Let's Encrypt certificates issued for malvertising campaign

Let's Encrypt mean to make HTTPS encryption as easy and widely available as possible
Let's Encrypt mean to make HTTPS encryption as easy and widely available as possible

Free certificates are now being used to carry out malvertising campaigns, according to a report by Trend Micro. The Francis of Assisi of encryption, the group Let's Encrypt, has had its charity abused as cyber-criminals are now using the free services to con unwitting users.

Trend Micro discovered malicious sites with a Let's Encrypt certificate towards the end of December 2015, in traffic from Japan. Trend believes this scam is a small part of one the company uncovered in September last year, in which 3000 Japanese websites were hit and nearly 500,000 users were exposed to the malvertising campaign.

This specific scam leads those unwitting users to the infamous Angler Exploit Kit, a notoriously versatile piece of malware named for a hideously ugly fish which prowls the ocean depths. 

Let's Encrypt is a project with the intent of making encryption easier and cheaper by offering free domain validated SSL and TSL certificates. Let's Encrypt has essentially made the process of obtaining these certificates automated, where previously they involved a rather more complicated process involving payments to certificate authorities. 

Josh Aas, executive director of the Internet Security Research Group which founded Let's Encrypt, wrote of his intentions in a blog post earlier this year: “It's time for the Web to take a big step forward in terms of security and privacy. We want to see HTTPS become the default. Let's Encrypt was built to enable that by making it as easy as possible to get and manage certificates."

Lauded by cyber-security professionals and privacy groups alike, Let's Encrypt has experienced something of an auspicious beginning. It began a limited beta phase in September 2015 and entered public beta at the beginning of December.

Unfortunately, anyone good natured enough to hand out free encryption certificates is vulnerable to abuse. The attacker used ‘domain shadowing', to create illegitimate sub-domains within legitimate ones, meaning that those domain approved certificates that the generous souls at Let's Encrypt are handing out are not noticing that bad behaviour is happening in the nooks and crannies of approved domains.  

Speaking to SCMagazineUK.com, Bharat Mistry, cyber-security consultant at Trend Micro, explained how these certificates went unnoticed: “The hackers created a sub-domain for which they requested a new Lets Encrypt certificate – and because there is no stringent checking of the certificate requester, Lets Encrypt has generated and supplied a new certificate.” That certificate for the subdomain is then used to encrypt the traffic between the user and the malicious ad.

It's not too hard either, as Brian Spector, CEO of MIRACL, a cyber-security company, told SC. The attackers simply downloaded the ACME protocol agent onto a compromised machine and started the process of automatic certification from there. It's that simple: “All you need to do is compromise a desktop/server in someone's infrastructure, download the agent, get the certificate. Easy peasy.”

Spector said that is where Let's Encrypt is exacerbating the issue, “through automated certificate enrolment that removes the human checking that 'supposedly' distinguishes other commercial certificate issuing services from Let's Encrypt”.

That said, “What Let's Encrypt are trying to do is commendable,” said Spector. "They resolve the fact that obtaining commercial certificates is expensive and painful process that must be made easier to advance the goal of encrypting HTTP traffic everywhere.”

But Let's Encrypt also “provides a free alternative to commercial certificate authorities. Five American companies issue 95 percent of all commercial certificates across the globe. Essentially, five root keys control security across the Internet. The potential for abuse and subterfuge is frightening.” 

As we are seeing now, added Spector, “the road to hell is paved with good intentions.”

Josh Aas, executive director of the Internet Security Research Group, also spoke to SC, saying “we think the certificate ecosystem is not the appropriate mechanism to police phishing and malware on the web. Other mechanisms like Safe Browsing, SmartScreen, or in this case the advertising network's internal controls, are both more effective and more appropriate.” 

Adding that Let's Encrypt does check "the Google Safe Browsing API for phishing status before issuing certs, but we do not take action after that. It would be impractical and ineffective. We will not be revoking the certificates in question, but it looks like the sites in question have been taken down."