Malwarebytes - Phishing Scam Exploiting Free CloudFlare SSL Certificate

Malwarebytes recently highlighted that cybercriminals have used a free SSL certificate from CDN (content delivery network) and DNS (Domain Name System) provider CloudFlare in a phishing email to increase the trust level in a malicious link.

CloudFlare services had been abused before and the company announced on 29th September, 2014 that to increase protection of its customers, it would support SSL (Secure Sockets Layer) connections to each of its clients irrespective of their payment for a subscription or registration for free service.

With the help of this move, the company doubled the number of websites which supported encrypted connections.

Softpedia.com published news on 13th December, 2014 stating that Jerome Segura, a Security Researcher of Malwarebytes, has noticed a new email campaign leveraging a site benefiting from a free CloudFlare certificate to deliver malware.

The malicious message claimed that there is a notice from cloud-based, remote connectivity service provider LogMeIn about an alleged problem in extending the service subscription due to lack of funds.

The HTTPS link in the email indicated an invoice showing the details of the transaction and users mostly believed that the download file was authentic because it indicated a secure connection.

Malwarebytes reported this URL to CloudFlare and hopes that they can cancel the SSL certificate and close the site.

Blog.malwarebytes.org published news on 11th December, 2014 quoting Segura as saying "In some cases SSL certifications may be like digitally signed files where creating some level of trust but one should still be cautious and should not believe blindly that everything is fine."

It might be difficult to keep up with each and every new site which wants to abuse the system (cat-and-mouse game) although domain name, registrar details and registrant seemed to be suspicious in this case.

Malwarebytes says that they expect cyber criminals to start using more and more SSL as it is freely available and not very difficult to put in place.

Therefore, security experts advise to employ anti-phishing security software solution on your computer to reduce the success rate of such types of phishing campaigns.

» SPAMfighter News - 12/23/2014