[cabfpub] Obtaining an EV cert for phishing

James Burton james at sirburton.com
Tue Nov 28 17:31:29 UTC 2017


"Even if you use a Registered Agent’s address as the registered address for
your company, you will leave fingerprints…"

Actually, you don't need the information contained in the letters from
Companies House. All of the information was sent to me by email from the
3rd party register, including the authentication code. If you got one of
these service addresses as the company address then all you need is to just
send the letter to someone else's address somewhere, which takes around two
weeks to be delivered. Dun and Bradstreet update their database of new
incorporations every one or two days. Once you get the D&B ID by email
after a day or so, you can send in a request to update the database
with the phone number; this takes around a day or so. Dun and Bradstreet
have never verified the phone number given and just added it to the
database. Overall the process from start to finish could take a week if
started on Monday. There is only a small window of opportunity in this
scheme to get the EV SSL, but once the EV SSL is issued it can be used
at any time until the expiry date.

I did read the research some time ago and I found it was really
interesting. Oddly enough the dates of the research and the article coincide
with each other.

On Tue, Nov 28, 2017 at 5:03 PM, Kirk Hall <Kirk.Hall at entrustdatacard.com>
wrote:

> Thanks for the additional information, James.  In the end, the EV
> Guidelines did exactly what they were designed to do – they provided a way
> for the public to find you (as the company owner) if you used your EV
> certificate and domain to do something wrong.  And again, if someone goes
> to all this effort and lies in any part of the process, they are subject to
> potential criminal liability from the UK government – not a trivial matter
> for the ordinary hacker.  Even if you use a Registered Agent’s address as
> the registered address for your company, you will leave fingerprints…
>
>
>
> In contrast, a DV certificate for your same domain would leave no ability
> to find you if you use the certificate for evil purposes…  And can be
> obtained quickly, anonymously, and for free.   That’s a big difference.
> And a DV phisher can be very successful using a cert for a domain it owns
> like *login.paypal.com.phishingsite.com
> <http://login.paypal.com.phishingsite.com>* – by now, I think there are
> over 20,000 such DV certs for fake phishing PayPal login pages, all
> anonymous.
>
>
>
> Recent studies show that OV and EV websites are much less likely to be
> used for phishing than DV sites, and so are much safer for users – see
> attached pdf.  This study will be updated with additional data soon.  If
> you are interested in other information about the value of website identity
> on the internet, there are resources here:
>
> https://casecurity.org/identity/website-identity-documents/
>
>
>
> *From:* Public [mailto:public-bounces at cabforum.org] *On Behalf Of *James
> Burton via Public
> *Sent:* Tuesday, November 28, 2017 8:49 AM
> *To:* Gervase Markham <gerv at mozilla.org>; CA/Browser Forum Public
> Discussion List <public at cabforum.org>
> *Subject:* [EXTERNAL]Re: [cabfpub] Obtaining an EV cert for phishing
>
>
>
> This company was incorporated as a limited company by guarantee with
> exemption from using the word limited at the end. This type of company
> differs from a normal share company and cannot be incorporated through the
> official Companies House site. You can learn more here:
> https://www.rapidformations.co.uk/blog/exemption-from-using-the-word-limited-in-a-company-name/.
>
>
>
> To incorporate a limited company by guarantee with a limited exemption in the
> UK, you'll need the following information:
>
>    - Director's address, nationality, date of birth and three pieces of
>    identifiable information (see attached info.png).
>    - Company address
>    - Special type of articles of association
>
> First, an attacker needs to get hold of someone's address, date of birth,
> three pieces of identifiable information and the person's nationality. This
> can be completed through social media profiles, previous phishing attacks
> and from the so-called "Dark web" for a few pounds. Second, an attacker needs
> a company address which could be the same as the director address or a
> service address. These service addresses can be bought online for less than
> £30. Finally, the special type of articles of association can be bought
> when incorporating the limited company by guarantee from a 3rd party.
>
>
>
> When I incorporated "Identity Verified", I never went through any ID
> checks from the 3rd party. Companies House probably does check the
> information but I've never been asked to provide a passport photo, etc.
> The three pieces of identifiable information, DOB, and name are enough to
> identify the director and the Royal Mail database is enough to identify the
> addresses of both the director and company.
>
>
>
> Overall, the amount of work required to get the company incorporated is
> massive but it's achievable.
>
>
>
> Kirk, just to clarify that I didn't do this experiment to gain fame or
> pull off some amazing coup (in your own words). I did this experiment
> because I got an idea and wanted to see if it worked. When writing this
> article I never thought that this article would become so successful and
> gain upwards of 2000+ views but it did. If you look at the dates of the
> incorporation and certificate issue, you can see that this article wasn't
> written up straight after the experiment. I wrote this article on the 13th
> September 2017 which was over a month later. The article took me about an
> hour or two to complete and was checked for spelling and grammar by a fellow
> mathmo.
>
>
>
> Also, you're right that no one now can re-incorporate the company
> "Identity Verified" in the UK. Eventually, I will dissolve this company in
> the near future and then it will become available to incorporate again. I'm
> not sure if this company will be incorporated again because I might have
> been lucky that day.
>
>
>
> Anyway, I wouldn't dismiss this article out of hand as it does contain
> some interesting points.
>
>
>
> James
>
>
> On Tue, Nov 28, 2017 at 1:54 PM, Gervase Markham via Public <
> public at cabforum.org> wrote:
>
> On 27/11/17 19:52, Jeremy Rowley wrote:
> > Basically, Symantec verified the organization using the UK companies
> > house, which qualifies as a QGIS. Because it's a QGIS, the data
> > source can be used to validate most of the requirements under the EV
> > Guidelines, including address and legal existence.  The phone number
> > was verified using QIIS and a call to the number, answered, of
> > course, by the applicant. The result is James ended up forming a real
> > company with fake address information.
>
> As I read his blog post, he formed it with real address information, but
> his assertion is that it would have been just as easy to form it with
> fake address information, as the address information is not validated by
> Companies House in any way.
>
> James: is that correct?
>
> (BTW, as others have said, I'm not convinced that either rejecting
> "suspicious" names, or requiring a landline, is the way forward here.)
>
>
> Gerv