A malicious Reddit spoof site (Reddit.co) is convincing users to hand over their usernames and passwords. What’s particularly dangerous about this site is that it actually shows up as secure in your browser (image attached), as it has a valid SSL Certificate. Security experts at Venafi and RSA Security commented below.
Azeem Aleem, Director, Advanced Cyber Defence Practice EMEA and APJ at RSA Security:
“Make no mistake, this is an effective scam. They’ve put in the time and effort to create a remarkably realistic website that even shows a secure SSL certificate in your browser window. It is well designed, well executed, and it highlights the very real danger of modern spoofing attacks. While it’s troubling to see these complex scams harvesting personal details, what’s more worrying is what this stolen data will be used for, as stolen credentials are used to breach the victim’s other accounts, and carry out sophisticated phishing attacks on friends, colleagues and family.
“Time is of the essence for Reddit here, and the company needs to warn its users about the site. The company isn’t alone, however, as it is often very hard for an organisation to know if their site has been spoofed until someone has already become a victim. This is why the public need to have greater awareness of spoofing and take care to protect themselves online. Our advice would be: firstly, avoid clicking on links to websites from emails, if it is from an unknown source. Instead, look up the website using an established search engine. Secondly, always be sure to check the URL of a site that you are visiting to make sure that the it is correct – often with spoofed sites there will be a few letters in the wrong place that will give clues that it is not official, as in this spoofed Reddit site, the devil is in the detail. Thirdly, check the address bar to ensure you are visiting a secure site and there are no warnings – although as we can see here, there are ways to fake this. Lastly, if you have any doubts, then see if there is a phone number where you can call and get validation before sharing any personal information.”
Kevin Bocek, Chief Cyber Security Officer at Venafi:
“This shows that cybercriminals are now stealing personal details by taking advantage of the one security measure every Internet user has been trained to trust: the padlock in web browsers. These padlocks are supposed to signify a trusted machine identity – a digital certificate that means the machine is who it says it is. But now cybercriminals can obtain get certificates to look authentic for virtually nothing and often instantly available. This is a high risk, high impact threat that security teams cannot ignore anymore.
It’s not just sites like Reddit.co – last year over 14,000 certificates were used to set up phishing sites spoofing PayPal alone. This shows the power of the padlock for cybercriminals, allowing them appear trusted while tricking unsuspecting victims out of their data and damaging brand reputations across the internet. This attack is part of a much larger problem that jeopardizes the system of trust used throughout the internet and shows why a new system of trust built on reputation is needed.
“The answer is certificate reputation scoring to help people know what can and can’t be trusted. This site previously hosted porn, it’s not a real Reddit owned domain, and the certificate was issued by Comodo whereas the real Reddit uses certificates produced by DigiCert. These are all things a certificate reputation score would have flagged for remediation by Reddit a long time ago. Free certificates provide little validation, yet users see them as sacred. If people cannot trust that the sites they visit are genuine, our digital world could start to crumble. Action is needed now by security teams of enterprises since no one else will protect you from the bad guys.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.