First certificates, first abuse? Cyber security firm Trend Micro yesterday published a blog post detailing a malvertising campaign its teams spotted in Japan. What sets this campaign apart is its use of certificates issued by the new certificate authority Let’s Encrypt, which offers free certificates that users can deploy automatically.
“Unfortunately, the risk of abuse of Let’s Encrypt certificates has always been present,” wrote Trend Micro on its blog. The cybercriminals used a technique called “domain shadowing”.
The idea of domain shadowing is for attackers to obtain the password used by the administrator of a legitimate domain name. This lets them set up a subdomain without the legitimate administrators’ knowledge, hosting an advertisement that redirects users to the Angler Exploit Kit.
This page is then distributed through the programmatic advertising tools that have become popular on the web. This is what Trend Micro spotted, and the company states that the certificates the attackers used for their pages were issued by the Let’s Encrypt certificate authority.
“Cases of this type, where the attackers are able to create a subdomain on a legitimate domain name, are problematic. A CA that automatically issues certificates for these subdomains may unintentionally help criminals, without the owner of the domain name in question being aware of the approach or able to prevent it. The issuance of these DV (Domain Validation) certificates can allow attackers to strengthen their legitimacy in the public eye,” summarizes Trend Micro on its blog.
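A defender-side check for the shadow-subdomain pattern described above, added here as an example and not code from Trend Micro, Let’s Encrypt or the original article: it compares the hostnames a zone owner actually manages against a feed of issued certificates (Certificate Transparency logs are the assumed source; the records below are constructed) and flags any subdomain that received a certificate without being on the owner’s list.

```python
"""Flag certificates issued for subdomains the zone owner never authorised.
Domain shadowing plants a subdomain on a legitimate domain and obtains a DV
certificate for it; comparing issued-certificate names against the owner's own
hostname list surfaces it.  RECORDS is constructed sample data shaped like a
Certificate Transparency log export (assumed data source), not real issuances."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class CertRecord:
    name: str        # DNS name in the certificate (SAN or CN)
    issuer: str      # issuer common name
    not_before: str  # issuance date, ISO 8601

def normalise(name: str) -> str:
    """Lower-case and drop a trailing dot so zone and log spellings compare equal."""
    return name.strip().lower().rstrip(".")

def is_under(name: str, domain: str) -> bool:
    """True if name is the domain itself or any subdomain of it."""
    return name == domain or name.endswith("." + domain)

def shadow_candidates(domain, authorised, records):
    """Sorted (name, issuer, not_before) tuples for certificate names under
    `domain` that match none of the owner's authorised hostname patterns.
    Patterns may use shell-style wildcards, e.g. '*.cdn.example.org'."""
    domain = normalise(domain)
    patterns = [normalise(p) for p in authorised]
    hits = set()
    for rec in records:
        name = normalise(rec.name)
        if not is_under(name, domain):
            continue  # another domain entirely; out of scope
        if any(fnmatchcase(name, p) for p in patterns):
            continue  # hostname the owner knows about
        hits.add((name, rec.issuer, rec.not_before))
    return sorted(hits)

# Constructed sample: the owner knows three hostname patterns; the certificate
# feed shows one extra subdomain that nobody in the organisation created.
AUTHORISED = ["example.org", "www.example.org", "*.cdn.example.org"]
RECORDS = [
    CertRecord("www.example.org", "Example CA", "2015-12-01"),
    CertRecord("img1.cdn.example.org", "Example CA", "2015-12-10"),
    CertRecord("Ad-Srv7.example.org.", "Let's Encrypt", "2015-12-21"),
    CertRecord("www.other.test", "Example CA", "2015-12-22"),
]

if __name__ == "__main__":
    for hit in shadow_candidates("example.org", AUTHORISED, RECORDS):
        print("unexpected certificate:", *hit)
```

Any hit is a subdomain to verify with the zone’s administrators; a hit the owner cannot account for is the signal that their DNS credentials may have been misused.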
Disagreement over the role of certificates
The cyber security company called, among other things, for the revocation of the certificates issued by Let’s Encrypt, but the CA is not inclined to do so. As Josh Aas, Executive Director of the ISRG, explained to ZDNet: “We do not believe that the certificate ecosystem is the appropriate mechanism to fight phishing and malware on the web. Other measures, such as Safe Browsing, SmartScreen or, in this case, the advertising network’s control policy, are more effective and appropriate.” The CA points to a blog post dated October explaining its position on the matter. Josh Aas accordingly clarifies that the certificates in question had not been revoked, but that the sites hosting malware were taken offline.
Trend Micro’s charge may seem surprising, but a line in its blog post perhaps explains it: the cyber security company also operates a certificate authority and may have seen in this news an opportunity to take a swipe at a competitor. For its part, Let’s Encrypt prefers to keep its distance and recalls that its DV certificates are not meant to vouch for the content of the sites that use its services.
Let’s Encrypt does check domains requesting its certificates against the Google Safe Browsing API, but considers that it is not its role to implement additional controls. In this scenario, one might as well cast the first stone at the holder of the offending domain name, who apparently left the keys within the cybercriminals’ reach.