Scam sites start spoofing secure sites

Online shoppers are being warned to look out for fraudulent websites dressed up as real businesses following the launch of a police investigation into a spoof website scam.

A number of consumers have been duped by unlockedphones-uk.com, which claimed to sell mobile phones at knock down prices. The site, which has now been closed, took consumers' money, but did not deliver the goods.

Shoppers are advised to buy only from secure sites (those with an address that starts https:) using secure socket layer (SSL) encryption. But increasingly, fraudsters are spoofing these addresses.

Unlockedphones-uk.com gave a 'genuine' address and conned people by carrying fake VeriSign and TRUSTe shopping site logos. The site had the golden padlock icon in the bottom right-hand corner of the page and had an internet address that began with 'https:'.

Its security certificate was genuine, but was hijacked from Yahoo and embedded onto the site.

Steve Roylance, technical marketing director of security specialist company Comodo, warned that the problem with SSL is the certificates, logos, icons and the https url can be spoofed.

He also said providers were taking shortcuts. "Less reputable SSL providers do sometimes cut corners issuing certificates to sites with little or no validation of the individual or entity. This practice could allow rogue web sites through the net."

A final twist saw an address and phone number listed on the website to Mphones, an unrelated company, which called in Scotland Yard after being inundated with calls from angry customers.

Detective Sgt Steve Santorelli of Scotland Yard, who is heading the investigation into unlockedphones-uk, warned that people should always be wary of unrealistic prices. "If it looks to good to be true then it is," he said.

How to spot a fake
Online shoppers should always double click on the padlock icon. If nothing shows up it is a fake. If a window appears, read the details and look for issuer and subject. Also, an error message will appear if the security certificate does not belong to the site shown.

There are tools available to help check a site's security. Comodo has released free software called TrustToolbar and VerificationEngine to help consumers verify websites. TrustToolbar authenticates a visited site. If a site is genuine it shows up in the toolbar.

While not every site is covered, most major brands are. By running VerificationEngine you are able to verify that the site you are visiting (or directed to via email) can be trusted.

www.trusttoolbar.com
www.vengine.com