Buy from the highest-rated provider   Buy DigiCert Certificate x

Phishing with EV SSL Certificates

Though there still has not been a report of a phisher actually using an EV SSL Certificate on their site, a new phishing email is being sent out saying the following:

Dear Wilmington Trust Banking Member,

Due to the high number of fraud attempts and phishing scams, it has been decided to implement EV SSL Certification on this Internet Banking website.

The use of EV SSL certification works with high security Web browsers to clearly identify whether the site belongs to the company or is another site imitating that company’s site.

It has been introduced to protect our clients against phishing and other online fraudulent activities. Since most Internet related crimes rely on false identity, WTDirect went through a rigorous validation process that meets the Extended Validation guidelines.

Please Update your account to the new EV SSL certification by Clicking here.

Please enter your User ID and Password and then click Go.

(Failure to verify account details correctly will lead to account suspension)

Now that knowledge of EV Certificates is growing, these phishers are trying to get people to click on their link in order to increase the security of the bank account by enabling an EV SSL Certificate. What is the problem with that logic?

First of all, you should never log in to your bank's website using a link sent in email. Always bookmark it or type it in directly!

Second, users will never have to "upgrade their account" to use EV certificates. An EV certificates is installed on the server by the bank and will undoubtedly enable EV for all accounts. Unfortunately, it seems the people who fall for phishing scams are just the kind of people who have heard about EV SSL and think it would be a good thing to enable but don't know enough about it to realize that they don't need to enable it, their bank does.

Hopefully, this is as close as phishers get to using EV SSL Certificates in their attacks.

EV SSL Buzzword Used for Phishing - [K-Squared Ramblings]

Originally posted on Sun Sep 28, 2008