SSL/TLS certificates do thriving trade on dark web
TLS certificates are being sold on the dark web, both individually and packaged with a wide range of crimeware, according to new research sponsored by machine identity protection provider Venafi.
The research, conducted by the Evidence-based Cybersecurity Research Group at the Andrew Young School of Policy Studies at Georgia State University and the University of Surrey, found evidence of thriving marketplaces for misappropriated TLS and SSL certificates.
Five black markets on the Tor network were found to offer a steady supply of SSL/TLS certificates, at prices varying from US$260 to US$1600 depending on the type offered and the scope of bundled services.
These services, together with the illicit certificates, provide cybercriminals with what is effectively a machine-identities-as-a-service offering, allowing them to spoof websites, eavesdrop on encrypted traffic, perform man-in-the-middle attacks and steal sensitive data.
One search of the five black markets conducted by the researchers found nearly six times as many mentions of SSL as there were for ransomware.
The wares uncovered by the researchers included extended validation certificates and services to support malicious websites, such as Google-indexed aged domains, and even web design services and integration with payment processors such as PayPal, Stripe and Square.
At least one vendor offers certificates from reputable authorities packaged with forged company documentation that allows attackers to credibly present themselves as a trusted US or UK company for less than US$2000.
Security researcher and report author Dr David Maimon, associate professor and director of the Evidence-based Cybersecurity Research Group, said the findings of the research represent cause for concern for internet security.
“One very interesting aspect of this research was seeing TLS certificates packaged with wraparound services — such as web design services — in order to give attackers immediate access to high levels of online credibility and trust,” he said.
“It was surprising to discover how easy and inexpensive it is to acquire extended validation certificates, along with all the documentation needed to create very credible shell companies without any verification information.”