November 24, 2015 By Douglas Bonderud 3 min read

It’s a nightmare scenario: Legitimate websites — complete with Extended Validation SSL certificates — compromised by phishing scams. According to SecurityWeek, this is exactly what’s happened to the World Bank and its Climate-smart Planning Platform (CSPP) webpage. Not only was the site hosting a hidden PayPal login scam, but the site’s EV cert helped convince users the content was legitimate. Now, the World Bank’s certificate has been revoked, and it’s dealing with the aftermath. But how did it get hooked?

Opportunity Knocks?

As noted by SecurityWeek, the CSPP is a World Bank initiative focused on helping companies worldwide develop better climate-planning and investment strategies. And while the Climate-smart Planning website is separate from the official World Bank homepage, it falls under the same EV cert issued by CA Comodo for the World Bank Group.

Obtaining this kind of certificate isn’t easy; companies must go through an extensive verification process. Once an EV is issued, owners get the benefit of a green box around their name in the address bar, giving visitors the assurance that the site and its content are above board. But the EV also offered the perfect opportunity for phishing fraudsters. While World Bank has been tight-lipped, security firm Netcraft, which discovered the hack, detailed its anatomy.

The hosted “PayPal” page asked users to enter their PayPal email address and password, which were submitted to a loginscheck.php script on the server. It was designed to carry out basic validation checks and make sure the data entered by users was actually tied to a PayPal account.

Once scammers had user credentials, they served up a “temporarily unavailable” page and asked potential victims to enter multiple pieces of personal information and verify their identity including name, date of birth, address and phone number, along with credit card details. When they had what they wanted, users were sent to the real PayPal page, unaware they’d just been defrauded.

While World Bank has removed the offending content, the site was subsequently hacked and defaced by a group known as Virus Iraq. Now the site’s EV certificate has been revoked, and most Web browsers prevent access to the CSPP website.

Phishing Spawns Trust Issues

Phishing remains a common tactic for attackers looking to grab victim credentials. So why all the fuss over World Bank? Because the cornerstone of any phishing attack is trust: Users must be made to believe the content they’re seeing is legitimate, and this typically demands significant effort on the part of malicious actors to create official-looking webpages and advertisements.

In the case of CSPP, however, this work was already done thanks to the existing EV certificate under World Bank’s name. Even though attack pages had grammar issues — such as asking users for their “informations” and encouraging victims to “confirm your card for shop with PayPal right away,” according to Netcraft — these red flags were passed over because the site itself was perceived as above reproach.

Consider the recent efforts of cybercriminals to spear-phish companies in the UAE, Bahrain, Turkey and Canada. TechWeekEurope reported that emails are sent from “law enforcement agencies” purporting to contain critical information about militant attacks. If users click on the attached PDF, however, there’s no critical bulletin — just a *.jar file containing remote-access Trojans (RATs). In this case, fear rather than trust motivates users to click on malicious links and unknowingly infect their computers.

Bottom line? Phishing relies on emotional reactions to succeed: a sense of trust, fear or urgency that compels users to provide their information or download attachments. When it comes to the CSPP, trust was engendered by World Bank’s existing EV, convincing users to overlook critical warning signs in the hosted PayPal content.

The World Bank’s official position is that it doesn’t comment on IT security issues, but with attackers now leveraging high-level security certificates to aid their attacks, the “fish” need to start talking. Honest communication among victims and compromised organizations significantly reduces the chance of getting hooked.

More from

Government cybersecurity in 2025: Former Principal Deputy National Cyber Director weighs in

4 min read - As 2024 comes to an end, it’s time to look ahead to the state of public cybersecurity in 2025.The good news is this: Cybersecurity will be an ongoing concern for the government regardless of the party in power, as many current cybersecurity initiatives are bipartisan. But what will government cybersecurity look like in 2025?Will the country be better off than they are today? What are the positive signs that could signal a good year for national cybersecurity? And what threats should…

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

2024 trends: Were they accurate?

4 min read - The new year always kicks off with a flood of prediction articles; then, 12 months later, our newsfeed is filled with wrap-up articles. But we are often left to wonder if experts got it right in January about how the year would unfold. As we close out 2024, let’s take a moment to go back and see if the crystal balls were working about how the year would play out in cybersecurity.Here are five trends that were often predicted for…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today