Let's Encrypt Issues 15,000 Fraudulent "PayPal" Certificates Used for Cybercrime
28.3.2017 Securityweek CyberCrime
Free and open Certificate Authority (CA) Let’s Encrypt has issued nearly 15,000 certificates containing the term “PayPal” for phishing sites to date, a security researcher has discovered.
According to encryption expert Vincent Lynch, 96.7% of the 15,270 security certificates containing the term PayPal that Let’s Encrypt has issued since March last year have been issued for phishing sites. Most of these certificates have been issued since November 2016.
Launched publicly in December 2015 and out of beta in April 2016, Let’s Encrypt is an initiative built on the idea of encrypting websites and serving them over Transport Layer Security (TLS), thus protecting users’ data from eavesdroppers. The CA’s certificates are offered for free, and the issuance and maintenance processes are automated, to make it easier for website owners to obtain certificates.
Even before being launched, Let’s Encrypt fueled fears that it could be abused by cybercriminals for their nefarious purposes. What’s more, the CA claims that it is not its job to stop malicious sites from using its certificates, meaning that phishers can use its certificates without fearing they might be banned, Lynch notes.
“Despite the concerns of many around the industry, Let’s Encrypt’s stance is in full compliance with industry standards. Regardless, that policy in combination with offering free certificates does create a very attractive environment for phishers,” he says.
In early March, the encryption expert urged Let’s Encrypt to stop issuing PayPal certificates because of their use for phishing. At the time, he estimated that the CA had issued 988 certificates containing the term PayPal, and that 99.5% of them were being used (or had been used) for phishing.
Now, based on newly received data, Lynch says that the previous number was a significant underestimate and that Let’s Encrypt has actually issued a total of 15,270 SSL certificates containing the word “PayPal,” 14,766 of which were (or are) used for phishing. The estimate is based on the analysis of a random sample of 1,000 certificates, 96.7% of which were intended for use on phishing sites.
The number of PayPal certificates issued by Let’s Encrypt has been growing at a steady rate of around 1,250 per month since November last year, which was also the first month in which more than 1,000 such certificates were issued (twice the amount issued during the previous month). The CA issued 2,530 PayPal certificates in December 2016, 3,995 in January 2017, and 5,101 in February 2017.
According to Lynch, there’s no apparent specific cause for the increase. However, it seems that the issuance rate has started to decline this month. Even so, Let’s Encrypt is expected to issue 20,000 additional PayPal certificates by the end of this year.
Phishing sites usually have a very short lifespan, mainly because they tend to be flagged and blocked rather fast, which explains why cybercriminals tend to register as many of them as possible. Making them look as legitimate as possible also helps these sites stay alive for longer.
“The various initiatives encouraging HTTPS are likely to appeal to phishers as well. There are a number of performance benefits (such as HTTP/2) only available to sites using HTTPS. In addition, sites using valid SSL certificates are given trusted UI indicators by browsers (the padlock icon in all browsers, the “Secure” label in Chrome) which make a phishing site look more legitimate,” Lynch notes.
In a mailed comment, Ilia Kolochenko, CEO of web security company High-Tech Bridge, told SecurityWeek that he agrees that CAs shouldn’t be responsible for blocking malicious websites from obtaining security certificates.
“I think we should separate HTTP traffic encryption and website identity verification questions. Let’s Encrypt’s mission is to globally convert plaintext HTTP traffic to encrypted HTTPS traffic, and they are doing it pretty well. Nonetheless, they should have foreseen massive abuse by phishers, and implemented at least some basic security verifications, such as refusing SSL certificates for domains that contain popular brand names inside,” he said.
According to Kolochenko, the fact that web browsers mark HTTPS sites as trusted is actually a bigger issue in this regard, because they encourage users to blindly trust the website without any justifiable reason. Because of that, he says, it’s rather difficult to measure whose carelessness contributed more to the increase in phishing campaigns.
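The brand-name check Kolochenko describes is straightforward to run on the defender's side against certificate subject names (for example, names pulled from a certificate-monitoring feed). The example below is added here and is not code from Let's Encrypt or from either researcher; it assumes a constructed list of SAN host names, treats only paypal.com as the brand's legitimate registered domain, and uses a deliberately tiny public-suffix table in place of the real Public Suffix List.

```python
# Constructed sample: DNS names as they might appear in certificate SANs.
# Assumptions for this example: paypal.com is the only legitimate registered
# domain for the brand, and MULTI_LABEL_SUFFIXES stands in for the real
# Public Suffix List, which a production tool would load instead.
BRAND = "paypal"
LEGIT_DOMAINS = {"paypal.com"}
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

SAMPLE_SANS = [
    "www.paypal.com",                   # legitimate: registered domain is paypal.com
    "*.paypal.com",                     # wildcard on the legitimate domain
    "paypal.com.secure-login.example",  # brand used as a subdomain of another domain
    "paypal-verify.co.uk",              # brand inside a two-label public suffix
    "my-paypal-account.com",            # brand embedded in the registered domain
    "paypa1.com",                       # homoglyph: a substring check does NOT catch this
    "example.com",
]


def registered_domain(host):
    """Return the registrable domain: the last two labels, or three when the
    last two labels form a known multi-label public suffix."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_brand_abuse_candidate(host):
    """True when the brand string appears in the host name but the host does
    not belong to one of the brand's legitimate registered domains."""
    if BRAND not in host.lower():
        return False
    return registered_domain(host) not in LEGIT_DOMAINS


def flag_sans(sans):
    """Return the subset of host names worth reviewing as brand impersonation."""
    return [h for h in sans if is_brand_abuse_candidate(h)]


if __name__ == "__main__":
    for host in flag_sans(SAMPLE_SANS):
        print("review:", host, "->", registered_domain(host))
```

The homoglyph entry shows the limit of this approach: a substring match on the brand name is a cheap first filter, not a lookalike-domain detector.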
However, he also voiced fears that the idea of encrypting all web traffic could result in malware being able to bypass security mechanisms more efficiently:
“I am quite sure that if we see how many Let’s Encrypt SSL certificates are used by malware to exfiltrate stolen data, the results will be pretty scary. Therefore, it’s difficult to predict how Let’s Encrypt will shape its growth strategy in the future to preclude cybercriminals from abusing its desire to make the web safer.”
Representatives from the Linux Foundation (the group behind the Let's Encrypt project) did not immediately respond to a request for comment.