Uberscammers, (Thu, Jun 15th)

E-mail scams, phishing and social engineering are something that we (security people) have become really used to. Even from the penetration testing engagements I do, when we utilize social engineering, it

Of course, none of the users that receive this e-mail would have taken this trip, so the phisher in this case is trying to get people to click on the link to dispute the received receipt.

See the domain? uberdisputes.com is not an Uber

After logging in, in order to dispute the receipt, the site would ask for the credit card number, of course, so the victim can be reimbursed. You can probably guess what happened with the credit card after submission.

While all this is nothing particularly amazing, what I do find unbelievable is how easy it is for the bad guys to get certificates for such web sites. Although there has been a lot of discussion about how Let

(Small rage: I wonder who was the GENIUS in Google that decided to remove SSL/TLS certificate information from the lock icon in Google Chrome. Yeah, it was a great idea to make users open Developer Tools to see it grrrr).

Such cases are very common and always make me wonder why both CAs and big companies do not do the following:

  • For CAs, they should have a list of critical keywords of big players that are commonly used in attacks. For example, I would not let automatic systems issue a certificate for a domain such as microsoft-software.com (it belongs to Microsoft luckily).
  • For big(ger) companies, I would try to register/buy most domains that are similar to the company's name, and especially those that can be potentially used for phishing.
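
The keyword check suggested for CAs in the first bullet, sketched as an added example (it is not code from this diary or from any CA). The `PROTECTED` list, the folding table and every sample domain other than uberdisputes.com and microsoft-software.com are constructed assumptions; a hit means "hold for manual review", not "refuse".

```python
import re

# Constructed policy for illustration: protected keyword -> registrable
# domains the brand itself owns. Not a real CA list (assumption).
PROTECTED = {
    "uber": {"uber.com"},
    "microsoft": {"microsoft.com", "microsoft-software.com"},
}
# Small digit-for-letter folding table; deliberately not exhaustive.
FOLD = str.maketrans("0135", "oles")


def registrable(name):
    # Naive "last two labels"; production code needs the Public Suffix List.
    return ".".join(name.split(".")[-2:])


def review_reasons(domain):
    """Return reasons to hold a certificate request for manual review."""
    name = domain.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    reasons = []
    for brand, owned in PROTECTED.items():
        if registrable(name) in owned:
            continue  # the brand's own domain or a subdomain of it
        for label in name.split(".")[:-1]:  # the TLD itself is not checked
            folded = label.translate(FOLD)
            tokens = re.split(r"[-_]", folded)
            if any(t.startswith(brand) or t.endswith(brand) for t in tokens):
                kind = "keyword" if brand in label else "look-alike"
                reasons.append(f"{kind}:{brand} in '{label}'")
            elif brand in folded:
                # Mid-word hit: likely a false positive, so it is graded lower.
                reasons.append(f"weak-substring:{brand} in '{label}'")
    return reasons


if __name__ == "__main__":
    # Constructed sample requests; the first two domains appear in the diary.
    for d in ["uberdisputes.com", "microsoft-software.com", "login.uber.com",
              "uber.com.refund-check.example", "micr0soft-update.example",
              "tuberculosis-info.example"]:
        print(d, "->", review_reasons(d) or "auto-issue")
```

The allowlist of brand-owned domains is what keeps microsoft-software.com and login.uber.com out of the review queue, and the separate weak-substring grade shows why a short keyword such as "uber" cannot simply be blocked outright.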


Bojan
@bojanz
INFIGO IS

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.