So, it’s that time of year when we’re stuck trying to figure out which costume to wear this Halloween season. But for cyber criminals, it may not be that difficult of a choice. Most simply opt for the costume that gives them the biggest bang for the buck. Why not dress up as a legitimate company using TLS certificates? When your malicious website sports a trusted certificate, you’ll appear to be on the up and up. But what’s really scary is that most people will assume that you aren’t dressed up at all.
Attackers have long been using TLS channels as part of a full attack cycle, from delivering exploits and payloads to pointing victims to phishing pages or compromised sites in a bid to fake authenticity. To fuel this appetite for trust, there is a burgeoning market for TLS certificates on the Dark Web, where cyber attackers are willing to pay top dollar for them. Venafi research found that attackers are willing to pay up to $2000 for a code signing certificate on the Dark Web.
And to date, criminals have been relatively successful in wearing this type of TLS costume to hide big attacks, such as the Zeus botnet. And this year, at least one cybercriminal is dressed up as the United Nations. Indeed, cyber criminals are impersonating legitimate Microsoft Office 365 login pages on mobile devices in a phishing campaign that targets organizations, such as the United Nations, UNICEF and UN World Food.
According to BleepingComputer, “Targeting mobile users is a well-known tactic used by phishers given that the mobile web browsers will help them obfuscate the phishing URLs by truncating them, thus making it a lot harder for their targets to discover that they are under attack.”
And here’s where the TLS costume really gets nefarious, notes Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “These latest attacks targeting United Nations and global charity websites use TLS certificates to make malicious domains appear legitimate; they take advantage of the implicit trust users have in the green padlock created by TLS certificates. Internet users have been trained to look for a green padlock when they visit websites, and bad actors are using SSL/TLS certificates to impersonate all kinds of organizations.”
Bocek also warns that while this technique may appear sophisticated, these types of phishing attacks are very common. For example, in 2017, security researchers uncovered over 15,000 certificates containing the word ‘PayPal’ that were being used in attacks. And in June, the FBI issued a warning stating that the green padlock on websites doesn’t mean the domain is trustworthy and safe from cyber criminals.
In order to protect businesses and users, security teams must identify all the legitimate TLS certificates on their own networks. They also need to identify fraudulent certificates issued by attackers that are being used to impersonate their organization. Bocek advises that “Technologies like certificate transparency and certificate reputation can definitely help, but as the number of certificates issued every day continues to skyrocket, more help is definitely needed.”
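As an added example (not code from the original post or from Venafi), here is a small Python script that applies the certificate transparency idea from the paragraph above from the defender's side: it scans CT-style entries for certificates whose names contain the organization's brand keyword or sit within a couple of characters of its real domains, while skipping certificates issued to domains the organization actually owns. The owned-domain list, brand keyword and CT entries are all assumed or constructed; real monitoring would pull entries from a CT log or search service and the owned list from the organization's certificate inventory.

```python
"""Flag certificates in Certificate Transparency data that impersonate a brand.

Added example, not from the original post or Venafi. The CT entries below are
constructed; the owned-domain list and brand keyword are assumed values.
"""

OWNED = {"example-charity.org", "donate.example-charity.org"}  # assumed inventory
BRAND = "example-charity"                                       # assumed brand keyword

# Constructed CT-style entries: the DNS names each logged certificate covers.
CT_ENTRIES = [
    {"issuer": "Example CA", "dns_names": ["donate.example-charity.org"]},
    {"issuer": "Example CA", "dns_names": ["example-charity.org", "www.example-charity.org"]},
    {"issuer": "Example CA", "dns_names": ["login-example-charity.org"]},
    {"issuer": "Example CA", "dns_names": ["exarnple-charity.org"]},
    {"issuer": "Example CA", "dns_names": ["example-charity.org.secure-login.net"]},
    {"issuer": "Example CA", "dns_names": ["unrelated.example.net"]},
]


def registrable(name: str) -> str:
    """Naive registrable domain: the last two labels (no public-suffix list here)."""
    return ".".join(name.lower().strip(".").split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_lookalikes(entries, brand, owned):
    """Return (dns_name, reason) for names that resemble the brand but are not owned."""
    owned_reg = {registrable(d) for d in owned}
    flagged = []
    for entry in entries:
        for name in entry["dns_names"]:
            reg = registrable(name)
            if reg in owned_reg:
                continue  # legitimately issued to a domain we own
            if brand in name.lower():
                flagged.append((name, "brand keyword in unowned domain"))
                continue
            near = min(edit_distance(reg, o) for o in owned_reg)
            if near <= 2:
                flagged.append((name, f"typosquat (distance {near})"))
    return flagged
```

Anything returned by `flag_lookalikes` is a candidate for takedown or blocking, and the names that pass cleanly are the ones to reconcile against the internal certificate inventory.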
Who is dressing up as your website this Halloween?