SSL certificates are supposed to act as certification that a website is safe, secure and controlled by legitimate operators. However, a new study has uncovered thriving marketplaces for cybercriminals to buy and sell SSL certificates, which casts doubt on the level of protection that SSL offers.
SSL (Secure Sockets Layer) certificates provide a secure channel between two machines connected to the internet, which is most commonly used to allow secure communication between a web server and a web browser. Websites with a secure connection will display a lock and start with HTTPS. Unsecured websites will display a “Not Secure” warning, which is usually a good sign of a vulnerable or untrustworthy website.
Before it can be used, an SSL certificate must be digitally signed by an organisation, which verifies its authenticity. This tells users that it is safe to enter sensitive information such as credit card details. However, this may no longer be enough to provide users with the security needed to protect against cybercrime.
SSL certificates for sale on the dark web
In a study sponsored by Venafi, a leader in providing machine identity protection, researchers from the Evidence-based Cybersecurity Research Group, Georgia State University and University of Surrey found five marketplaces on the Tor network that offered regular supplies of SSL certificates. With these certificates, cybercriminals could spoof legitimate websites, steal sensitive data, spread malware and eavesdrop on users.
On one marketplace, a search for SSL certificates returned more than 2,900 results, far more than similar searches for ransomware (512 results) and zero-day exploits (160).
At least one seller was offering certificates from reputable certificate authorities, which came complete with forged company documentation that would allow the buyer to pose as a legitimate, trusted company based in the United States or United Kingdom.
SSL certificates were available to purchase for just $260, with prices increasing into the thousands depending on the type of certificate up for sale. Some sellers were found to be including these certificates bundled with web design services which offered to create ecommerce stores “for your frauding escapades” that are so believable that “even you won’t notice it’s a con-site”.
“This study found clear evidence of the rampant sale of TLS [Transport Layer Security] certificates on the dark web,” Kevin Bocek, vice president of security and threat intelligence for Venafi, said. “TLS certificates that act as trusted machine identities are clearly a key part of cybercriminal toolkits — just like bots, ransomware and spyware.”
“There is a lot more research to do in this area, but every organisation should be concerned that the certificates used to establish and maintain trust and privacy on the internet are being weaponised and sold as commodities to cybercriminals.”