Argh Spammers and Scammers!

(re-posted)

I just got a notification from “Certstar” that one of my company SSLs was about to expire. They’re right, it is. But it’s got absolutely nothing to do with them, it’s a Verisign SSL! They imply that they are the certificate suppliers and that they’re acting in my best interests, when in fact all they are trying to do is sell me a low-trust certificate. Their own website is secured by a cheap Comodo SSL.

This is nasty. Small businesses that might not necessarily be IT-centric won’t always have the tech savvy to be able to spot scams like this, especially when it’s put in scary terms. So spread the word, please: use certificate expiry notices only as reminders to go and check with your current provider.

Update 26 Dec 2008: the cancer spreads! SSL Certificate for Mozilla.com Issued Without Validation

These scam emails are sent from sales@certstar.com.
Other addresses on that website:

sales@certstar.com
support@certstar.com
billing@certstar.com
info@certstar.com


Comments

Hi, Just the same occurred for me. It is quite recently, however, that “Certstar” got the “bright” idea of spamming everyone with a soon-to-expire SSL certificate. I can see in my webserver logs, they first probed on 4 December, and have been probing daily since 7 December. I sent a complaint to their upstream provider, and blocked them in our systems. Best regards, Jlaerkedal

Thanks for posting this! I do a website for a non-profit, and the IT-illiterate head of the organization just forwarded me a “certstar.com” e-mail telling him our cert has expired. He was planning on paying it and sending me the mail just to keep me in the loop (he thought it was about our domain name).

Who do we report these to? FBI? Federal Trade Commission?

Andrea: I’m not sure who they should be reported to. Technically they are offering a service and they don’t actually *state* as such that they are your certificate provider. But this is the worst kind of scamming spam, so certainly follow Jlaerkedal’s lead (I will), report them to their ISP and add a drop-all-from rule to your mailfilter and firewall.

Yes it happened to me last week. I even bought 3 years. Yikes! I realized immediately what I did. I called my credit card and they wouldn’t exclude it. Then I emailed certstar and said reverse it. They did not respond back, however they did reverse the credit card charges. I am afraid I may have put in valuable information in trying to renew, but I can’t remember. jive company that certainly has my CC # could be given to another source of disreputables. Any advice out there?
Usually someone else handles this stuff and I usually go with Thawte but they certainly didn’t alert me my ssl was about to expire. Great
Delilah.

Delilah: general advice if you’ve lost control of your credit card details – call your card issuer right away and TELL THEM. Ask that they immediately block any further purchases against that card number, and issue a new card right away with a new number. Beware any recurring payments you may have set up on the card, you might need to get hold of the payees and change arrangements.
