Serg Nvns - Fotolia

Study reveals sale of SSL/TLS certificates on dark web

Security researchers discovered the availability of SSL/TLS certificates for sale on the dark web, which allow cybercriminals to disguise their malicious activity as legitimate.

A recent study uncovered the availability of SSL/TLS certificates on the dark web that are often packaged with crimeware services designed to help cybercriminals create malicious sites that appear safe.

The study, which was conducted by researchers at the Evidence-Based Cybersecurity Research Group at Georgia State University and the University of Surrey, focused on the underground SSL/TLS certificate marketplace and its role in the wider cybercrime economy.

Sponsored by Salt Lake City-based machine identity protection provider Venafi, the study revealed a steady supply of SSL/TLS certificates in five of the Tor network markets researchers observed: Dream Market, Wall Street Market, BlockBooth, Nightmare Market and Galaxy3.

While personal information like Social Security numbers sells for $1 on the dark web, the study found SSL/TLS certificates sell for $260 to $1,600, depending on the type of certificate and scope of additional services offered.

Some sellers offer aged domains -- websites that have been registered and active for a long period of time -- along with after-sale support and integration with a range of legitimate payment processors, the study revealed. Newer, or young, domains can sometimes be flagged by security products as potentially unsafe.  

Authentic SSL/TLS certificates allow cybercriminals to create sites for phishing campaigns and other malicious activity that evade several web browser security measures, like HTTPS checks and safe browsing modes. Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said these dark web services essentially deliver "machine identities as a service" to cybercriminals. SSL/TLS certificates provide each machine with a unique machine identity and are used to convey trust to website visitors and search engines, Bocek said.  

"The identities of machines are a lot more valuable, a lot more interesting and a lot more important to hackers these days," he said. "Having a machine identity as part of your attack is actually a must-have today, because the browsers have now enforced a policy that if you don't have the TLS digital certificate, then your web service, website and your attack [are] going to be marked as not trusted at all. No hacker wants that."

Researchers found the vendors on online underground markets were offering the most trusted type of machine identity, the Extended Validation (EV) certificates for U.S. and U.K. companies, for less than $2,000, he added.

EV certificates allow the attackers to create trustworthy spoofed or malicious websites and encrypt the traffic between malicious servers to targeted users, making it difficult to spot problematic behavior, according to the report.

SSL/TLS certificates, Venafi, dark web
SSL certificates sold with website design services (Dream Market)

Safeguarding digital certificates

To ensure successful management of certificates and keys, organizations must have visibility into each of their SSL/TLS key and certificate, Bocek said, and they should recourse to automation for effective management of digital certificates.

SSL/TLS certificates, Venafi, dark web
EV certificates of U.S. companies -- no doc or verification required

An open framework like Certificate Transparency can also help security teams with monitoring SSL/TLS certificates, he added.

Monique Becenti, product and channel specialist at website security provider SiteLock, based in Scottsdale, Ariz., said she believes the sale of SSL/TLS certificates on the dark web is concerning, because consumers are advised to visit credible sites using SSL/TLS certificates to complete their online purchases.

"This proves the ingenuity cybercriminals possess to make money in a competitive and illegal underground marketplace," Becenti said in an email interview.

Marty Puranik, CEO of cloud computing and hosting services provider Atlantic.Net, based in Orlando, Fla., said he believes using tools for data exfiltration along with the SSL/TLS certificates may silently cause more damage over time.

"It will probably take a high-profile data leak related to this to escalate this as a major issue," Puranik said in an email interview. "Obviously, it's important for organizations to secure these certificates and reissue new ones -- and discontinue insecure ones -- in cases where they may have gotten out."

The identities of machines are a lot more valuable, a lot more interesting and a lot more important to hackers these days.
Kevin BocekVice president of security strategy and threat intelligence at Venafi

According to Andrew Howard, global CTO at Kudelski Security, the sale of SSL/TLS certificates should be expected as more of the internet becomes encrypted and attackers naturally migrate to techniques that attempt to circumvent this control.

"Internet users should not trust a site only because the SSL certificate is valid, even if it is an EV certificate," Howard said in an email interview. "As the report shows, these can also be spoofed with enough effort. It is our responsibility, as security professionals, to mitigate this attack vector, even if it proves difficult."

There are ways for organizations to safeguard their legitimate certificates, he said.

"The most secure method would be to use a hardware security module to store keys and perform the necessary cryptoprocessing," he said. "However, these devices can be expensive and may not be worth the price."

For those who are not using a strong hardware security, Howard said the focus should fall under monitoring for certificate misuse and evidence of compromise.

"If you only use your certificates sparingly, it may be enough to move your keys and signing activities to an isolated, secure network," he said. "For example, with code signing, keep your keys on an isolated system and just move your code to the system when it's ready to be signed. Ensure this network is never exposed to the internet and that you have strong processes in place to protect your keys from malicious insiders."

Dig Deeper on Identity and access management

Enterprise Desktop
  • Understanding how GPOs and Intune interact

    Group Policy and Microsoft Intune are both mature device management technologies with enterprise use cases. IT should know how to...

  • Comparing MSI vs. MSIX

    While MSI was the preferred method for distributing enterprise applications for decades, the MSIX format promises to improve upon...

  • How to install MSIX and msixbundle

    IT admins should know that one of the simplest ways to deploy Windows applications across a fleet of managed desktops is with an ...

Cloud Computing