SANS ISC: Internet Storm Center

Investigating Sites After They are Gone; And a Case of Uber Phishing With SSL

Published: 2017-05-22
Last Updated: 2017-05-22 20:53:02 UTC
by Johannes Ullrich (Version: 1)

A reader sent us an interesting find: a phishing site going after Uber credentials. Stolen Uber credentials are often resold to obtain free rides, and phishing is one of the ways they are collected. The latest example uses convincing-looking Uber receipt emails. The emails feature a prominent link to "", and the linked site then asks the user to log in with their Uber credentials. The site reproduces the expected Uber layout, and, more importantly, it is served over HTTPS with a valid SSL certificate.

It turns out the site was hosted behind a Cloudflare proxy. Cloudflare provides free SSL certificates to proxied sites, and, like most certificate authorities, it only requires proof of control over the domain before issuing one. A domain-validated certificate therefore says nothing about who operates the site or what it does; the padlock confirms only that you are talking to whoever controls that hostname. This makes a fake site harder to distinguish from the real thing.

By the time I started to investigate, the original site had already been taken down, but enough evidence remained to reconstruct what happened. First, passive DNS databases had recorded the IP address the hostname resolved to, and it belonged to Cloudflare. Second, a search of certificate transparency logs showed that a certificate covering this hostname had been issued to Cloudflare. As with Cloudflare's other shared certificates, it was valid for a long list of hostnames hosted by Cloudflare, most of them belonging to other, unrelated Cloudflare customers. Unfortunately, whois history services such as DomainTools have no record of the domain, so we do not know exactly when it was registered; most likely it was registered just before it started to be used.
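The same reconstruction, as an added Python example that is not part of the diary: it checks whether a passive-DNS answer falls inside Cloudflare's published address space, parses a crt.sh-style JSON export, takes the earliest certificate issuance as a lower bound on when the domain went live (useful when whois history is missing, as it was here), and merges everything into a timeline. The domain, addresses, timestamps and record contents are constructed placeholders shaped like real exports, not data from this incident, and the Cloudflare range list is a subset hard-coded so the script runs offline. Note the caveat built into `cohosted_names`: the other hostnames on a shared Cloudflare certificate are other customers, not attacker infrastructure, so they are not a pivot.

```python
"""Reconstruct a taken-down site's history from passive DNS and Certificate
Transparency, the two sources the diary relied on.

Added example, not ISC code. All records below are CONSTRUCTED: the domain,
addresses and timestamps are placeholders shaped like a passive-DNS export and
like the JSON that https://crt.sh/?q=<domain>&output=json returns.
"""
import ipaddress
import json
from datetime import datetime

# Subset of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4),
# hard-coded so the script runs offline. Fetch the current list before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/13",
    "104.24.0.0/14", "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18",
    "162.158.0.0/15", "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20",
    "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17",
)]

# Constructed passive-DNS rows: (first_seen, last_seen, rrname, rrtype, rdata).
PDNS_SAMPLE = [
    ("2017-05-18T03:12:00", "2017-05-21T22:40:00", "uber-receipt.example", "A", "104.27.150.12"),
    ("2017-05-18T03:12:00", "2017-05-21T22:40:00", "uber-receipt.example", "A", "104.27.151.12"),
    ("2017-05-10T09:00:00", "2017-05-21T12:00:00", "other-site.example", "A", "203.0.113.7"),
]

# Constructed crt.sh-style export. Certs 1 and 2 mimic Cloudflare's shared
# certificates (one CN, many unrelated customer SANs); cert 3 is unrelated.
CRTSH_SAMPLE = json.dumps([
    {"id": 1, "issuer_name": "C=GB, O=COMODO CA Limited, CN=COMODO ECC Domain Validation Secure Server CA 2",
     "common_name": "sni12345.cloudflaressl.com",
     "name_value": "sni12345.cloudflaressl.com\n*.uber-receipt.example\nuber-receipt.example\n"
                   "*.unrelated-shop.example\nunrelated-shop.example",
     "not_before": "2017-05-18T03:30:00", "not_after": "2017-11-24T23:59:59"},
    {"id": 2, "issuer_name": "C=GB, O=COMODO CA Limited, CN=COMODO ECC Domain Validation Secure Server CA 2",
     "common_name": "sni67890.cloudflaressl.com",
     "name_value": "sni67890.cloudflaressl.com\n*.uber-receipt.example\nuber-receipt.example\n"
                   "*.some-blog.example\nsome-blog.example",
     "not_before": "2017-05-20T11:00:00", "not_after": "2017-11-26T23:59:59"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "common_name": "other-site.example", "name_value": "other-site.example",
     "not_before": "2017-05-10T08:55:00", "not_after": "2017-08-08T08:55:00"},
])


def behind_cloudflare(ip: str) -> bool:
    """True if the address sits in one of the listed Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def crtsh_url(domain: str) -> str:
    """crt.sh JSON export for a name; the format CRTSH_SAMPLE imitates."""
    return f"https://crt.sh/?q={domain}&output=json"


def parse_crtsh(text: str) -> list:
    """Parse a crt.sh export; name_value is a newline-separated SAN list."""
    return [{"id": r["id"], "issuer": r["issuer_name"],
             "sans": sorted(set(r["name_value"].split("\n"))),
             "not_before": datetime.fromisoformat(r["not_before"])}
            for r in json.loads(text)]


def _covers(san: str, domain: str) -> bool:
    """Exact match or single-label wildcard match, as TLS name checking does."""
    if san == domain:
        return True
    if san.startswith("*."):
        base = san[2:]
        return domain.endswith("." + base) and domain.count(".") == base.count(".") + 1
    return False


def _same_site(san: str, domain: str) -> bool:
    """Is the SAN the domain itself, its wildcard, or a subdomain of it?"""
    bare = san[2:] if san.startswith("*.") else san
    return bare == domain or bare.endswith("." + domain)


def certs_for(domain: str, certs: list) -> list:
    return [c for c in certs if any(_covers(s, domain) for s in c["sans"])]


def first_issuance(domain: str, certs: list):
    """Earliest not_before covering the domain: a lower bound on when the
    domain went live. None if no certificate was ever logged for it."""
    matches = certs_for(domain, certs)
    return min(c["not_before"] for c in matches) if matches else None


def cohosted_names(domain: str, certs: list) -> list:
    """Other SANs sharing the certificate. On a shared Cloudflare certificate
    these are other customers, not attacker assets, so treat them as noise."""
    names = set()
    for c in certs_for(domain, certs):
        names.update(s for s in c["sans"] if not _same_site(s, domain))
    return sorted(names)


def timeline(domain: str, pdns: list, certs: list) -> list:
    """Merge pDNS sightings and CT issuances into a sorted (time, event) list."""
    events = []
    for first, last, name, rrtype, rdata in pdns:
        if name != domain:
            continue
        tag = "cloudflare" if rrtype == "A" and behind_cloudflare(rdata) else "other"
        events.append((datetime.fromisoformat(first), f"pDNS first seen {rrtype} {rdata} ({tag})"))
        events.append((datetime.fromisoformat(last), f"pDNS last seen {rrtype} {rdata}"))
    for c in certs_for(domain, certs):
        issuer = c["issuer"].split("CN=")[-1]
        events.append((c["not_before"], f"cert crt.sh id={c['id']} issued by {issuer}"))
    return sorted(events)


if __name__ == "__main__":
    target = "uber-receipt.example"
    for when, what in timeline(target, PDNS_SAMPLE, parse_crtsh(CRTSH_SAMPLE)):
        print(when.isoformat(), what)
    print("query:", crtsh_url(target))
```

Against real data, replace the two constructed samples with a `GET` of `crtsh_url(domain)` and your passive-DNS provider's export; the rest of the logic is unchanged. The first pDNS sighting and the first certificate issuance together bracket the domain's go-live date even when no whois history survives.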

Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute

