[cabfpub] Obtaining an EV cert for phishing

James Burton james at sirburton.com
Tue Nov 28 16:48:46 UTC 2017

This company was incorporated as a limited company by guarantee with
exemption from using the word limited at the end. This type of company
differs from a normal share company and cannot be incorporated through the
official Companies House site. You can learn more here:

To incorporate a limited company by guarantee with a limited exemption in the
UK, you'll need the following information:

   - Director's address, nationality, date of birth and three pieces of
   identifiable information (see attached info.png).
   - Company address
   - Special type of articles of association

First, an attacker needs to get hold of someone's address, date of birth,
three pieces of identifiable information and the person's nationality. This
can be completed through social media profiles, previous phishing attacks
and from the so-called "Dark web" for a few pounds. Second, an attacker needs
a company address which could be the same as the director address or a
service address. These service addresses can be bought online for less than
£30. Finally, the special type of articles of association can be bought
when incorporating the limited company by guarantee from a 3rd party.

When I incorporated "Identity Verified", I never went through any ID checks
from the 3rd party. Companies House probably does check the information but
I've never been asked to provide a passport photo, etc. The three pieces
of identifiable information, DOB, and name are enough to identify the
director and the Royal Mail database is enough to identify the addresses of
both the director and company.

Overall, the amount of work required to get the company incorporated is
massive but it's achievable.

Kirk, just to clarify that I didn't do this experiment to gain fame or pull
off some amazing coup (in your own words). I did this experiment because I
got an idea and wanted to see if it worked. When writing this article I
never thought that this article would become so successful and gain upwards
of 2000+ views but it did. If you look at the dates of the incorporation
and certificate issue you can see that this article wasn't written up straight
after the experiment. I wrote this article on the 13th September 2017 which
was over a month later. The article took me about an hour or two to
complete and was checked for spelling and grammar by a fellow mathmo.

Also, you're right that no one now can re-incorporate the company "Identity
Verified" in the UK. Eventually, I will dissolve this company in the near
future and then it will become available to incorporate again. I'm not sure
if this company will be incorporated again because I might have been lucky
that day.

Anyway, I wouldn't dismiss this article out of hand as it does contain some
interesting points.


On Tue, Nov 28, 2017 at 1:54 PM, Gervase Markham via Public <
public at cabforum.org> wrote:

> On 27/11/17 19:52, Jeremy Rowley wrote:
> > Basically, Symantec verified the organization using the UK companies
> > house, which qualifies as a QGIS. Because it's a QGIS, the data
> > source can be used to validate most of the requirements under the EV
> > Guidelines, including address and legal existence.  The phone number
> > was verified using QIIS and a call to the number, answered, of
> > course, by the applicant. The result is James ended up forming a real
> > company with fake address information.
> As I read his blog post, he formed it with real address information, but
> his assertion is that it would have been just as easy to form it with
> fake address information, as the address information is not validated by
> Companies House in any way.
> James: is that correct?
> (BTW, as others have said, I'm not convinced that either rejecting
> "suspicious" names, or requiring a landline, is the way forward here.)
> Gerv
-------------- next part --------------
A non-text attachment was scrubbed...
Name: info.PNG
Type: image/png
Size: 50673 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20171128/d92ab5ef/attachment-0003.png>