Any online purchase would need to be performed through a payment gateway, where the buyer enters his/her credit card number and CVV number…
For the entire process of how a transaction works, check this link
How can you get robbed online?
Cybercriminals have different methods of luring innocent buyers into their “web” – it might be a web site offering everything dirt cheap – electronic goods, software or computer parts, whatever you need – or maybe a rogue online pharmacy offering traditional “prescription-only” medicines without a prescription. They use SEO (search engine optimization) poisoning in order to inject their websites into search results, or send e-mails to users with attractive offers. Basically, there’s a crook at every corner waiting to rob you!
Criminals can also dupe or force users into buying the software using Rogue security software or Ransomware programs.
Basically:
- User is pointed to the fraudulent web site – through spam, search engine poisoning or by force (rogueware or ransomware)
- Website gets the user’s information (credit card number, CVV etc.)
- Information is passed to a partner fraudulent payment gateway
- User gets robbed of his/her money.
What is a secure payment?
If the purchase is made online, the customer's web browser encrypts the information sent between the browser and the merchant's web server. This is done via SSL (Secure Sockets Layer) encryption, so that no one steals your information by intercepting the traffic between your PC and the web server. Web sites using such a method are distinguished by an “https” prefix, instead of the standard “http” prefix, before the web site address or URL. Secure pages normally have a prominent image which mentions “Secure page” or “SSL Verified”.
These web sites use SSL certificates that help the browser to identify that the connection is secure.
However, with the advent of rogue software and fraudulent gateways, one needs to look deeper before making a payment online. This article is an attempt to explain this in clear detail.
What do we need to look for while transacting online?
Looking to buy something online is like searching for a pet in a jungle. You don’t know what the jungle has in store for you, or whether the pet would kill you or bite you. But fine, you’re already in the jungle, and the best we can do is prevent you from getting killed or bitten!
The very first identification that a secure page would need to have is the HTTPS prefix in the address. When a page mentions that it’s secure, ensure that the https prefix is present in the address and that a small lock appears at the bottom of the screen – check the screenshots below.
In Firefox and IE 6, the address bar would have the prefix and the bottom right hand corner would have a symbol of a lock. We hope you’re not using IE 6! In other versions of IE (7 & 8), it would be next to the address bar.
In Internet Explorer (8) and (7)
Below, is an example of a page which mentions that it’s secure, but does not have the prefix.
As you see above, the site even mentions that it’s verified by Visa and MasterCard. These are simply images. But wait; there are crooks that use secure pages as well. Let’s see a couple of examples.
In the second screenshot, the secure page is launched through the rogue program’s interface – a clever method indeed – users cannot verify anything unless they open the page in a browser.
The most difficult question – how do we avoid such situations?
The only way we can prevent ourselves from getting robbed is by verifying the authenticity of the web page – when we make transactions on a new, unknown page for the first time.
How do we check the authenticity of a web page? As mentioned before, each “secure” page needs to have an SSL certificate. SSL certificates are issued by a number of vendors and are of two different types: fully authenticated and domain-authenticated certificates.
When a user visits a web site, the web server will send a copy of the site's SSL certificate to the user's web browser. The information in the certificate will always include the site's domain name and, in some cases, the company information. This lets the browser know that the web site it's connecting to is really the correct web site, and not an impostor or phishing site. A user can open and view the details of an SSL certificate and determine its type before proceeding with a transaction on the web site.
Fully-Authenticated SSL Certificates:
A fully-authenticated SSL certificate will contain information about the site's domain name and the legal name of the organization hosting it. It will also contain the geographical location information for the city, state, and country where the organization is registered to do business.
As mentioned earlier, a web site with an SSL certificate will show the icon of a golden padlock on the browser window; its location depends on the version of the browser used. When we double click the padlock, the information about the certificate is displayed.
In Firefox, double click the padlock icon in the right hand bottom corner to open the certificate details.
Clicking the “View certificate” will show further details about the certificate. The first tab of the certificate window will contain some basic information, like the name of the web site, the validity of the certificate etc.
The basic details included are – the name of the organization the certificate is issued to, the validity of the certificate and the name of the Certificate authority issuing the certificate, as shown in the screenshot below.
The Details tab contains more specific information. This is where we would be able to determine if the certificate is Fully-authenticated or Domain-authenticated.
What is the difference between a Fully-authenticated and a Domain Authenticated certificate?
A domain-authenticated certificate will not include any information about a company or its location. Such a certificate does not require any documentary evidence and the certificate can be applied for and issued very easily. A fully authenticated certificate will contain information about the site's domain name and the legal name of the organization hosting it. It will also contain the geographical location information for the city, state, and country where the organization is registered to do business.
Screenshots of Domain-Authenticated certificates.
These are taken from real, legitimate web pages and not from phishing or fraudulent web pages. Screenshots from fraudulent pages are shown separately.
Domain-Authenticated website
In Firefox, the information is visible in the general tab.
A domain-validated certificate will show the Organizational Unit as “Domain Control Validated”.
Screenshots of Fully Authenticated Certificates:
Note that the complete details of the organization are displayed here. Specific information like the company name and address, which is irrelevant for the purpose of this article, is removed. The intention is to display the difference between domain-authenticated certificates and fully authenticated certificates.
Format for Firefox certificates:
Now, let’s see the SSL certificates used by fraudulent web sites – sites associated with known Rogueware.
The first certificate is a self-signed certificate. A self-signed certificate is an identity certificate that is signed by its own creator. That is, the person that created the certificate also signed off on its legitimacy.
Notice that the certificate is a fully authenticated certificate with complete details of company name and location. When the browser encounters such a certificate it will give an alert that the certificate is not trusted, because no known Certificate Authority has vouched for it.
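The checks described above – self-signed (issuer equals subject), domain-validated (“Domain Control Validated” OU, no organization details) versus fully authenticated (organization name and location present) – as an added example that is not part of the original article. It works on the dictionary shape returned by Python's `ssl` module; the sample certificates are constructed for the demo, and `fetch_peer_cert` is an optional helper for live use.

```python
import ssl
import socket

def _rdn_dict(rdns):
    """Flatten the tuple-of-tuples form used by ssl.getpeercert()
    (e.g. ((('countryName', 'US'),), (('organizationName', 'X'),))) into a dict."""
    out = {}
    for rdn in rdns:
        for key, value in rdn:
            out[key] = value
    return out

def classify_cert(cert):
    """Return 'self-signed', 'domain-validated' or 'fully-authenticated'.
    Self-signed is checked first: such a certificate can carry full company
    details and still be untrusted, exactly as the fraudulent example shows."""
    subject = _rdn_dict(cert.get("subject", ()))
    issuer = _rdn_dict(cert.get("issuer", ()))
    if subject and subject == issuer:
        return "self-signed"
    ou = subject.get("organizationalUnitName", "")
    org_fields = ("organizationName", "localityName",
                  "stateOrProvinceName", "countryName")
    has_org = all(field in subject for field in org_fields)
    if "domain control validated" in ou.lower() or not has_org:
        return "domain-validated"
    return "fully-authenticated"

def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live helper (not used offline): fetch and chain-validate the server
    certificate, then pass the result to classify_cert()."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates (hypothetical names, not real sites).
DV_CERT = {
    "subject": ((("organizationalUnitName", "Domain Control Validated"),),
                (("commonName", "shop.example"),)),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),),
               (("commonName", "Example DV CA"),)),
}
OV_CERT = {
    "subject": ((("countryName", "US"),), (("stateOrProvinceName", "CA"),),
                (("localityName", "San Jose"),), (("organizationName", "Example Store Inc"),),
                (("commonName", "www.store.example"),)),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),),
               (("commonName", "Example OV CA"),)),
}
# Same full details as OV_CERT, but issued by itself: looks legitimate, is not.
SELF_SIGNED_CERT = {"subject": OV_CERT["subject"], "issuer": OV_CERT["subject"]}
```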
The following web pages are from a live fraudulent payment gateway for a rogue product called AntimalwareDoctor. (Information taken from http://www.malwareurl.com) This web site was live at the time of writing of this article.
Note – the website even calculates the currency, based on the location – spooky!
Note, in the above screenshot, the IP address is the same, but domain names are different. Like most fraudulent payment gateways, this web site also uses a Domain-authenticated SSL certificate. Screenshots are shown below. Most fraudulent gateways go down after a specific period of operation or use combinations of different domain names and IP addresses, which makes it more difficult for them to be blacklisted by traditional methods. Sites like MalwareDomainlist.com and Malwareurl.com do a wonderful job in listing malicious pages or fraudulent payment gateways.
The Bottom line:
Better safe than sorry. The only way you can prevent yourself from getting robbed is by exercising utmost care before proceeding with a transaction. This may delay things, but it’s for your own good.
- When you decide to buy something online, be 200% sure that you are purchasing it from a KNOWN and TRUSTED vendor. Verify the identity of the web site before proceeding.
- Have an Anti-phishing solution – there are many products which would provide you a good level of protection, at the least, to an extent of alerting you that the particular site is unknown.
- Limit the amount of money that you can transact online. Most credit card companies have this option.
- Never buy a product that tells you that you have a problem and that you need to purchase it in order to fix the problem.