once more, with feeling.

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Sep 19 04:29:11 EDT 2008 

IanG <iang at systemics.com> writes:

>Any evidence of that?  [People buying certs using stolen credit cards]

I don't know if anyone tracks the exact count (apart from the 2005 figure of
(at least) 450 recorded incidents of secure phishing) but every now and then
you get reports of particular ones that stand out, e.g. the Sunbelt discussion
of the Gromozon distributors signing their malware,
http://www.haloscan.com/comments/alexeck/6460991926610320702/ (the cert
purchase was eventually traced back to a victim in Florida)... sorry, I don't
catalogue them all, just watch them drift by every now and then and that one
came to mind.  In fact didn't our esteemed moderator mention running into one
of these via spammed email just a few months back?

In any case with the assistance of services like http://scanlab.name/ for the
ID and any one of the incorporation brokers operating in the US (I
particularly like the appropriately-named
http://www.startanamericancompany.com/, you can do it for far less via US
brokers but then if you're paying with soemone else's credit card cost isn't
really an issue) how long do you think it'd take to create an official US
corporation that qualifies for an EV cert?  I think the main reason we haven't
seen more of this is:

- There's no need for it, usability evaluation tests have shown that EV certs
  have no effect on security so there's no point in going to the trouble
  (cybercrooks are cheapskates).

- It's much easier to use an exploit toolkit like MPACK or whatever to hit an
  EV-certified site for a genuine organisation than it is to bother with your
  own EV cert.  Since an EV cert only says that the CA did a little bit more
  than almost no checking at all of credentials but doesn't tell you anything
  about the site, the easiest way to get an EV cert is to use someone else's
  (AV vendors report peaks of up to 10,000 fresh malware infection sites via
  legit compromised servers a day, which is bad news for the "only enter your
  credit card details on sites you trust" education effort).

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list