SSL-Based Phishing

As the holiday season gets closer, expect the number of phishing emails to go up. Recently, for the first time in my experience, I got one that used a Secure Sockets Layer (SSL) server (see email below). You know, the kind of website whose address starts with https://.

The intent of SSL is to create an encrypted tunnel between your PC and the web server. In addition, and here is the important part, it includes a digital certificate. You are supposed to examine the certificate to determine whether the server name in it matches the URL you just typed in. If they differ, there is a chance that someone is trying to masquerade as someone else.

So, in theory, if you see a secure server address, you are supposed to feel safe. But the theory doesn’t always hold true. In practice, if the URL doesn’t match the certificate, your browser should warn you of the discrepancy. The problem is that most people ignore the warnings: so many webmasters forget to renew their certificates that warnings are common.

What’s even worse, cross-site scripting, frame-injection attacks, and browser bugs can allow phishers to run their own code as if it were from your own bank’s website (thus using the bank’s SSL connection and certificate). In addition, they could have a domain that sounds like your bank’s when it isn’t. According to the article, in 2005 over 450 SSL attacks were documented. I have no idea what it is in 2007 or what it will be in 2008 but I would guess it is/will be higher.
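The two checks discussed above, as an added example that is not part of the original post: does the certificate name the host in the URL, and is that host actually the bank's domain. The domains are constructed placeholders under the reserved .example TLD, and the wildcard rule is a simplified version of what browsers apply.

```python
from urllib.parse import urlsplit

def name_matches(pattern, host):
    """Simplified browser rule: exact match, or '*' as the entire leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def classify_link(url, cert_names, expected_domain):
    """Classify an emailed link given the names in the server's certificate.

    expected_domain is the domain the reader already knows is the bank's
    (from a statement or bookmark), never a value taken from the email.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return "not-encrypted"
    if not any(name_matches(n, host) for n in cert_names):
        return "certificate-name-mismatch"      # the browser-warning case
    if host != expected_domain and not host.endswith("." + expected_domain):
        return "valid-certificate-wrong-site"   # lookalike domain, no warning
    return "ok"

# Constructed samples: (url, names in the certificate served for that host)
SAMPLES = [
    ("https://online.bank.example/login", ["bank.example", "*.bank.example"]),
    ("https://online.bank.example/login", ["www.unrelated.example"]),
    ("https://bank.example.account-verify.example/login",
     ["bank.example.account-verify.example"]),
]

if __name__ == "__main__":
    for url, names in SAMPLES:
        print(classify_link(url, names, "bank.example"), url)
```

The third sample is the case that matters for phishing: the certificate matches the URL, so the browser shows no warning, yet the host is not the bank's.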

With these types of attacks, it really comes down to remembering that banks/credit card companies don’t send security emails to customers telling them to log in to a site and give them personal financial information/logins/passwords that they already have.

As they used to say on TV, “Let’s be careful out there.”


Received: (qmail 43643 invoked from network); 14 Nov 2007 18:52:45 -0000
Received: from localhost (localhost [])
X-Spam-Status: No, hits=2.1 required=4.0
autolearn=no version=3.002000
X-Spam-Flag: NO
X-Spam-Level: **
X-Spam-Filtered: d96416c869df3727024bf32c904c76be

Received: from 6b82e1939694411 (


Received: from [] by
Wed, 14 Nov 2007 22:03:25 +0300
Date: Wed, 14 Nov 2007 22:03:25 +0300
From: “Pacific Capital Bancorp”
X-Mailer: The Bat! (v2.00.6) Educational


X-Priority: 3 (Normal)
Message-ID: <>
Subject: Client Support Services – Pacific Capital Bancorp
MIME-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: 7bit

Pacific Capital Bancorp

Dear AllTime Treasury user,

As part of our security measures, we regularly screen activity in the AllTime Treasury system. We recently contacted
you after noticing an issue on your account. We requested information from you for the following reason: Our system detected unauthorized use of a bank account linked to ebanking accounts.

Attention for all AllTime Treasury users!

This is a reminder to log in to AllTime Treasury as soon as possible.

Be sure to log in securely by hyperlink below. Once you log in, you will be provided with new account design and steps to
confirm your account access. We appreciate your understanding as we work to ensure account safety.

Login by clicking here:

We thank you for your prompt attention to this matter. Please understand that this is a security measure intended to
help protect you and your account. We apologize for any inconvenience.

Pacific Capital Bancorp is the parent company of Pacific Capital Bank, N.A., a nationally chartered bank that operates
50 branches under the highly recognized brand names of Santa Barbara Bank & Trust, First National Bank of Central California, South Valley National Bank, San Benito Bank, Pacific Capital Bank, and, First Bank of San Luis Obispo.


Pacific Capital Bancorp Support Department

Copyright © 2006. Pacific Capital Bank. N.A. All Rights Reserved.

This information is not an official record of your accounts and transactions at Pacific Capital Bank, N.A. or any other
financial institution.

Pacific Capital Bancorp

