Cyber-criminals set up a malicious website that spoofed the original Reddit site and stole login credentials of unsuspecting visitors, yet managed to obtain a valid SSL certificate from a domain registry.
Security experts recently stumbled upon a website that looked every bit like the original Reddit website but was, in fact, a fake website created by cyber-criminals to steal login credentials of Reddit users.
The only noticeable difference between the two sites, which went largely unnoticed, was that instead of using a .com domain, the fake website used the Colombian '.co' domain. To make the fake site seem more legitimate to visitors, the hackers behind the operation also managed to obtain an SSL certificate from domain registry Comodo.
The fact that cyber-criminals were able to obtain a security certificate from a domain registry for a fake website did not surprise Kevin Bocek, chief cyber-security officer at Venafi.
"It's not just sites like Reddit.co – last year over 14,000 certificates were used to set up phishing sites spoofing PayPal alone. This shows the power of the padlock for cyber-criminals, allowing them to appear trusted while tricking unsuspecting victims out of their data and damaging brand reputations across the internet," he said.
According to Bocek, while padlocks on websites signify a trusted machine identity and reassure visitors that the site is free of malware, cyber-criminals are obtaining and using such padlocks with increasing regularity to make their websites look authentic and steal the credentials of unsuspecting visitors.
"This attack is part of a much larger problem that jeopardises the system of trust used throughout the internet and shows why a new system of trust built on reputation is needed," he added.
Azeem Aleem, director of advanced cyber defence practice EMEA and APJ at RSA, said that the fake website "is well designed, well executed, and it highlights the very real danger of modern spoofing attacks". He added that a remarkably realistic website that even shows a secure SSL certificate makes it very easy for hackers to steal visitors' credentials, which they can then use to breach the victims' other accounts and carry out sophisticated phishing attacks on their friends, colleagues and family.
To ensure that they do not fall victim to such spoofing attacks, Aleem suggested that people should avoid clicking on links to websites from emails, especially if such links arrive from unknown sources. At the same time, if they want to visit a particular website, they should look it up using an established search engine. Checking website URLs closely will also enable people to spot fake websites that have similar URLs but also feature slight differences that are easy to miss at first glance, he said.
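The URL check Aleem recommends can be automated on the defender's side, for example when screening proxy logs or reported links. The following is an added example, not code from the article or from any of the vendors quoted: it reduces a URL to its registrable domain and flags the three lookalike patterns the article touches on (same name with a swapped TLD such as reddit.co, a one-character typo, and a brand name buried in a subdomain). The brand list and the public-suffix table are constructed placeholders; a real deployment would load both from configuration and a full public-suffix list.

```python
from urllib.parse import urlsplit

# Constructed allow-list of brand domains a defender wants to protect.
BRAND_DOMAINS = {"reddit.com", "paypal.com"}

# Hypothetical minimal public-suffix table; a real one (e.g. publicsuffix2) is far longer.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "com.co"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to name.suffix ('www.reddit.co' -> 'reddit.co')."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Return 'legit', 'tld-swap', 'typosquat', 'brand-in-subdomain' or 'unknown'.

    The scheme is deliberately ignored: a valid certificate for reddit.co says
    nothing about whether the site belongs to the brand, which is the article's point.
    """
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in BRAND_DOMAINS:
        return "legit"
    name, _, tld = domain.partition(".")
    for brand in BRAND_DOMAINS:
        bname, _, btld = brand.partition(".")
        if name == bname and tld != btld:
            return "tld-swap"            # reddit.co, reddit.com.co
        if levenshtein(name, bname) == 1:
            return "typosquat"           # paypa1.com
        if f".{brand}." in f".{host}.":
            return "brand-in-subdomain"  # reddit.com.<attacker-controlled>
    return "unknown"
```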
As of now, the fake Reddit clone has been marked 'Dangerous' with a warning for visitors that their details could be accessed by attackers. "Attackers on reddit.co may trick you into doing something dangerous like installing software or revealing your personal information (for example, passwords, phone numbers or credit cards)," the advisory read.