Trusted SSL/TLS Certificates: The New Tool for Domain Spoofers

November 12, 2018

The holiday season is fast approaching, and it is the perfect opportunity for cybercriminals to scam shoppers out of their hard-earned money.

According to Experian data, online shopping fraud attacks rose 30 percent in 2017 from 2016.

Online shoppers can be duped in a number of ways: phishing emails may peddle supposed last-minute deals on desirable items; retailers may fail to implement encryption properly on their domains, exposing shoppers to Man-in-the-Middle (MitM) attacks; or purchases may be made on fraudulent websites.

On Thursday, machine identity protection firm Venafi said that attacks on online purchases are a problem increasing in scope, with an “explosion” of look-alike, fraudulent domains appearing online.

After analyzing suspicious domains created to mimic the top 20 retailers in the US, UK, France, Germany, and Australia, the company found that not only is the number of fake domains multiplying, but many of them are using their own trusted TLS certificates. Talk about legit.

Combine this with a web address that differs from the real one by only a few characters, which can pass when visitors’ eyes gloss over it, and you have a problem. According to Venafi, it has become an “increasingly difficult” task for consumers to separate fraudulent domains from legitimate ones. When a trusted TLS certificate is thrown into the mix, fraudulent websites can appear to be safe places to shop online.

“Domain spoofing has always been a keystone technique of web attacks that focus on social engineering, and the movement to encrypt all web traffic does not shield legitimate retailers against this very frequent method,” according to Jing Xie, Venafi senior threat intelligence analyst. “Because malicious domains now must have a legitimate TLS certificate in order to function, many companies feel that certificate issuers should own the responsibility of vetting the security of these certificates.”

The company’s research into the subject revealed that many fraudulent domains rely on certificates which are free, such as those on offer from Let’s Encrypt. The recent exploits of the threat group Magecart are a good example of how shopping fraud can impact both consumers and retailers. One of the hacking outfit’s latest victims was US retailer Newegg; Magecart registered a look-alike domain together with a legitimate certificate issued by Comodo.

The legitimate domain was compromised with a card skimmer and the fake domain was pointed to a server that received credit card information stolen from Newegg customers.

A total of 84% of the fake and malicious domains examined in the Venafi report use free certificates from Let’s Encrypt to function and pose as legitimate. Venafi says that the total number of certificates issued for domains masquerading as legitimate, well-known retailers is over 200 percent greater than the number issued to valid e-commerce platforms.

“Ultimately, we should expect even more malicious lookalike websites designed for social engineering to pop up in the future,” Xie says. “In order to protect themselves, enterprises need effective means to discover domains that have a high probability of being malicious through monitoring and analyzing certificate transparency logs.”
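The certificate transparency monitoring Xie recommends can be reduced to a small scoring pass over the SAN list of each newly logged certificate. The following is an added example, not Venafi's code or anything from the article; it runs over constructed CT log records, uses "example-shop.com" as a placeholder for a retailer's real domain, and flags registrations that match the brand after homoglyph and hyphen normalization, embed the brand name, or sit within two edits of it.

```python
import unicodedata

# Constructed CT log records (not real certificates); 'example-shop.com' is a placeholder brand.
SAMPLE_CT_ENTRIES = [
    {"issuer": "Let's Encrypt", "dns_names": ["example-shop.com", "www.example-shop.com"]},
    {"issuer": "Let's Encrypt", "dns_names": ["examp1e-shop.com"]},
    {"issuer": "Let's Encrypt", "dns_names": ["*.example-shop-deals.net"]},
    {"issuer": "Comodo", "dns_names": ["exampleshop.com"]},
    {"issuer": "Let's Encrypt", "dns_names": ["unrelated-store.org"]},
]
PROTECTED = {"example-shop.com"}  # the retailer's own legitimate domains (assumption)
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

def registrable(name):
    """Lower-case a SAN, drop a leading wildcard, keep the last two labels (no public-suffix list)."""
    return ".".join(name.lower().lstrip("*.").split(".")[-2:])

def normalize_label(label):
    """Fold Unicode compatibility forms, map digit/symbol homoglyphs back to letters, drop hyphens."""
    return unicodedata.normalize("NFKC", label).translate(HOMOGLYPHS).replace("-", "")

def edit_distance(a, b):
    # Levenshtein distance, computed row by row.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_reason(domain, brand):
    """Return why `domain` resembles `brand`, or None if it does not."""
    d_label, b_label = normalize_label(domain.split(".")[0]), normalize_label(brand.split(".")[0])
    if d_label == b_label:
        return "brand label after normalization (homoglyphs, hyphens, TLD)"
    if b_label in d_label:
        return "brand name embedded in a longer label"
    if edit_distance(d_label, b_label) <= 2:  # tighten this bound for very short brand names
        return "within two edits of the brand label"
    return None

def scan_ct_entries(entries, protected):
    """Return (domain, issuer, reason) for each SAN that resembles a protected brand."""
    hits = []
    for entry in entries:
        for dom in sorted({registrable(s) for s in entry["dns_names"]} - protected):
            reasons = [r for r in (lookalike_reason(dom, b) for b in protected) if r]
            if reasons:
                hits.append((dom, entry["issuer"], reasons[0]))
    return hits
```

In practice the `entries` list would be fed from a live CT log stream, and the issuer column lets a defender track the share of flagged domains using free certificates, as the Venafi figures above do.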
