Security threats Toolkit

Fraudulent e-commerce site proves hard to close

Tags:
Verisign,
Police

Rupert Goodwins ZDNet.co.uk

Published: 01 Dec 2003 17:50 GMT

A Web site that purportedly offers cheap mobile phones is still online more than six weeks after efforts began to close it down for what is believed to be fraudulent activity.

The site, unlockedPhones-UK.com, has been discovered to be displaying fake security certificates from security companies VeriSign and TRUSTe, and is using the address of an unconnected legitimate UK mobile phone company called mPhone Ltd. UnlockedPhones-uk.com is not registered as a UK company.

MPhone said it had been aware of the fake Web site for a month and a half, but despite reporting it to the Metropolitan Police -- who said that the FBI would be informed -- and Yahoo, the company hosting the site on its $8.95 a month Premium Geocities services, it had been unable to either get the site taken down or to get in contact with the registered owner. "All the authorities are trying to track them down, and we are working very hard on it," said a source within mPhone. "We're getting so many phone calls it's not funny."

The fake site uses a succession of tricks to disguise its lack of authenticity. Clicking on the VeriSign seal brings up an apparently valid certificate registered to the non-existent company and produced by VeriSign's own computers. However, the certificate is generated by the fraudulent site itself, and the credit card checkout system is hosted on a different site with a valid certificate. Also, the Web site asks for credit card orders to be accompanied by a fax of both sides of the card.

Emails to the contact address went unanswered on Monday, and the Californian address and phone number of the registered domain administrator R. B. Nail apparently are not valid.

"They've basically ripped off our site seal and hosted it on their Web site. In normal circumstances, if they were hosting the checkout on the same site, they'd get a security error, but they're hosting it on another," said John Kerr of VeriSign UK. "Users should double-click on the yellow padlock icon on the bottom right of their browser screen when they're in the checkout, and make sure the name displayed there matches the company you're buying from."

Public speculation over the authenticity of the site began in an online forum when some potential buyers questioned whether the prices were too good to be true. Suspicion was heightened when it was discovered that the gold VeriSign seal, which e-commerce sites display to assure buyers that they have been issued a VeriSign Secure Server ID and which should give some measure of the authenticity of the site, is hosted on unlockedPhones-UK.com's own Web site. When a VeriSign seal is clicked on, it should open up a window displaying the url: https://digitalid.verisign.com. On unlockedPhones-UK.com, the page displayed by the fake Verisign seal is made to look as though it is hosted on Verisign's servers. The fake TRUSTe certificate, which would be hosted on that company's site if it were genuine, is also hosted on unlockedPhones-UK.com's site.