Why would one phish using a Certificate Authority (CA) as bait?

A very interesting phishing email was sent to me today.  The body from the email was:

Northern Trust Corporation Warning:

Beginning March 17, 2009, the Northern Trust Business Passport Center will use a new Certification Authority (CA) to issue end-user certificates.

If no one in your organization has a digital certificate, you will need to download your primary digital certificate file.

Installation is quick and simple.

Proceed for further information:

http://northerntrust.updateserver.initiated.landing-82z121sin.4565singin.com/signin.htm?/Management/login=an7v77b1qxyrty9

Sincerely, Refugio Johnson. Customer Service Department.

2009 Northern Trust Corporation. All rights reserved.

I'm calling this email interesting because it's kind of an odd method to get recipients to click on the link and interact with the resulting site.  After all, how many everyday computer users (Joe plumbers) have a clue what the terms Certificate Authority or end-user certificate refer to?  Heck, I know a fair number of IT professionals who are still coming to grips with these terms.  I'm going to guess that most end-users would react with blank stares upon receiving this email.

Hey bad guys: the masses are far more inclined to react positively to emails slanted toward Nude Britney Spears, Your Password has Expired, or I have millions to share with you (for a nominal small fee).  This is a really lame phishing scam.

Anyhow, because I'm a security geek, I took a little closer look.  Here are some analysis details:

  • Northern Trust is a valid US Bank.
  • The link in the email is not related to Northern Trust.
  • The link in the email resolves to a site that is branded to look like a Northern Trust site.
  • On the site, there is a file download named NTrustdigicert.exe.
    • This file is not currently recognized as malware by most AV software packages.
    • This file, if executed, appears to install a generic Win32 Trojan.
  • The IP address that the link resolves to is hosted on a Comcast Cable address in the US.  Most likely some poor sap that got infected.
  • The DNS name 4565singin.com is owned by BIZCN.COM (XiaMen Bizcn.com, Inc).
  • That is a Chinese company, which appears to be part of China's anti-phishing alliance.
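The second and third bullets come down to one observation: the bank's name appears only in the subdomain labels, while the registered domain is 4565singin.com.  Here is an added example (not part of the original post) that automates that check on the quoted URL; the allow-list of legitimate brand domains is an assumption, and the two-label rule for the registrable domain is a simplification that a real tool would replace with the Public Suffix List.

```python
from urllib.parse import urlsplit

# The URL quoted in the phishing email above, copied verbatim.
PHISH_URL = ("http://northerntrust.updateserver.initiated.landing-82z121sin"
             ".4565singin.com/signin.htm?/Management/login=an7v77b1qxyrty9")

# Assumption: domains the brand legitimately uses (constructed allow-list).
BRAND_DOMAINS = {"northerntrust": {"northerntrust.com"}}


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname.  Adequate for .com; a production
    tool would consult the Public Suffix List for co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_url(url: str) -> dict:
    """Flag brand-in-subdomain look-alikes and other cheap tells."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registrable_domain(host)
    sub_labels = host.lower().split(".")[:-2]
    findings = []
    for brand, legit in BRAND_DOMAINS.items():
        if reg in legit:
            continue  # genuinely the brand's own domain
        if any(brand in label for label in sub_labels):
            findings.append(f"brand '{brand}' only in subdomain; "
                            f"registered domain is {reg}")
    if len(sub_labels) >= 3:
        findings.append(f"{len(sub_labels)} subdomain labels (unusually deep)")
    if parts.scheme != "https":
        findings.append("plain http for a page that claims to hand out certificates")
    return {"host": host, "registrable_domain": reg,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for line in analyze_url(PHISH_URL)["findings"]:
        print("-", line)
```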

Honestly, that last bullet was a bit of a surprise.  Unless I read something wrong, members of China's anti-phishing alliance are themselves either phishing, or have been hacked.  Just sad.

Copyright © 2009 IDG Communications, Inc.