A phishing operation created an incredibly convincing fraud by exploiting a weakness in the way credit-card companies mask numbers and by tricking careless security guarantors into vouching for it.
The phishers sent out bulk spam purporting to be from a Utah credit union, asking Visa cardholders to sign up for a legitimate Visa program that protects credit-card use on the Internet. They made the scam more convincing by including the first four digits of the card number, e.g. 4512-XXXX-XXXX-XXXX, which looks a lot like the standard way of masking card numbers on receipts, where usually only the last four digits are shown, e.g. XXXX-XXXX-XXXX-3212. The thing is, the leading digits are not a secret: the first digit identifies the card network (4 for Visa) and the digits after it identify the issuer, so every card from the same small bank carries the same prefix, and it is the digits at the end of the number that vary from customer to customer. At a cursory glance, though, an email from someone who "knows" your card number is convincing.
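To make the masking point concrete, here is an added example (not code from the original post or from anyone involved in the story). It generates a batch of constructed, Luhn-valid card numbers that all share the issuer prefix 4512 quoted above, and then counts how many distinct values each masking style produces. A phisher who knows only the issuer prefix can print the "first four" form for every customer without ever seeing a card; the "last four" form cannot be faked that way. The prefix 4512 comes from the post; every other digit is made up here.

```python
"""Why "4512-XXXX-XXXX-XXXX" proves nothing while "XXXX-XXXX-XXXX-3212" does.

Added example. All card numbers are constructed: the issuer prefix 4512 is
taken from the post, the remaining digits are random and made Luhn-valid so
they look like real PANs but belong to nobody.
"""
import random


def luhn_check_digit(partial: str) -> str:
    """Return the check digit that makes partial + digit pass the Luhn test.

    Walking from the right of the partial number, the rightmost digit is the
    first one doubled, because the check digit appended later is position 0.
    """
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True if the full PAN (digits only) passes the Luhn checksum."""
    return pan.isdigit() and luhn_check_digit(pan[:-1]) == pan[-1]


def make_pan(issuer_prefix: str, rng: random.Random, length: int = 16) -> str:
    """Constructed PAN: issuer prefix + random body + Luhn check digit."""
    body_len = length - len(issuer_prefix) - 1
    body = "".join(rng.choice("0123456789") for _ in range(body_len))
    partial = issuer_prefix + body
    return partial + luhn_check_digit(partial)


def mask_last4(pan: str) -> str:
    """Receipt-style masking: only the last four digits are shown."""
    return "XXXX-XXXX-XXXX-" + pan[-4:]


def mask_first4(pan: str) -> str:
    """The phishers' masking: only the first four digits are shown."""
    return pan[:4] + "-XXXX-XXXX-XXXX"


def distinct_masks(pans, masker) -> int:
    """How many different masked strings a masking style yields for a batch."""
    return len({masker(p) for p in pans})


def compare_masking(issuer_prefix: str = "4512", n: int = 1000, seed: int = 1) -> dict:
    """Generate n cards from one issuer and compare the two masking styles.

    Returns how many distinct masked values each style produces, and whether a
    phisher who knows only the issuer prefix (and no card at all) can produce
    the exact "first four" string every customer would see for their own card.
    """
    rng = random.Random(seed)
    pans = [make_pan(issuer_prefix, rng) for _ in range(n)]
    if not all(luhn_valid(p) for p in pans):
        raise RuntimeError("constructed PANs failed the Luhn check")
    # What the phisher can print knowing nothing but the issuer prefix:
    phisher_line = issuer_prefix + "-XXXX-XXXX-XXXX"
    return {
        "first4_distinct": distinct_masks(pans, mask_first4),
        "last4_distinct": distinct_masks(pans, mask_last4),
        "phisher_matches_everyone": all(mask_first4(p) == phisher_line for p in pans),
    }


if __name__ == "__main__":
    result = compare_masking()
    print("distinct 'first four' masks over 1000 cards:", result["first4_distinct"])
    print("distinct 'last four'  masks over 1000 cards:", result["last4_distinct"])
    print("phisher's guess matches every cardholder:", result["phisher_matches_everyone"])
```

With a single issuer prefix every one of the thousand cards masks to the same "4512-XXXX-XXXX-XXXX", while last-four masking yields close to a thousand different strings; the only way to print the right one for a given customer is to actually have their card number. That asymmetry is why receipts mask the front of the number and not the back, and why an email showing the front should carry no weight.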
The clincher was the domain of the site, which held a valid "certificate" bearing a cryptographic "signature" attesting that the site was indeed operated by the credit union. That meant visitors to the site would get the padlock icon in their status bars, and clicking on it would "verify" that the site was operated by the credit union. The certs that make this possible are issued by companies that supposedly review each application to ensure it comes from whom it purports to come from, but the company that issued this one, Geotrust, uses largely automated means that rely on misspellings and the like to trigger its anti-fraud alerts. A certificate only ever attests what its issuer actually checked: if the issuer merely confirmed that the applicant controlled the domain, the padlock says nothing about who is behind it.
The scammers were also able to convince Choicepoint (the sleazy credit-reporting agency that leaked millions of customer records and is notorious for its unreliability and lack of due diligence) that they were the credit union, and Choicepoint, too, issued an assurance that they were legit.
The problem with Internet trust mechanisms is that they're maintained by untrustworthy entities. Verisign broke the DNS system. Choicepoint's records are often works of fiction. Geotrust uses algorithms to evaluate its applications for fraud. All of these entities put profits before their obligations, and all of them fail to deliver the trust they exist to provide.
The phishing site, which is still up at the time of this writing, is protected by a Secure Sockets Layer (SSL) encryption certificate issued by a division of the credit reporting bureau Equifax that is now part of a company called Geotrust. SSL is a technology designed to ensure that sensitive information transmitted online cannot be read by a third party who may have access to the data stream while it is being transmitted. All legitimate banking sites use them, but it's pretty rare to see them on fraudulent sites.
Geotrust and other SSL issuers are supposed to do some basic due diligence to ensure that the entity requesting an SSL certificate is indeed authorized to request it on the company's behalf. In this case, however, it looks like that process fundamentally broke down.
(via /.)