attractive phishing sites

And if you want to see what a good phishing site looks like, here's one below. I've seen better, but these are the only screenshots I have right now.

We need better education

Phishing attacks are so successful in part because browsers have not taken a consistent approach to visual indicators of website identity. The overwhelming majority of consumers look for the browser padlock and immediately jump to the wrong conclusion that they are safe, when in fact the lock only indicates that the connection is encrypted and that the certificate matches the hostname in the address bar. It says nothing about who operates the site: a phishing domain can obtain a domain-validated certificate just like any other domain.



Paul Walsh

MetaCert CEO. Passionate about Cybersecurity, Blockchain, Crypto, Snowboarding & Red Wine. Part of the AOL team that launched AIM. Co-founded 2 W3C Standards.