Dozens of rogue self-signed SSL certificates used to impersonate high-profile sites

The certificates could be used to launch man-in-the-middle attacks against desktop and mobile apps with poor certificate validation

Dozens of self-signed SSL certificates created to impersonate banking, e-commerce and social networking websites have been found on the Web. The certificates don't pose a big threat to browser users, but could be used to launch man-in-the-middle attacks against users of many mobile apps, according to researchers from Internet services firm Netcraft who found the certificates.

"The fake certificates bear common names (CNs) which match the hostnames of their targets (e.g. www.facebook.com)," the Netcraft researchers said Wednesday in a blog post. "As the certificates are not signed by trusted certificate authorities, none will be regarded as valid by mainstream web browser software; however, an increasing amount of online banking traffic now originates from apps and other non-browser software which may fail to adequately check the validity of SSL certificates."

Among the self-signed certificates found by Netcraft were certificates for domain names belonging to Facebook, Google, Apple, Russian bank Svyaznoy and large Russian payment services provider Kiwi.ru.

If an application doesn't properly validate the authenticity of certificates it encounters, attackers can use self-signed certificates that are not issued by legitimate certificate authorities (CAs) to launch man-in-the-middle attacks against that application's users.

Such attacks involve intercepting the connections between targeted users and SSL-enabled services and re-encrypting the traffic with fake or forged certificates. Unless victims manually check the certificate details, which is not easy to do in mobile apps, they would have no idea that they're not communicating directly with the intended site.

In order to pull-off man-in-the-middle attacks, hackers need to gain a position that would allow them to intercept traffic. This is relatively easy to do on wireless networks using techniques like ARP spoofing, but can also be done by compromising a router or by hijacking the victim's DNS settings.

Web browsers are generally safe against man-in-the-middle attacks if attackers don't use valid certificates obtained illegally by theft or by compromising certificate authorities. That's because over the years the SSL implementations in browsers have been thoroughly tested, patched and strengthened.

If modern browsers encounter a self-signed certificate, they will prompt a hard-to-ignore warning that will force users to either stop or manually confirm that they want to proceed despite the security risks. However, that's not the case with many other desktop or mobile applications.

In 2012 a team of researchers from Stanford University and the University of Texas at Austin investigated the SSL implementations in many non-browser applications, both desktop and mobile. "Our main conclusion is that SSL certificate validation is completely broken in many critical software applications and libraries," they said in their research paper at the time. "When presented with self-signed and third-party certificates -- including a certificate issued by a legitimate authority to a domain called AllYourSSLAreBelongTo.us -- they establish SSL connections and send their secrets to a man-in-the-middle attacker."

That same year another team of researchers from the Leibniz University of Hannover and Philipps University of Marburg in Germany analyzed 13,500 popular Android applications from Google Play and found that 1,074 of those applications contained SSL code that either accepted all certificates -- including self-signed ones -- or accepted certificates issued by legitimate authorities for domain names different than the ones the apps connected to.

It doesn't seem things have changed too much over the past two years. Researchers from security firm IOActive recently analyzed mobile banking apps for iOS devices from 60 financial institutions from around the world and found that while most of them used SSL, 40 percent of them did not did not validate the authenticity of digital certificates they received from servers, making them vulnerable to man-in-the-middle attacks.

Some of the self-signed certificates found by Netcraft tried to mimic legitimate certificates down to the name of certificate authorities that supposedly issued them, which suggests they were specifically created for malicious purposes.

One rogue certificate for *.google.com was crafted to appear as if it were issued by America Online Root Certification Authority 42, closely mimicking a legitimate AOL CA trusted in all browsers, the Netcraft researchers said.

A certificate for login.iqbank.ru claimed to have been issued by Thawte, another legitimate certificate authority, and the rogue certificate for qiwi.ru claimed it had been issued by SecureTrust, a CA operated by Trustwave. The certificate for *.itunes.apple.com was crafted to appear as if it was signed by VeriSign.

This is in clear contrast with some self-signed certificates for high-profile domain names that were also found, but don't appear to be serving a malicious purpose. One such certificate, issued for several Google-owned domains, was signed by a made-up certificate authority called Kyocast Root CA. KyoCast is a third-party modification for rooted Chromecast devices that allows them to access services outside of Google. It intentionally redirects connections that should normally go to Google's services to servers operated by KyoCast and the self-signed the certificate is used in that operation.

There have been signs lately of cybercriminals becoming interested in large-scale man-in-the-middle attacks. The Polish Computer Emergency Response Team (CERT Polska) reported last week that attackers were exploiting vulnerabilities in home routers in Poland to change their DNS settings and intercept online banking traffic from users.

Those particular attacks used a technique called SSL stripping to overcome banks using HTTPS on their sites, but certificate chain validation weaknesses in mobile banking apps could easily be exploited to achieve the same result, and with fewer indications to victims that an attack is in progress.

Join the CSO newsletter!

Error: Please check your email address.

Tags online safetysecurityNetcraftCERT PolskaencryptionExploits / vulnerabilitiesprivacyIOActivepki

More about America OnlineAOLAppleCERT AustraliaComputer Emergency Response TeamFacebookGoogleNetcraftStanford UniversityThawteTrustwaveVeriSign Australia

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place