November 24, 2015 By Douglas Bonderud 3 min read

It’s a nightmare scenario: Legitimate websites — complete with Extended Validation SSL certificates — compromised by phishing scams. According to SecurityWeek, this is exactly what’s happened to the World Bank and its Climate-smart Planning Platform (CSPP) webpage. Not only was the site hosting a hidden PayPal login scam, but the site’s EV cert helped convince users the content was legitimate. Now, the World Bank’s certificate has been revoked, and it’s dealing with the aftermath. But how did it get hooked?

Opportunity Knocks?

As noted by SecurityWeek, the CSPP is a World Bank initiative focused on helping companies worldwide develop better climate-planning and investment strategies. And while the Climate-smart Planning website is separate from the official World Bank homepage, it falls under the same EV cert issued by CA Comodo for the World Bank Group.

Obtaining this kind of certificate isn’t easy; companies must go through an extensive verification process. Once an EV is issued, owners get the benefit of a green box around their name in the address bar, giving visitors the assurance that the site and its content are above board. But the EV also offered the perfect opportunity for phishing fraudsters. While World Bank has been tight-lipped, security firm Netcraft, which discovered the hack, detailed its anatomy.

The hosted “PayPal” page asked users to enter their PayPal email address and password, which were submitted to a loginscheck.php script on the server. It was designed to carry out basic validation checks and make sure the data entered by users was actually tied to a PayPal account.

Once scammers had user credentials, they served up a “temporarily unavailable” page and asked potential victims to enter multiple pieces of personal information and verify their identity including name, date of birth, address and phone number, along with credit card details. When they had what they wanted, users were sent to the real PayPal page, unaware they’d just been defrauded.

While World Bank has removed the offending content, the site was subsequently hacked and defaced by a group known as Virus Iraq. Now the site’s EV certificate has been revoked, and most Web browsers prevent access to the CSPP website.

Phishing Spawns Trust Issues

Phishing remains a common tactic for attackers looking to grab victim credentials. So why all the fuss over World Bank? Because the cornerstone of any phishing attack is trust: Users must be made to believe the content they’re seeing is legitimate, and this typically demands significant effort on the part of malicious actors to create official-looking webpages and advertisements.

In the case of CSPP, however, this work was already done thanks to the existing EV certificate under World Bank’s name. Even though attack pages had grammar issues — such as asking users for their “informations” and encouraging victims to “confirm your card for shop with PayPal right away,” according to Netcraft — these red flags were passed over because the site itself was perceived as above reproach.

Consider the recent efforts of cybercriminals to spear-phish companies in the UAE, Bahrain, Turkey and Canada. TechWeekEurope reported that emails are sent from “law enforcement agencies” purporting to contain critical information about militant attacks. If users click on the attached PDF, however, there’s no critical bulletin — just a *.jar file containing remote-access Trojans (RATs). In this case, fear rather than trust motivates users to click on malicious links and unknowingly infect their computers.

Bottom line? Phishing relies on emotional reactions to succeed: a sense of trust, fear or urgency that compels users to provide their information or download attachments. When it comes to the CSPP, trust was engendered by World Bank’s existing EV, convincing users to overlook critical warning signs in the hosted PayPal content.

The World Bank’s official position is that it doesn’t comment on IT security issues, but with attackers now leveraging high-level security certificates to aid their attacks, the “fish” need to start talking. Honest communication among victims and compromised organizations significantly reduces the chance of getting hooked.

More from

6 Principles of Operational Technology Cybersecurity released by joint NSA initiative

4 min read - Today’s critical infrastructure organizations rely on operational technology (OT) to help control and manage the systems and processes required to keep critical services to the public running. However, due to the highly integrated nature of OT deployments, cybersecurity has become a primary concern.On October 2, 2024, the NSA (National Security Agency) released a new CSI titled “Principles of Operational Technology Cybersecurity.” This new guide was created in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD SCSC) to…

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

SpyAgent malware targets crypto wallets by stealing screenshots

4 min read - A new Android malware strain known as SpyAgent is making the rounds — and stealing screenshots as it goes. Using optical character recognition (OCR) technology, the malware is after cryptocurrency recovery phrases often stored in screenshots on user devices.Here's how to dodge the bullet.Attackers shooting their (screen) shotAttacks start — as always — with phishing efforts. Users receive text messages prompting them to download seemingly legitimate apps. If they take the bait and install the app, the SpyAgent malware gets…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today