It’s a nightmare scenario: a legitimate website, complete with an Extended Validation (EV) SSL certificate, compromised and turned into a phishing host. According to SecurityWeek, this is exactly what happened to the World Bank and its Climate-smart Planning Platform (CSPP) webpage. Not only was the site hosting a hidden PayPal login scam, but the site’s EV cert helped convince users the content was legitimate. Now the World Bank’s certificate has been revoked, and it’s dealing with the aftermath. But how did it get hooked?
As noted by SecurityWeek, the CSPP is a World Bank initiative focused on helping companies worldwide develop better climate-planning and investment strategies. And while the Climate-smart Planning website is separate from the official World Bank homepage, it falls under the same EV cert issued by CA Comodo for the World Bank Group.
Obtaining this kind of certificate isn’t easy; companies must go through an extensive verification process. Once an EV cert is issued, owners get the benefit of a green box showing their organization’s name in the address bar, which visitors read as assurance that the site and its content are above board. What an EV certificate actually asserts is narrower: the CA verified the legal identity of the organization that controls the domain. It says nothing about whether the server has since been compromised or what content it is currently serving. That gap between what users assume and what the certificate proves is exactly what the phishing fraudsters exploited. While the World Bank has been tight-lipped, security firm Netcraft, which discovered the hack, detailed its anatomy.
The hosted “PayPal” page asked users to enter their PayPal email address and password, which were submitted to a loginscheck.php script on the same server. That script carried out basic validation checks to make sure the submitted credentials were actually tied to a PayPal account.
Once the scammers had the credentials, the kit served a page claiming the account was “temporarily unavailable” and asked victims to verify their identity by entering their name, date of birth, address and phone number, along with credit card details. When it had what it wanted, it redirected users to the real PayPal site, leaving them unaware they had just been defrauded.
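One defensive takeaway from the kit’s anatomy is that a site owner can crawl their own pages and flag forms that harvest credentials or card data for a third-party brand, which no legitimate page on the World Bank’s domain should do. The Python script below is an added example, not Netcraft’s tooling or any World Bank code. The HTML pages, field names, host name, brand list and login-endpoint allowlist are constructed to mirror the two stages described above and are assumptions, not captured kit content.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the scanned site has no business collecting credentials for (assumed list).
THIRD_PARTY_BRANDS = ("paypal", "apple id", "microsoft account", "gmail")
# Substrings marking identity/payment fields (assumed naming conventions).
PII_FIELDS = ("card", "cvv", "cvc", "expir", "dob", "birth", "ssn", "phone")
# Login endpoints the site owner knows about; a password posted anywhere else
# is suspect (hypothetical allowlist for the example).
KNOWN_LOGIN_ENDPOINTS = {"/accounts/login"}
SITE_HOST = "cspp.example.org"  # placeholder, not the real CSPP host name


class FormCollector(HTMLParser):
    """Collect each <form> (action plus <input> type/name pairs) and the page's text."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.page_text = ""
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "inputs": []}
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                (a.get("type", "text").lower(), a.get("name", "").lower())
            )

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None

    def handle_data(self, data):
        # Brand mentions usually sit outside the <form>, so keep all page text.
        self.page_text += " " + data.lower()


def assess_form(form, page_text, site_host):
    """Return the reasons a form looks like a harvesting kit; [] means clean."""
    types = {t for t, _ in form["inputs"]}
    names = {n for _, n in form["inputs"]}
    pii = sorted(n for n in names if any(p in n for p in PII_FIELDS))
    collects_secret = "password" in types or any(
        p in n for n in names for p in ("card", "cvv", "cvc")
    )
    # A brand is "foreign" when the page talks about it but the host name does not carry it.
    foreign_brands = [
        b for b in THIRD_PARTY_BRANDS if b in page_text and b.split()[0] not in site_host
    ]

    reasons = []
    if collects_secret and foreign_brands:
        reasons.append(f"collects {foreign_brands[0]} credentials or payment data on {site_host}")
    if "password" in types and urlparse(form["action"]).path not in KNOWN_LOGIN_ENDPOINTS:
        reasons.append(f"password posted to unknown endpoint {form['action'] or '(self)'}")
    if len(pii) >= 3:
        reasons.append("collects identity and card data together: " + ", ".join(pii))
    return reasons


def scan_page(html, site_host=SITE_HOST):
    """Parse one page; return {form action: [reasons]} for every suspicious form."""
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    findings = {}
    for form in parser.forms:
        reasons = assess_form(form, parser.page_text, site_host)
        if reasons:
            findings[form["action"] or "(self)"] = reasons
    return findings


# Constructed pages modelled on the two stages the article describes (not the real kit).
STAGE1_HTML = """<html><body><h1>Log in to your PayPal account</h1>
<form method="post" action="/cspp/loginscheck.php">
  <input type="email" name="email"> <input type="password" name="password">
  <input type="submit" value="Log In">
</form></body></html>"""

STAGE2_HTML = """<html><body><p>Your account is temporarily unavailable. Please update your
informations to confirm your card for shop with PayPal right away.</p>
<form method="post" action="/cspp/verify.php">
  <input name="fullname"> <input name="dob"> <input name="address"> <input name="phone">
  <input name="cardnumber"> <input name="expiry"> <input name="cvv">
  <input type="submit" value="Confirm">
</form></body></html>"""

# The site's own contact form and its genuine login: neither should be flagged.
CONTACT_HTML = """<form method="post" action="/contact">
<input name="name"> <input type="email" name="email"> <input name="message"></form>"""
OWN_LOGIN_HTML = """<form method="post" action="/accounts/login">
<input name="username"> <input type="password" name="password"></form>"""

if __name__ == "__main__":
    for label, page in (("stage 1", STAGE1_HTML), ("stage 2", STAGE2_HTML),
                        ("contact", CONTACT_HTML), ("own login", OWN_LOGIN_HTML)):
        print(label, scan_page(page))
```

Run against the constructed pages, the stage 1 form is flagged for asking for a PayPal password and for posting it to an endpoint the owner does not recognize, stage 2 for collecting card and identity fields together on a PayPal-branded page, while the site’s own contact and login forms pass. The allowlist of known login endpoints is what keeps the check from firing on legitimate authentication pages, so it has to be maintained by whoever owns the site.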
The World Bank has since removed the offending content, but the site was subsequently hacked again and defaced by a group calling itself Virus Iraq. The site’s EV certificate has now been revoked, and most Web browsers refuse to load the CSPP website.
Phishing Spawns Trust Issues
Phishing remains a common tactic for attackers looking to grab victim credentials. So why all the fuss over World Bank? Because the cornerstone of any phishing attack is trust: Users must be made to believe the content they’re seeing is legitimate, and this typically demands significant effort on the part of malicious actors to create official-looking webpages and advertisements.
In the case of CSPP, however, this work was already done thanks to the existing EV certificate under World Bank’s name. Even though attack pages had grammar issues — such as asking users for their “informations” and encouraging victims to “confirm your card for shop with PayPal right away,” according to Netcraft — these red flags were passed over because the site itself was perceived as above reproach.
Consider the recent efforts of cybercriminals to spear-phish companies in the UAE, Bahrain, Turkey and Canada. TechWeekEurope reported that emails are sent from purported “law enforcement agencies” claiming to contain critical information about militant attacks. If users open the attached PDF, however, there is no critical bulletin, just a *.jar file containing remote-access Trojans (RATs). In this case, fear rather than trust motivates users to open the malicious attachment and unknowingly infect their computers.
Bottom line? Phishing relies on emotional reactions to succeed: a sense of trust, fear or urgency that compels users to provide their information or download attachments. When it comes to the CSPP, trust was engendered by World Bank’s existing EV, convincing users to overlook critical warning signs in the hosted PayPal content.
The World Bank’s official position is that it doesn’t comment on IT security issues, but with attackers now leveraging high-assurance certificates to aid their attacks, the “fish” need to start talking. Honest communication between victims and compromised organizations significantly reduces the chance of getting hooked.