Certificate authorities Let’s Encrypt and Comodo were responsible for nearly all phishing sites with valid SSL/TLS certificates, according to a new analysis.
Anti-phishing firm Netcraft says it blocked 47,500 sites with a valid SSL certificate in the first quarter of 2017, with 61 percent of the sites using certificates from Let’s Encrypt and 36 percent from Comodo. Two years ago Netcraft found that CloudFlare was the main provider of SSL certificates for phishing sites.
The sites were blocked based on an analysis by Netcraft’s Deceptive Domain Score service, which checks whether a hostname or domain name is likely being used to impersonate another firm. Example hostnames that scored extremely high included “login-appleid.com-direct-apple.com”, “payepal.com-signin-country-localed.access-logons.com”, “payqal.limited”, and “servicesonline-americanexpress.com”.
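A minimal name-based scoring heuristic of the kind described above, as an added example: it is not Netcraft’s Deceptive Domain Score algorithm, which the article does not describe. The brand list, weights and threshold are constructed assumptions, and the registrable domain is approximated as the last two labels.

```python
import re

# Constructed watch list (assumption): brand token -> its real registrable domain.
BRANDS = {"apple": "apple.com", "paypal": "paypal.com",
          "americanexpress": "americanexpress.com"}
FAKE_TLD_TOKENS = {"com", "net", "org"}
LURE_TOKENS = {"login", "signin", "secure", "account", "verify"}
THRESHOLD = 4  # assumed cut-off for "review before issuing or visiting"

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(hostname):
    # Simplification: last two labels. Real code should use the Public Suffix List.
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])

def score_hostname(hostname):
    """Return (score, reasons); a higher score means likelier brand impersonation."""
    host = hostname.lower().rstrip(".")
    tokens = [t for t in re.split(r"[.-]", host) if t]
    score, reasons = 0, []
    for brand, real in BRANDS.items():
        if registrable_domain(host) == real:
            continue  # the brand's own domain and its subdomains
        for tok in tokens:
            if tok == brand:
                score += 5
                reasons.append(f"brand '{brand}' outside {real}")
            elif len(brand) >= 6 and edit_distance(tok, brand) == 1:
                score += 4  # fuzzy match only for longer brands, to limit noise
                reasons.append(f"'{tok}' resembles '{brand}'")
    if FAKE_TLD_TOKENS & set(tokens[:-1]):
        score += 3
        reasons.append("TLD-like token before the real TLD")
    lures = LURE_TOKENS & set(tokens)
    if lures:
        score += len(lures)
        reasons.append("credential lure words: " + ", ".join(sorted(lures)))
    return score, reasons

if __name__ == "__main__":
    for h in ("login-appleid.com-direct-apple.com", "payqal.limited", "www.paypal.com"):
        print(h, score_hostname(h))
```

All four hostnames quoted in the article reach the assumed threshold, while the brands’ own domains score zero.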
Both CAs offer free SSL certificates issued through automated processes, which makes them attractive to fraudsters, notes Netcraft internet services manager Robert Duncan.
Gaining a valid certificate helps convince victims the site is legitimate, since browsers display a padlock or “secure” label to indicate a secure connection.
Netcraft has seen a surge in the number of phishing certificates since the beginning of the year. It currently blocks 2,326 phishing certificates from Let’s Encrypt and 1,706 from Comodo, figures that dwarf those for other major CAs, such as GoDaddy and Symantec. Last September it was blocking fewer than 500 phishing certificates.
Duncan is calling for the two CAs to do more to prevent fraud by not issuing certificates for obvious phishing domains, such as the bogus Apple and PayPal domains.
The call for change follows a report in March that Let’s Encrypt had issued over 15,000 SSL certificates that contained the word PayPal. An analysis of 1,000 of the domains found that 96.7 percent of the domains hosted phishing sites, BleepingComputer reported at the time.
Duncan says Let’s Encrypt’s policy of checking Google’s Safe Browsing API for phishing sites does not provide effective “pre-issuance blocking”.
“It does not match the reality of automated certificate deployment, where the certificate is likely to be issued and installed before the phishing content has been uploaded, detected, and blocked,” he notes.
“All of the Let's Encrypt certificates that Netcraft found on phishing sites were issued despite the Safe Browsing check and the additional name-based blocking,” he added.
The phishing certificates can confuse end users because of how Chrome and Firefox indicate that a site has a valid digital certificate.
In Chrome, HTTPS sites are labelled “Secure”, which is intended to convey to users that they’re using an encrypted connection. Chrome labels login pages as “Not Secure” if they don’t use an SSL certificate. Firefox also shows a “not secure” warning on the password field if the page is not served over HTTPS. The problem is that a phishing page with a valid certificate benefits from the “Secure” label, which may lull some users into a false sense of security.
“These warnings are likely to increase the prevalence of TLS on phishing sites, with fraudsters deploying TLS to both gain the positive "Secure" indicator, and now to avoid negative indicators when collecting passwords,” argues Duncan.