spf-discuss

RE: A hole in planned phishing-prevention?

2004-06-03 18:20:00
Andy Bakun wrote:
> All the little padlock does is show that the cert used
> to connect to bigbank-customerservice.com is assigned
> to bigbank-customerservice.com, not that it's actually
> associated with Big Bank proper.

NTM that the cost of throw-away SSL certificates is low, especially if
the spammer uses wildcard ones. And there are tons of name combinations
that would look reasonably ok.

> This is a social problem though, and I'm not sure it
> has a valid technical solution.

It does not. Some of the potential marks will not fall for it, but
remember that con-art is all about art: if the phishing web site looks
and feels like the real one, most of the marks that fall for the scheme
will fall even if there are little discrepancies. Web sites do change
often these days and we've gotten used to this fact; the clever phisher has a
checking account with bigbank anyway just to capture logos and artwork
on the customer website. As long as the little yellow padlock is there,
Photoshop and JavaScript can do it.
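To make the point about the padlock concrete, here is an added example (not part of the original post or of any SPF code) that reproduces the only question the TLS hostname check asks, "does a certificate name match the host in the URL?", and contrasts it with the question the padlock never asks, "is this host under the bank's own registrable domain?". The domain names, the wildcard SAN list and the brand word list are all constructed for illustration; the registrable-domain helper is a deliberate simplification that uses the last two labels instead of the Public Suffix List.

```python
"""Added example: what the browser padlock verifies, and what it does not.

The TLS hostname check only asks whether a certificate name (CN/SAN)
matches the host in the URL.  A cheap wildcard cert for
*.bigbank-customerservice.com therefore passes for any subdomain the
phisher picks, and nothing in that check relates the name to the real
bank's domain.  All names below are constructed for illustration.
"""
from __future__ import annotations

# Constructed: the bank's real registrable domain.
LEGIT_DOMAIN = "bigbank.com"

# Constructed: dNSName SAN entries on a throw-away wildcard certificate.
PHISH_CERT_SANS = ["*.bigbank-customerservice.com", "bigbank-customerservice.com"]


def _labels(name: str) -> list[str]:
    return name.lower().rstrip(".").split(".")


def cert_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching: '*' is allowed only as the whole leftmost
    label and matches exactly one label, so '*.example.com' matches
    'www.example.com' but not 'example.com' or 'a.b.example.com'."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or len(p) < 2:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    if "*" in pattern:
        return False  # partial or non-leftmost wildcards are rejected
    return p == h


def padlock_would_show(sans: list[str], hostname: str) -> bool:
    """Mirrors the browser's decision: any SAN matching the URL host is enough.
    Chain validity and expiry are assumed to pass, as they do for a bought cert."""
    return any(cert_name_matches(s, hostname) for s in sans)


def registrable_domain(hostname: str) -> str:
    """Simplification: last two labels.  A real check would consult the
    Public Suffix List so that names like 'bigbank.co.uk' are handled."""
    return ".".join(_labels(hostname)[-2:])


def is_legit_host(hostname: str, legit_domain: str = LEGIT_DOMAIN) -> bool:
    """The check the padlock does NOT do: is this host under the bank's own
    registrable domain?  Substring checks ('bigbank' in host) are exactly
    what the look-alike names exploit, so compare registrable domains."""
    return registrable_domain(hostname) == legit_domain.lower()


def lookalike_candidates(brand: str, tld: str = "com") -> list[str]:
    """A few of the 'tons of name combinations' a defender might watch for
    in certificate transparency logs or new-domain feeds (constructed list)."""
    words = ["customerservice", "secure", "login", "online", "support"]
    out: list[str] = []
    for w in words:
        out.append(f"{brand}-{w}.{tld}")
        out.append(f"{brand}{w}.{tld}")
        out.append(f"{w}-{brand}.{tld}")
    return out


if __name__ == "__main__":
    for host in ("www.bigbank-customerservice.com", "www.bigbank.com"):
        print(f"{host}: padlock(phish cert)={padlock_would_show(PHISH_CERT_SANS, host)}, "
              f"under {LEGIT_DOMAIN}={is_legit_host(host)}")
    print("watch list sample:", lookalike_candidates("bigbank")[:3])
```

Running it shows the asymmetry the post describes: the phisher's wildcard cert lights the padlock for www.bigbank-customerservice.com, while the same host fails the registrable-domain comparison against bigbank.com, and the bank's real host fails the phisher's cert. The padlock alone cannot tell the two cases apart; only an out-of-band notion of which domain is the bank's can.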