Fake EV certificate was NOT used in Steam trade phishing attacks
Today a colleague brought this post to my attention — it was published by a company called Netcraft. The title of the post is “Fake EV certificates used in Steam trade phishing attacks”. I would still have been unhappy with this approach to writing even if the writer had immediately informed the reader that the opposite was true. But they didn’t. And I’ll explain why this is important…
The post goes on for four paragraphs explaining in detail how an attacker used an EV cert to trick people with a phishing scam. They even used a screenshot in between those paragraphs.
It wasn’t until paragraph 6 that they said:
Closer inspection reveals that the Steam login page is also a spoof form, and it is not actually being displayed in a new browser window at all — it is being shown in an interactive, movable iframe that behaves like a window, allowing the fraudster to dress the “window” up however he likes. The tell-tale feature to look out for here is that the fake window cannot be maximized or moved beyond the boundaries of the spoof trading website.
At no point does it say “they did not use an EV cert”. To some, the site is obviously not using an EV cert, but to others it will be confusing — perhaps they haven’t had their first coffee yet and are just skimming first thing in the morning…
All of my R&D since 2004 has involved helping to create a safer Web by providing consumers and machines with more context about the destination of URIs before they are opened or shared. And I had to read this post about three times to come to the conclusion that an EV cert wasn’t in fact used in this phishing scam. If it were me writing that post, I would have placed a big red arrow on the screenshot with a caption: “failed attempt at an EV cert impersonation”. I’d give this scam a 2/10.
This approach to writing is not ok. MetaCert’s API is the only service embedded in this product for Fake News — built by the same company that’s behind Adblock Plus. So we have some insight into news reputation and misinformation, and more importantly, how it spreads like wildfire. All research points to the fact that most people “like” and “share” information as soon as they read the title — they don’t take the time to read anything beyond the title before sharing. And very few people get to the bottom of an article. What are the chances of you reaching the bottom of this post? Oddly enough, I’m now asking myself in a weird way, ‘will anyone get this far and read this text?!’. 🥴 Ok, that’s too ‘meta’ even for me. I digress.
The Netcraft post could result in some readers telling their colleagues “hey guess what, another phishing attack used an EV cert — EV certs suck — let’s stick with DV”. And as we know, people add and subtract one or two words, completely changing their meaning… so now we have “oh boy, SSL certs are such a waste of time — don’t bother with them”.
Here’s a better version of that title: “Phishing site tries to trick users with a fake EV cert”. And then they should explain how this is probably one of the worst phishing attempts ever documented by a company whose expertise is in anti-phishing. It’s one of the worst “scams” I’ve come across because very few people know the difference between DV and EV, and those who do are certainly not going to fall for this feeble attempt. If you know of a victim who fell for this please correct me.
Attractive phishing domains 😎
If you want to know what a good phishing domain looks like, check these out below, and tell me which one is real — I’ve had over 1,000 responses in person, on stage and via Twitter and other social platforms, and only 2 people have answered correctly. Even with that knowledge, most will still get it wrong. Please feel free to email me to find out the real answer, or leave a comment and I’ll tell you if you’re right or wrong. Some of the best cyber security experts in the world have got this wrong, so don’t be shy.
Attractive phishing sites
And if you want to see what a good phishing site looks like, here’s one below. I’ve seen better, but these are the only screenshots I have right now.
We need better education
Phishing attacks are so successful in part because browsers have not taken a consistent approach to visual indicators for website identity. 99.9999% of consumers look for the browser padlock and immediately jump to the wrong conclusion that they are safe — when in fact, we know the lock just indicates that a site uses encryption.
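The padlock says nothing about who is on the other end; the identity a certificate actually asserts lives in its subject fields, and a DV cert asserts no organisation at all. The following is an added example (mine, not from the original post or from Netcraft) that reads the subject out of the dictionary shape Python’s `ssl.SSLSocket.getpeercert()` returns and reports what level of identity it carries. The two sample certificates and the `example.com` host names are constructed placeholders; the classification is a heuristic on subject fields (EV subjects must carry `businessCategory`, a jurisdiction field and a registration `serialNumber`), since `getpeercert()` does not expose the certificate-policies OID that is the authoritative signal.

```python
"""Added example, not part of the original post: report what identity a TLS
certificate actually asserts, independent of the browser padlock.

The sample certificates below are constructed, in the dict shape that
ssl.SSLSocket.getpeercert() returns; the host names are placeholders.
"""
import socket
import ssl

# Subject attributes that only an EV certificate carries (EV Guidelines make
# businessCategory, a jurisdiction field and the registration number mandatory).
EV_ONLY_FIELDS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}
# Attributes that distinguish an OV certificate from a bare DV one.
OV_FIELDS = {"organizationName", "countryName"}


def subject_to_dict(subject):
    """Flatten the nested RDN tuples from getpeercert() into a plain dict."""
    out = {}
    for rdn in subject:
        for name, value in rdn:
            out[name] = value
    return out


def classify_validation(cert):
    """Return 'DV', 'OV' or 'EV' based on the subject fields of a getpeercert() dict.

    Heuristic only: the authoritative signal is the certificate-policies OID,
    which getpeercert() does not expose.
    """
    fields = set(subject_to_dict(cert.get("subject", ())))
    if EV_ONLY_FIELDS <= fields:
        return "EV"
    if OV_FIELDS <= fields:
        return "OV"
    return "DV"


def identity_summary(cert):
    """One-line statement of what the certificate says about who you are talking to."""
    subj = subject_to_dict(cert.get("subject", ()))
    level = classify_validation(cert)
    if level == "DV":
        # Encryption yes, identity no: only control of the host name was checked.
        return f"DV: proves control of {subj.get('commonName', '?')} only; no organisation verified"
    org = subj.get("organizationName", "?")
    if level == "OV":
        return f"OV: organisation '{org}' verified, no legal-entity details"
    return (f"EV: legal entity '{org}' ({subj.get('businessCategory')}, "
            f"registered in {subj.get('jurisdictionCountryName')}, "
            f"reg. no. {subj.get('serialNumber')})")


# Constructed samples (placeholder names, not real certificates).
DV_CERT = {
    "subject": ((("commonName", "trade.example.com"),),),
    "issuer": ((("commonName", "Example DV CA"),),),
}
EV_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Games Inc."),),
        (("businessCategory", "Private Organization"),),
        (("jurisdictionCountryName", "US"),),
        (("serialNumber", "1234567"),),
        (("commonName", "store.example.com"),),
    ),
    "issuer": ((("commonName", "Example EV CA"),),),
}


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch a live server certificate as a getpeercert() dict (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for sample in (DV_CERT, EV_CERT):
        print(identity_summary(sample))
```

Running it on the two constructed samples prints a DV line with no organisation and an EV line naming the legal entity; `fetch_peer_cert()` lets you run the same summary against a real host, which is the check a reader should make instead of trusting the padlock or a lookalike address bar drawn inside the page.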
I would like cyber security colleagues to take a more proactive approach to writing more responsibly, and not misguide readers for the sake of a fancy title.
Much love and peace to my cyber friends at Netcraft who are doing a great job to help Phight the Phish. ✌️