[LINK] PayPal phishing scam - is this a domain hijack

Craig Sanders cas at taz.net.au
Fri Jan 19 17:15:58 AEDT 2007

On Fri, Jan 19, 2007 at 04:18:03PM +1100, Rick Welykochy wrote:
> I do not think that the https://online.westpac.com.au would work
> too well, since the digital cert. check would fail almost all tests.
> But I have not tested it.
> But given our earlier discussions on how Joe Sixpack ignores warnings
> about certificates, I think there would be enough uninformed users
> out there who could be phished using the hosts file technique even
> for https: connections to an ersatz banking web site. Shudder.

Actually, it's potentially much worse than that.

If an attacker can change the hosts file then there's no reason why they
can't also install a bogus Certificate Authority (CA) certificate so
that the browser will "validate" ANY certificate signed with it - i.e.
the attacker can make a fake cert for online.westpac.com.au and sign it
with their own CA.

Installing a new CA cert would be more complicated than just changing
the hosts file, but not unfeasibly so... and once someone has done it
once or twice, they could script the entire process.

A security chain is only as strong as its weakest link - and MS Windows
is a very weak link; it undermines everything else.
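
The setup described in this message leaves two artefacts on the victim's
machine: a hosts-file entry pinning the bank's hostname to the attacker's
address, and an extra root in the trust store that the browser now honours.
The following script, added here as an example and not part of the original
post, audits both against a known-good baseline. The watch list of domains,
the sample hosts file, the sample trust-store entries (in the dict shape that
Python's ssl.SSLContext.get_ca_certs() returns) and the 203.0.113.45 attacker
address are all constructed for the example.

```python
"""Audit a workstation for the two artefacts the hosts-file + rogue-CA
phishing setup leaves behind.  Example code added to the thread, not
from the original post; all sample data below is constructed."""
import ipaddress
import ssl

# Public domains that should never be pinned in a local hosts file
# (hypothetical watch list for the example).
WATCHED_DOMAINS = {"online.westpac.com.au", "www.paypal.com"}

# Constructed sample hosts file; the last line is the attacker's addition,
# pointing the bank's hostname at a (documentation-range) attacker address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver    # legitimate LAN entry
203.0.113.45    online.westpac.com.au www.online.westpac.com.au
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments,
    blank lines and lines whose first field is not an IP address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield str(ip), name.lower().rstrip(".")


def find_hosts_overrides(text, watched=WATCHED_DOMAINS):
    """Return (ip, hostname) for every watched domain, or subdomain of one,
    that the hosts file pins.  Any such entry is suspicious whatever the
    address: a public bank has no business in a client's hosts file."""
    return [
        (ip, name)
        for ip, name in parse_hosts(text)
        if name in watched or any(name.endswith("." + w) for w in watched)
    ]


def _name_attrs(rdn_seq):
    """Flatten ssl's ((('commonName', 'x'),), ...) RDN tuples into a dict."""
    return {k: v for rdn in rdn_seq for k, v in rdn}


def cert_key(cert):
    """Identify a trust-store entry by (subject CN, serial number)."""
    return _name_attrs(cert["subject"]).get("commonName", "?"), cert["serialNumber"]


def find_unexpected_cas(certs, known_good):
    """Return (CN, serial) for every root not on the known-good list.
    `certs` uses the dict shape returned by ssl.SSLContext.get_ca_certs()."""
    return [cert_key(c) for c in certs if cert_key(c) not in known_good]


def local_trust_store():
    """Roots the local machine trusts, in get_ca_certs() dict form.  On
    Windows the default context loads the ROOT and CA stores, where a rogue
    CA would be dropped; on Linux it is OpenSSL's default bundle (certs in a
    capath directory only appear after first use).  Not used by the tests."""
    return ssl.create_default_context().get_ca_certs()


def _root(cn, org, serial, not_before, not_after):
    """Build a self-signed trust-store entry in get_ca_certs() form (constructed)."""
    name = ((("organizationName", org),), (("commonName", cn),))
    return {"subject": name, "issuer": name, "version": 3,
            "serialNumber": serial, "notBefore": not_before, "notAfter": not_after}


SAMPLE_TRUST_STORE = [
    _root("Example Root CA", "Example Trust Services", "0A1B2C3D",
          "Jan  1 00:00:00 2000 GMT", "Jan  1 00:00:00 2030 GMT"),
    # The attacker's self-signed CA, named to look like something official.
    _root("Windows Update Root Authority", "Microsoft Corporation", "01",
          "Jan 18 09:12:00 2007 GMT", "Jan 18 09:12:00 2017 GMT"),
]
# Baseline taken from a clean build of the same OS image (constructed here).
KNOWN_GOOD = {("Example Root CA", "0A1B2C3D")}


if __name__ == "__main__":
    print("hosts overrides:", find_hosts_overrides(SAMPLE_HOSTS))
    print("unexpected roots:", find_unexpected_cas(SAMPLE_TRUST_STORE, KNOWN_GOOD))
```

On a real machine, feed the contents of /etc/hosts (or
C:\Windows\System32\drivers\etc\hosts) to find_hosts_overrides() and the
output of local_trust_store() to find_unexpected_cas(), with a baseline
recorded from a clean install. The caveat follows directly from the post:
an attacker who can write the hosts file and add a root CA can also tamper
with a script running on the same box, so the audit is only trustworthy
when run from outside the suspect machine (mounted disk, recovery media,
or a management host pulling the files).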


