
New Scam: Hackers Use Phony Certificate To Seal Victims' ID-Fates

A new approach to password/account info-theft appeals to users' desire for enhanced protection, rather than directly asking for info. The scam asks users to install an important digital security certificate -- which is, of course, anything but secure.
Noted by security firm F-Secure over the last few days, the so-called "fly phishing" con looks as slick and "legit" as any I've seen.

Its masterstroke is its spot-on mimicry of banker boilerplate (and for that matter of techy install-prose) as it walks the recipient through the steps required to install the digital certificate that will enhance their security and simplify their bank's sign-on process.

What's installed, for those who bite at the fly phish, is a trojan that then captures passwords, account numbers, etc.

The user is never once asked for an identifying number or piece of confidential information.

This one is smooth and polished, with a razor-sharp barb that might prove more effective than the "we need your password" approach that has long since approached and passed the point of diminishing returns.

F-Secure has a nice YouTube video of the scam here.
