[cabfpub] Obtaining an EV cert for phishing

Kirk Hall Kirk.Hall at entrustdatacard.com
Tue Nov 28 17:03:02 UTC 2017


Thanks for the additional information, James.  In the end, the EV Guidelines did exactly what they were designed to do – they provided a way for the public to find you (as the company owner) if you used your EV certificate and domain to do something wrong.  And again, if someone goes to all this effort and lies in any part of the process, they are subject to potential criminal liability from the UK government – not a trivial matter for the ordinary hacker.  Even if you use a Registered Agent’s address as the registered address for your company, you will leave fingerprints…

In contrast, a DV certificate for your same domain would leave no ability to find you if you use the certificate for evil purposes…  And can be obtained quickly, anonymously, and for free.   That’s a big difference.  And a DV phisher can be very successful using a cert for a domain it owns like login.paypal.com.phishingsite.com – by now, I think there are over 20,000 such DV certs for fake phishing PayPal login pages, all anonymous.

Recent studies show that OV and EV websites are much less likely to be used for phishing than DV sites, and so are much safer for users – see attached pdf.  This study will be updated with additional data soon.  If you are interested in other information about the value of website identity on the internet, there are resources here:
https://casecurity.org/identity/website-identity-documents/

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of James Burton via Public
Sent: Tuesday, November 28, 2017 8:49 AM
To: Gervase Markham <gerv at mozilla.org>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: [EXTERNAL]Re: [cabfpub] Obtaining an EV cert for phishing

This company was incorporated as a limited company by guarantee with exemption from using the word limited at the end. This type of company differs from a normal share company and cannot be incorporated through the official Companies House site. You can learn more here: https://www.rapidformations.co.uk/blog/exemption-from-using-the-word-limited-in-a-company-name/.

To incorporate a limited company guarantee with a limited exemption in the UK, you'll need the following information:

  *   Director's address, nationality, date of birth and three pieces of identifiable information (see attached info.png).
  *   Company address
  *   Special type of articles of association
First, an attacker needs to get hold of someone's address, date of birth, three pieces of identifiable information and the person's nationality. This can be completed through social media profiles, previous phishing attacks and from the so-called "Dark web" for few pounds. Second, an attacker needs a company address which could be the same as the director address or a service address. These service addresses can be bought online for less than £30. Finally, the special type of articles of association can be bought when incorporating the limited company by guarantee from a 3rd party.

When I incorporated "Identity Verified", I never went through any ID checks from the 3rd party. Companies House probably does check the information but I've never been asked to provide a passport photo or etc. The three pieces of identifiable information, DOB, and name are enough to identify the director and the Royal Mail database is enough to identify the addresses of both the director and company.

Overall, the amount of work required to get the company incorporated is massive but it's achievable.

Kirk, just to clarify that I didn't do this experiment to gain fame or pull off some amazing coup (in your own words). I did this experiment because I got an idea and wanted to see if it worked. When writing this article I never thought that this article would become so successful and gain upwards of 2000+ views but it did. If you look at the dates of the incorporation and certificate issue can see that this article wasn't written up straight after the experiment. I wrote this article on the 13th September 2017 which was over a month later. The article took me about an hour or two to complete and checked for spelling and grammar by a fellow mathmo.

Also, you're right that no one now can re-incorporate the company "Identity Verified" in the UK. Eventually, I will dissolve this company in the near future and then it will become available to incorporate again. I'm not sure if this company will be incorporated again because I might have been lucky that day.

Anyway, I wouldn't dismiss this article out of hand as it does contain some interesting points.

James




On Tue, Nov 28, 2017 at 1:54 PM, Gervase Markham via Public <public at cabforum.org<mailto:public at cabforum.org>> wrote:
On 27/11/17 19:52, Jeremy Rowley wrote:
> Basically, Symantec verified the organization using the UK companies
> house, which qualifies as a QGIS. Because it's a QGIS, the data
> source can be used to validate most of the requirements under the EV
> Guidelines, including address and legal existence.  The phone number
> was verified using QIIS and a call to the number, answered, of
> course, by the applicant. The result is James ended up forming a real
> company with fake address information.

As I read his blog post, he formed it with real address information, but
his assertion is that it would have been just as easy to form it with
fake address information, as the address information is not validated by
Companies House in any way.

James: is that correct?

(BTW, as others have said, I'm not convinced that either rejecting
"suspicious" names, or requiring a landline, is the way forward here.)

Gerv
_______________________________________________
Public mailing list
Public at cabforum.org<mailto:Public at cabforum.org>
https://cabforum.org/mailman/listinfo/public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20171128/2d325f06/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Incidence of Phishing Among DV OV and EV Websites (9-13-2017).pdf
Type: application/pdf
Size: 703145 bytes
Desc: Incidence of Phishing Among DV OV and EV Websites (9-13-2017).pdf
URL: <http://lists.cabforum.org/pipermail/public/attachments/20171128/2d325f06/attachment-0003.pdf>


More information about the Public mailing list