
Certificate authorities duped to sell legitimate digital certificates that can spread malware

By now you have probably received an email promising a large inheritance, or one from someone posing as your boss with an unusual demand, perhaps even a request to buy a digital certificate. This is digital certificate fraud. One way such emails can threaten you, your systems and your information is through the misuse of a digital certificate: a certificate that was obtained in your name, or in the name of someone the attacker is impersonating.

Researchers have identified a new kind of certificate fraud in which threat actors purchase legitimate code signing certificates from certificate authorities under a stolen identity. Those certificates could be used to spread, you guessed it, malware. The certificates thus bought are then sold on the black market to potential buyers.

So how does all this even begin or happen?

The fraud begins with a reconnaissance phase in which the threat actors select the right target to impersonate, trawling through publicly available information to find one.

“A person well-established in their industry, with easily verifiable history is a preferred target. Since the goal is to acquire a code signing certificate, the perfect victim is someone working in the software industry,” the researchers note in their analysis.

LinkedIn has become a viable place to search for these targets. Once a target is identified, the threat actors scrape the details from the public LinkedIn profile page and use them to pass the certificate authority's identity validation process.

How the domain check is gamed

Researchers note that the attackers rely on a look-alike domain under a different top-level domain (for example the .CO.UK counterpart of the target's .COM) to mislead the certificate authority during its identity validation process.

“The gamble is that the person verifying the certificate issuance request will assume that the same company owns both the global .COM and the regional .CO.UK domains for their business,” reads the analysis published by the researchers.
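The check a verifier (or anyone reviewing certificate requests) would want against this trick is to compare the registrable domain of the site that was looked up with the registrable domain the applicant actually controls, and to flag the case where the name matches but the public suffix does not. The script below is an added example written for this post; it is not code from the researchers' report. The public-suffix table is a constructed subset of the real Public Suffix List, and the sample requests are made-up data.

```python
"""Flag look-alike applicant domains that differ only in their public suffix.

Added example for this post, not part of the researchers' analysis.
PUBLIC_SUFFIXES is a constructed subset; a production check should load the
full Public Suffix List (https://publicsuffix.org/) instead.
"""

# Constructed subset of public suffixes. Multi-label entries such as
# 'co.uk' are the ones that matter for the .COM vs .CO.UK trick.
PUBLIC_SUFFIXES = {
    "com", "net", "org", "io",
    "uk", "co.uk", "org.uk", "ac.uk",
    "de", "fr",
    "au", "com.au", "net.au",
    "jp", "co.jp",
}


def registrable_domain(hostname):
    """Split a hostname into (name_label, public_suffix).

    'www.example.co.uk' -> ('example', 'co.uk')
    'shop.example.com'  -> ('example', 'com')
    Returns None when the hostname is itself a public suffix ('co.uk') or
    ends in a suffix this table does not know.
    """
    labels = hostname.lower().strip(".").split(".")
    # Walk from the longest candidate suffix to the shortest so that
    # 'co.uk' is matched before 'uk'.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # the whole hostname is a public suffix
            return labels[i - 1], candidate
    return None


def classify_pair(claimed_domain, applicant_domain):
    """Compare the domain the verifier looked up (the company's well-known
    site) with the domain the applicant demonstrably controls (e.g. the
    domain of the contact e-mail address).

    Verdicts:
      'same'      identical registrable domain (subdomains are fine)
      'lookalike' same name label under a different public suffix
      'different' unrelated domains
      'invalid'   one side has no registrable domain
    """
    claimed = registrable_domain(claimed_domain)
    applicant = registrable_domain(applicant_domain)
    if claimed is None or applicant is None:
        return "invalid"
    if claimed == applicant:
        return "same"
    if claimed[0] == applicant[0]:
        return "lookalike"
    return "different"


# Constructed sample validation requests (hypothetical data).
SAMPLE_REQUESTS = [
    {"id": "req-1", "org_website": "acmesoft.com", "contact_email": "ops@acmesoft.com"},
    {"id": "req-2", "org_website": "acmesoft.com", "contact_email": "ops@acmesoft.co.uk"},
    {"id": "req-3", "org_website": "www.acmesoft.com", "contact_email": "ceo@mail.acmesoft.com"},
    {"id": "req-4", "org_website": "acmesoft.com", "contact_email": "help@unrelated.org"},
]


def flag_requests(requests):
    """Return {request id: verdict} for every request that is not a clean match."""
    verdicts = {}
    for req in requests:
        mail_domain = req["contact_email"].rsplit("@", 1)[-1]
        verdict = classify_pair(req["org_website"], mail_domain)
        if verdict != "same":
            verdicts[req["id"]] = verdict
    return verdicts


if __name__ == "__main__":
    for req_id, verdict in flag_requests(SAMPLE_REQUESTS).items():
        print(f"{req_id}: {verdict}")
```

A 'lookalike' verdict is exactly the .COM versus .CO.UK situation described above and should send the request to a human for a second look rather than being treated as ownership of the well-known domain; a 'different' verdict is ordinary and just means the applicant has not proven control of the claimed site at all.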

The final execution steps

Once the infrastructure is in place, the threat actors purchase the certificates and verify that they work. The verification is done using public antivirus scanning services.

Once verification is done and a buyer's order has been placed and paid for, it takes only a few days for the purchase to be fulfilled. Payment can be made through Skrill, PayPal and WebMoney. So, as always, be mindful of the emails you receive and check who the sender really is.

Like and follow us on social media (we are on LinkedIn, Facebook, Twitter and Instagram). Your business matters. Protect it.

