New phishing attack pretends to create a personal certificate

A new phishing attack, imitating the Bank of America website, tries to gain users trust by claiming to create a personal certificate to be authenticated by. TrendMicro reported on how this was done:

In Internet Explorer, it asks the user to run a Microsoft ActiveX control called “Microsoft Certificate Enrollment Code.”

After running the add-on and upon filling up the required information, it asks the user to download an .EXE file, sophialite.exe.

This is quite clever. From the explicit display of login or confirmation page that is easily verified as phishing, they have turned to the creation of digital certificates, a ploy that can actually convince users to take the bait.

Digital Certificates Not Always a Safety Guarantee - [TrendMicro]

Originally posted on Sun Apr 20, 2008