In just one month, fraudsters were able to get the official SSL security ‘padlock’ seal of approval for hundreds of fake websites impersonating banks and other companies, partly because the checks on them were minimal or non-existent.
According to Bath-based internet services provider Netcraft, during August sites purporting to be the official domains of PayPal, Halifax Bank and others managed to get SSL security clearance from the likes of CloudFlare, Symantec and GoDaddy.
Netcraft internet services developer Graham Edgecombe warned in a 12 October blog: “Consumers have been trained to ‘look for the padlock’ in their browser before submitting sensitive information to websites, such as passwords and credit card numbers. However, a displayed padlock alone does not imply that a site using TLS (the successor to SSL) can be trusted, or is operated by a legitimate organisation.”
Fake sites that Netcraft found being used in phishing campaigns included ‘halifaxonline-uyk.com’ and ‘emergencypaylap.net’. Netcraft also noted the plausible-looking site ‘natwestnwolb.co.uk’ impersonating NatWest's online banking service, when the real site's name is ‘nwolb.com’.
Edgecombe highlighted the problem that fraudsters can obtain low-level Domain Validated (DV) SSL authentication – and the right to display the padlock – with only minimal ID checks and sometimes at no cost.
He said one certificate authority (CA), CloudFlare, which provides free ‘Universal SSL’ certification in partnership with Comodo, “is a hotspot for deceptive certificates, accounting for 40 percent of SSL certificates used by phishing attacks with deceptive domain names during August”.
He added: “CloudFlare's flexible SSL option also appeals to fraudsters, offering a padlock in victims' browsers without the need for attackers to set up SSL on their web servers.
“Comodo offers free 90-day certificates, which have been used by a number of SSL phishing attacks. Symantec also offers free 30-day certificates through its GeoTrust brand. The short validity periods are ideal for fraudsters as phishing attacks themselves typically have short lifetimes.”
Edgecombe also pointed out that Let's Encrypt is planning to offer free, automatically-issued DV certificates later in 2015.
He told SCMagazineUK.com that the problem of fake SSL certificates is not new, but price competition between CAs means the cost and levels of checks on certificates have fallen, while the quality of phishing sites has risen, putting online consumers at greater risk.
Edgecombe explained: “The tech industry has been telling users for years, if you want to enter credit card information on a website make sure it's got a padlock, make sure it's using SSL. But now anyone can go and get an SSL certificate for £5 or so, using minimal information, but it's verified.
“All the CA will check is that you own the domain name, and that's it. Some of them don't even check that the domain may be misused. One of the rules imposed on certificate authorities is they have to give additional scrutiny to domain names that may be used for fraudulent purposes, but these rules are quite vague.”
He added: “Some phishing sites with fake certificates are getting much harder for users to check – some of the screens look exactly like the real bank's website, and they've got an SSL certificate so you've got the padlock. The only way the user is going to know is by checking the domain name is correct and if you didn't know exactly what your bank's domain name was, you could be caught out.”
Edgecombe said some CAs do more verification of domain names than others, such as DigiCert and Entrust, which do not supply the cheapest DV certificates. But he said: “Fraudsters go for the lowest-hanging fruit which is these cheap domain validated certificates.”
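Since a DV certificate only proves control of the domain, the check Edgecombe describes (is the domain name actually the bank's?) can be automated on the defender's side over certificate subject names or phishing feeds. The example below is added here and is not Netcraft's code; the brand table and the public-suffix list are assumptions for the demo (only ‘nwolb.com’ comes from the article), and a real deployment would use the full Public Suffix List.

```python
from typing import List, Optional, Tuple

# Assumed: a tiny public-suffix table for the demo; use the Public Suffix List in practice.
PUBLIC_SUFFIXES = {"co.uk", "org.uk", "com", "net", "org"}

# Brand label -> registrable domains the brand is assumed to own for this example.
# Only nwolb.com is taken from the article; the others are placeholders.
LEGITIMATE = {
    "paypal": {"paypal.com"},
    "halifax": {"halifax.co.uk"},
    "natwest": {"natwest.com"},
    "nwolb": {"nwolb.com"},
}

# Constructed sample of certificate subject names, mixing the article's examples
# with legitimate and unrelated hosts.
SAMPLE_HOSTNAMES = [
    "www.nwolb.com",
    "halifaxonline-uyk.com",
    "natwestnwolb.co.uk",
    "emergencypaylap.net",
    "paypal.com.secure-login.net",
]


def registrable_domain(hostname: str) -> str:
    """Return the registrable part (eTLD+1), e.g. natwestnwolb.co.uk, not co.uk."""
    labels = hostname.lower().rstrip(".").split(".")
    for n in (2, 1):  # longest known public suffix first
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return hostname.lower()


def classify(hostname: str) -> Tuple[str, Optional[str]]:
    """Legitimate if the registrable domain is the brand's own; deceptive if a brand
    label appears anywhere in the hostname but the registrable domain is not."""
    reg = registrable_domain(hostname)
    for brand, domains in LEGITIMATE.items():
        if reg in domains:
            return "legitimate", brand
    for brand in LEGITIMATE:
        if brand in hostname.lower():
            return "deceptive", brand
    return "unrelated", None


def triage(hostnames: List[str]) -> List[Tuple[str, str]]:
    """Return (hostname, brand) pairs that deserve a blocklist/takedown review."""
    hits = []
    for host in hostnames:
        kind, brand = classify(host)
        if kind == "deceptive":
            hits.append((host, brand))
    return hits
```

Note that ‘emergencypaylap.net’ is not flagged: substring matching misses transposed or misspelt brand names, which is why Netcraft's human-fed phishing reports still matter.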
Commenting on the blog, independent UK cyber-security expert Amar Singh, founder of the Cyber Management Alliance, told SC: “This has been a major issue for some time. Anyone has a right to register any domain name and get a certificate. I recommend very highly to companies to register variations of their domain name so that spammers and phishers cannot do that.
“The current ecosystem for domain names and its related SSL trust issue is quite flawed. The only real current solution is to raise user awareness. Remind customers – ‘folks keep an eye out’ – on a regular basis. The problem is everything is being done one time, education one time. It's up to the banks, companies to educate not only their employees but customers on a regular basis.”
Edgecombe said Netcraft's figure of ‘hundreds’ of phishing sites using SSL certificates in August was sourced from phishing reports from a variety of sources, and he could not confirm the total number of phishing attacks.
Kevin Bocek, VP at Venafi, told SC via email: “The fact that CAs are issuing these certificates with little thought to the potential misuse is unacceptable, yet increasingly common. In particular, we are seeing ‘free’ CA offerings are particularly easy targets for hackers. This is bad for both businesses and consumers. The potential impact to business and the economy if people lose faith in the security of the online world could be catastrophic.
“Yet it is not only consumers that need to be concerned; it's business operating online – from banks, retailers, insurers, every business – that need to be concerned. There are over 200 CAs in operation, all are afforded the same level of trust but the reality is that they are often very different in terms of the level of fraud and security controls they have in place.
“Businesses have no way of telling which CAs are better or worse, yet they also face a huge risk that they're not responsible for creating. This is why Certificate Reputation – finding and knowing good certificates from bad – is so important.”
We contacted CloudFlare for a comment on Netcraft's blog but it did not immediately respond.