Phishing or Legitimate?


Today I received the email shown below, which looked like a phishing attempt to me, since I don’t have an account at Moneybookers.com and the mail was sent, as is typical, to “undisclosed-recipients”. Hovering over the link in the mail revealed the URL https:// my.secure-ssl.net/www.moneybookers.com/app/directory.php?cmd=login (I deliberately broke the link).

Email from Moneybookers.com

Had I opted to use Firefox 3 with the default settings, I would have seen this when visiting the link in the mail:

Firefox 3 Default SSL

Luckily I changed the default settings, which made me aware of the obvious. To change the setting, type about:config into the address bar, enter ssl_domain into the search filter and set browser.identity.ssl_domain_display to 1.

Firefox 3 SSL Extended Mode

And for comparison here is the real site:

 Visiting the real thing…

Both sites have a certificate issued by Thawte, apparently with the organization details validated:

Thawte validated this site

The WHOIS records revealed that the domain name secure-ssl.net was created in 1999 and expires in 2015. Therefore the site isn’t some newly registered site purchased for phishing. The certificate is indeed legitimate. The sites look the same. As a matter of fact, the phishing site uses all images from the real one (bad security, isn’t it?).

The Faked Site  The Real Thing

The extended UI feature helped me get suspicious about this site, and the email source confirmed that this is a well-played phishing attempt. Moneybookers Ltd. is registered in London, UK and wouldn’t use a dial-up provider in France to send legitimate mail messages. Certainly not to me, as I don’t have an account with them. So what happened here? I’m not entirely sure, but the most logical explanation would be that somebody compromised the server of secure-ssl.net. The site belongs to Technologies Iweb Inc. in Montreal, Canada according to the WHOIS records. Does anybody else know something about this scam?

In any case, if you want to stay on the safe side and get alerted even under such circumstances, change the default setting of browser.identity.ssl_domain_display to 1 if you use Firefox 3. Better safe than sorry!
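The link in the mail shows the real site's name in the path while the browser connects to a different host. As an added example (not code from the original post), this Python function separates the host actually contacted from the places where a trusted name is merely displayed; TRUSTED_DOMAINS and the example.net URLs are constructed assumptions, and the check also covers the subdomain and userinfo variants beyond the path case seen here.

```python
from urllib.parse import urlsplit

# Assumption: the reader's own list of domains they hold accounts with.
TRUSTED_DOMAINS = ("moneybookers.com",)


def is_under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Return (host, verdict, where).

    host    - the host the browser will really connect to
    verdict - "trusted", "lookalike" or "unrelated"
    where   - URL parts that mention a trusted domain without being on it
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if any(is_under(host, d) for d in trusted):
        return host, "trusted", []
    # The host is not ours: find where the trusted name is being shown instead.
    fields = {
        "userinfo": parts.username or "",
        "host": host,
        "path": parts.path,
        "query": parts.query,
    }
    where = [name for name, value in fields.items()
             if any(d in value.lower() for d in trusted)]
    return host, ("lookalike" if where else "unrelated"), where


# The link from the post, reassembled from its deliberately broken form,
# followed by constructed samples (example.net is a placeholder host).
SAMPLES = [
    "https://" + "my.secure-ssl.net/www.moneybookers.com/app/directory.php?cmd=login",
    "https://www.moneybookers.com/",
    "https://www.moneybookers.com.example.net/login",
    "https://www.moneybookers.com@example.net/",
    "https://example.net/news",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(classify_link(url), url)
```

A valid certificate only vouches for the first element of the returned tuple, which is the value the ssl_domain_display setting puts next to the padlock.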


Reader Comments

Many 20$ webhosting companies offer one and the same SSL domain for all their customers. That’s because each SSL server requires an IP address (or you have to list all domains in one cert, which is not practical) and they don’t give one IP address per hosting customer.

Typically, these domain names of webhosters for their customers look very generic. This seems to be one of them. If you go to http://secure-ssl.net, you get redirected to http://iweb.com, which says it is a web hoster.

The scammer probably registered with a stolen credit card.

It could be a spammer with a stolen credit card like the previous commenter wrote. Sometimes it appears that certain hosting companies turn a blind eye, however.

I’ve gotten a lot of spam emails originating from iWeb’s IP space. Unlike many even cheap hosts, they don’t seem interested in shutting down spammers, even after receiving abuse tickets.

This of course does highlight (as I am guessing is probably at least part of the point) the fact that SSL by itself doesn’t prevent phishing. Unless you know which domain is verified, as well as which domain you trust even when verified, anyone can still be victimized.

Also, seems to be the thing these days for spammers to say they are in the webhosting business. Maybe that makes their attempts at allocating large blocks of IPs look superficially more legit.

Ultimately, training users to think must be a component in any anti-phishing measure.