Free Certificates of Let’s Encrypt Being Used in Malvertising Campaign

Distribution of free digital certificates by an organization benefits cybercriminals, which is generating a difference over how to tackle this mishandling.

Trend Micro wrote on 5th January, 2016, stating that it exposed a cyberattack on 21st December which was designed to install banking malware on computers.

cio posted on 6th January, 2016, stating that cybercriminals had compromised a genuine website and created a subdomain leading to a server under their control. The subdomain will show a malicious advertisement, which would redirect user to sites hosting the Angler exploit kit that looks for vulnerabilities of software to install malware.

The subdomain used an SSL/TLS certificate, encrypting traffic between a server and the computer of a user.

The use of encryption protects the malware from security scanners of the network during transit and the certificate helps to legitimize the malicious site.

Before installing a certificate of Let's Encrypt, an anonymous web server was compromised by the attackers, an own subdomain was formed for website of the server, and acquired a free HTTPS certificate for that sub-domain. The certificate was issued by Let's Encrypt, a project that is run by the ISRG.

Let's Encrypt entered public beta on 3rd December, and used certificate of Let's Encrypt on 21st December to hide its operations as per the researchers of Trend Micro on the first malvertising campaign.

The campaign continued till 31st December, and affected mainly users located in Japan. Users, who received these malicious ads through this campaign, were taken to a page contained the Angler exploit kit, which infected them with Vawtrack banking Trojan.

This project is destined to see more abuses with webmasters realizing its actual capabilities as Let's Encrypt was installed on 1871 websites out of most famous 1 million websites.

As a policy, Let's Encrypt had decided not to cancel certificates. The organization explained in October that Certification Authorities (CAs) are not armed with police content.

It is very difficult for any CA to stop the creation of new certificates for different domains by attackers, and moreover CAs cannot identify and respond fast enough.

To stop malicious ads, online ad brokers can implement internal controls as alternative approach.

» SPAMfighter News - 1/12/2016