14,766 Let's Encrypt SSL Certificates Issued to PayPal Phishing Sites

Solarquest

During the past year, Let's Encrypt has issued a total of 15,270 SSL certificates that contained the word "PayPal" in the domain name or the certificate identity.

Of these, approximately 14,766 (96.7%) were issued for domains that hosted phishing sites, according to an analysis carried out on a small sample of 1,000 domains, by Vincent Lynch, encryption expert for The SSL Store.

Security experts have warned of Let's Encrypt abuse
Lynch's analysis comes to confirm some of the fears voiced as early as 2015, around Let's Encrypt's early launch phase.

Encryption and infosec experts warned that by providing free SSL certificates, phishers, tech support scammers, and other malware authors would flock to obtain free certificates and move their operations onto HTTPS domains.

The first of these security incidents was a malvertising campaign that used Let's Encrypt certs, unearthed by Trend Micro in January 2016. Since then, there have been isolated cases, here and there, but nothing to hint at a mass abuse. Nevertheless, security researchers started spotting more and more of Let's Encrypt's certificates on malicious sites.

Phishers started abusing Let's Encrypt certs last year

......
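The count above comes from searching issued certificates for the string "PayPal" and then checking what the matching domains actually host. As an added example (not code from the article or from The SSL Store's analysis), the Python below runs that first step over a small constructed set of certificate records in a simplified schema (issuer plus subject DNS names) of the kind a Certificate Transparency log search returns. It reports, per issuer, how many certificates carry "paypal" in a name that is not under paypal.com, and what share one issuer accounts for. The records, the field names, the list of legitimate brand domains and the lookalike heuristic are all assumptions for illustration; whether a flagged domain really hosts phishing still has to be checked by visiting it, as Lynch did, and a plain substring match misses spellings such as "paypa1", which the sample includes on purpose.

```python
"""Count certificates whose subject names carry a brand keyword outside the
brand's real domain, grouped by issuing CA.

Added example. The record schema below is constructed for illustration and is
not the format of any real CT log or search service.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

BRAND = "paypal"
# Assumption: these are the only domains that legitimately carry the brand.
LEGIT_DOMAINS = ("paypal.com", "paypal.me")

# Constructed sample records: (issuer organisation, DNS names in the cert).
SAMPLE_CERTS: List[Tuple[str, List[str]]] = [
    ("Let's Encrypt", ["paypal-secure-login.example"]),
    ("Let's Encrypt", ["www.paypal.com.account-verify.example", "account-verify.example"]),
    ("Let's Encrypt", ["paypa1.example"]),             # digit 1 for l: substring match misses it
    ("Let's Encrypt", ["login.paypal.example.net"]),
    ("Let's Encrypt", ["mypaypaltips.example"]),       # keyword present, could be benign
    ("Let's Encrypt", ["shop.example.org"]),            # unrelated, must be ignored
    ("DigiCert", ["www.paypal.com", "paypal.com"]),     # the genuine brand domain
    ("Comodo", ["paypal-invoice.example"]),
]


def is_under(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it (label-boundary suffix test)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def brand_lookalike(names: Iterable[str]) -> List[str]:
    """DNS names that contain the brand keyword but are not under a legitimate brand domain."""
    hits = []
    for name in names:
        n = name.lower().lstrip("*.")   # treat a wildcard entry by its base name
        if BRAND in n and not any(is_under(n, d) for d in LEGIT_DOMAINS):
            hits.append(n)
    return hits


def tally(certs: Iterable[Tuple[str, List[str]]]) -> Dict:
    """Count lookalike certificates per issuer and keep the flagged names for review."""
    per_issuer: Counter = Counter()
    flagged = []
    for issuer, names in certs:
        hits = brand_lookalike(names)
        if hits:
            per_issuer[issuer] += 1
            flagged.append((issuer, hits))
    total = sum(per_issuer.values())
    return {"per_issuer": dict(per_issuer), "total": total, "flagged": flagged}


def share(stats: Dict, issuer: str) -> float:
    """Fraction of all flagged certificates that the given issuer signed."""
    if not stats["total"]:
        return 0.0
    return stats["per_issuer"].get(issuer, 0) / stats["total"]


if __name__ == "__main__":
    stats = tally(SAMPLE_CERTS)
    for issuer, n in stats["per_issuer"].items():
        print(f"{issuer}: {n} ({share(stats, issuer):.0%})")
    for issuer, hits in stats["flagged"]:
        print("review:", issuer, hits)
```

The flagged list is only a candidate set: "mypaypaltips.example" is caught by the same rule as the obvious lookalikes, and "paypa1.example" is not caught at all, which is why the published figure relied on inspecting a sample of the domains rather than on the keyword match alone.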
 

Danielx64

Care to share your experience? Thanks!
I have never used Let's Encrypt's certificates and I don't intend to. From what I've been told (and I haven't checked myself), Let's Encrypt's cert bot, or whatever the system is, calls home several times a minute to an unknown IP address and sends data to an unknown server.

Those who work on open source projects (like I do) can get a free SSL cert from:

SSL Certificate | Free Open Source Certificates - GoDaddy au

Free SSL Certificate for Open Source Projects
 

Amelith Nargothrond

I have never used Let's Encrypt's certificates and I don't intend to. From what I've been told (and I haven't checked myself), Let's Encrypt's cert bot, or whatever the system is, calls home several times a minute to an unknown IP address and sends data to an unknown server.

Those who work on open source projects (like I do) can get a free SSL cert from:

SSL Certificate | Free Open Source Certificates - GoDaddy au

Free SSL Certificate for Open Source Projects

I'm guessing Google, Microsoft and the others would not have granted the "secure, trusted" tag to Let's Encrypt if it weren't... well, secure. Just my thoughts on this. I mean, look at the Symantec punishment...

Thanks for sharing the other two!
 

Danielx64

I'm guessing Google, Microsoft and the others would not have granted the "secure, trusted" tag to Let's Encrypt if it weren't... well, secure. Just my thoughts on this. I mean, look at the Symantec punishment...

Thanks for sharing the other two!
You are welcome :) Just remember that those two are for open source projects only. (I don't want people to try and get one of those and come back crying because they couldn't.)
 

jamescv7

Remember that HTTPS does not mean secure at all; sometimes it can also be a tool to lure victims using a man-in-the-middle attack scheme to gather information without the user's knowledge.

So definitely do a thorough analysis of the websites we surf every day; phishers are also smart enough to copy the same-looking content for data stealing.
 

Danielx64

Remember that HTTPS does not mean secure at all; sometimes it can also be a tool to lure victims using a man-in-the-middle attack scheme to gather information without the user's knowledge.

So definitely do a thorough analysis of the websites we surf every day; phishers are also smart enough to copy the same-looking content for data stealing.
Something to think about: I use a password manager that fills out the forms for me. If I hit a fake PayPal site, my password manager is not going to fill out the login page for me, is it? No, because the URL that the password manager has won't match the URL in the address bar.
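The check Danielx64 describes is the one every browser password manager relies on: the credential is bound to the origin it was saved for, not to what the page looks like or whether a padlock is shown. As an added example (not code from any real password manager, and not part of the original post), the Python below implements that match against a tiny constructed vault. It normalises the page URL (lower-cases the host, applies default ports, IDNA-encodes non-ASCII labels so a Cyrillic homoglyph of "paypal" cannot collide with the Latin one) and offers a credential only on an exact scheme, host and port match, so a lookalike such as www.paypal.com.account-verify.example, a plain-HTTP copy, or a homoglyph domain with a perfectly valid certificate all get nothing. The vault entries and URLs are constructed; real managers additionally let a user opt into matching on the registrable domain, which this example deliberately does not do.

```python
"""Origin-bound autofill decision, the way a password manager refuses a
lookalike site. Added example with a constructed vault; not any product's code."""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

# Constructed vault: (origin the credential was saved on, username).
# Secrets are omitted; only the matching logic matters here.
VAULT: List[Tuple[str, str]] = [
    ("https://www.paypal.com", "alice@example.com"),
    ("https://mail.example.org", "alice"),
]


def canonical_origin(url: str) -> Optional[str]:
    """Return scheme://host:port with the host lower-cased and IDNA-encoded,
    or None if the URL has no usable http(s) host."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    host = parts.hostname.rstrip(".").lower()
    try:
        # A non-ASCII label becomes xn--..., so 'pаypal' (Cyrillic а) never
        # compares equal to the ASCII 'paypal' saved in the vault.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:          # malformed port in the URL
        return None
    return f"{parts.scheme}://{host}:{port}"


def credentials_for(page_url: str, vault: List[Tuple[str, str]] = VAULT) -> List[str]:
    """Usernames the manager would offer on page_url: exact origin match only.
    An empty list means 'do not fill', which is the signal a phishing page produces."""
    page = canonical_origin(page_url)
    if page is None:
        return []
    return [user for saved, user in vault if canonical_origin(saved) == page]


if __name__ == "__main__":
    for url in (
        "https://www.paypal.com/signin",
        "https://www.paypal.com.account-verify.example/signin",
        "http://www.paypal.com/signin",
        "https://www.p\u0430ypal.com/signin",   # Cyrillic а in place of Latin a
    ):
        print(f"{url:58} -> {credentials_for(url) or 'no fill'}")
```

Note what the check does not look at: the certificate. A Let's Encrypt certificate for the lookalike is valid and the browser shows a padlock, yet the manager still declines, because the origin in the address bar is simply not the one the credential was stored under.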
 

Amelith Nargothrond

Something to think about: I use a password manager that fills out the forms for me. If I hit a fake PayPal site, my password manager is not going to fill out the login page for me, is it? No, because the URL that the password manager has won't match the URL in the address bar.

Hopefully not, unless it has a bug of dinosaur dimensions :p
 

Bot

Let's Encrypt, a free and open Certificate Authority, has issued close to 15,000 certificates containing the term "PayPal" for phishing sites.

The discovery was made by encryption expert Vincent Lynch, who says 96.7% of the 15,270 security certificates featuring the term "PayPal" issued by Let's Encrypt in the past year have been for phishing sites. The highest density of certificates was issued starting in November 2016, data shows.

Let's Encrypt hasn't been around for very long. In fact, it entered public beta back in December 2015 and was out of beta by April. The idea behind the service is to encrypt websites and serve them over TLS in order to protect users' data from eavesdroppers. The point of these certificates is to reassure visitors of the webpages that the sites are safe.

Read more: Let's Encrypt Hands Out 15,000 Fraudulent Security Certificates to Phishers
 

Ink

No checks were made, appalling. "Let's Encrypt" is not reassuring, but assisting criminal activities.
 

Danielx64

I wonder if startssl.com has the same issue as well, since they also give free SSL out too.
 
