14,766 Let's Encrypt SSL Certificates Issued to PayPal Phishing Sites

Solarquest

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
During the past year, Let's Encrypt has issued a total of 15,270 SSL certificates that contained the word "PayPal" in the domain name or the certificate identity.

Of these, approximately 14,766 (96.7%) were issued for domains that hosted phishing sites, according to an analysis carried out on a small sample of 1,000 domains, by Vincent Lynch, encryption expert for The SSL Store.

Security experts have warned of Let's Encrypt abuse
Lynch's analysis comes to confirm some of the fears voiced as early as 2015, around Let's Encrypt's early launch phase.

Encryption and infosec experts warned that by providing free SSL certificates; phishers, tech support scammers, and other malware authors would flock to obtain free certificates and move their operations on HTTPS domains.

The first of these security incidents was a malvertising campaign that used Let's Encrypt certs, unearthed by Trend Micro in January 2016. Since then, there have been isolated cases, here and there, but nothing to hint at a mass abuse. Nevertheless, security researchers started spotting more and more of Let's Encrypt's certificates on malicious sites.

Phishers started abusing Let's Encrypt certs last year

......
 
  • Like
Reactions: giants8058, BugCode, shukla44 and 6 others
Danielx64

Danielx64

Level 10
Verified
Well-known
Mar 24, 2017
481
Amelith Nargothrond said:
Care to share your experience? Thanks!
Click to expand...
I never used Let's Encrypt's certificates and I don't intend to. From what I been told (and I not checked myself) that Let's Encrypt's cert bot or whatever the system is calls home several times a minutes to an unknown IP address and send data to an unknown server.

Those who work on opensource projects (Like I do) can get a free SSL cert from:

SSL Certificate | Free Open Source Certificates - GoDaddy au

Free SSL Certificate for Open Source Projects
 
  • Like
Reactions: shukla44 and Amelith Nargothrond
Amelith Nargothrond

Amelith Nargothrond

Level 12
Verified
Top Poster
Well-known
Mar 22, 2017
587
Danielx64 said:
I never used Let's Encrypt's certificates and I don't intend to. From what I been told (and I not checked myself) that Let's Encrypt's cert bot or whatever the system is calls home several times a minutes to an unknown IP address and send data to an unknown server.

Those who work on opensource projects (Like I do) can get a free SSL cert from:

SSL Certificate | Free Open Source Certificates - GoDaddy au

Free SSL Certificate for Open Source Projects
Click to expand...

I'm guessing Google, Microsoft and the others would not have granted the "secure, trusted" tag for Let's Encrypt if it would not be.. well, secure. Just my thoughts on this. I mean look at the Symantec punishment...

Thanks for sharing the other two!
 
  • Like
Reactions: frogboy
Danielx64

Danielx64

Level 10
Verified
Well-known
Mar 24, 2017
481
Amelith Nargothrond said:
I'm guessing Google, Microsoft and the others would not have granted the "secure, trusted" tag for Let's Encrypt if it would not be.. well, secure. Just my thoughts on this. I mean look at the Symantec punishment...

Thanks for sharing the other two!
Click to expand...
You are welcome :) Just remember that those 2 are for opensource projects only. (I don't want people to try and get one of those and come back crying because they couldn't).
 
  • Like
Reactions: Amelith Nargothrond and frogboy
jamescv7

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Remember that HTTPS does not mean secure at all, sometimes it can be also a tool to lure using Man-in-the Middle attack scheme to gather information without user acknowledgement.

So definitely a thorough analysis on the websites we surf everyday; phishing are also smart enough to copy the same looking content for data stealing.
 
  • Like
Reactions: shukla44
Danielx64

Danielx64

Level 10
Verified
Well-known
Mar 24, 2017
481
jamescv7 said:
Remember that HTTPS does not mean secure at all, sometimes it can be also a tool to lure using Man-in-the Middle attack scheme to gather information without user acknowledgement.

So definitely a thorough analysis on the websites we surf everyday; phishing are also smart enough to copy the same looking content for data stealing.
Click to expand...
Something to think about, I use a password manager that will fill out the forms for me. If I hit a fake paypal site, my password manager not going to fill out the login page for me is it? No because the URL that the password manager has won't match the URL in the address bar.
 
Amelith Nargothrond

Amelith Nargothrond

Level 12
Verified
Top Poster
Well-known
Mar 22, 2017
587
Danielx64 said:
Something to think about, I use a password manager that will fill out the forms for me. If I hit a fake paypal site, my password manager not going to fill out the login page for me is it? No because the URL that the password manager has won't match the URL in the address bar.
Click to expand...

Hopefully not, unless it has a bug of dinosaur dimensions :p
 
Bot

Bot

AI-powered Bot
Verified
Apr 21, 2016
3,508
let-s-encrypt-hands-out-15-000-fraudulent-security-certificates-to-phishers.jpg


Let's Encrypt, a free and open Certificate Authority, has issued close to 15,000 certificates containing the term "PayPal" for phishing sites.

The discovery was made by encryption expert Vincent Lynch, who says 96.7% of the 15,270 security certificates featuring the term "PayPal" issued by Let's Encrypt in the past year have been for phishing sites. The highest density of certificates was issued starting in November 2016, data shows.

Let's Encrypt hasn't been around for very long. In fact, it entered public beta back in December 2015 was out of beta by April. The idea behind the service is to encrypt websites and serve them over TLS in order to protect users' data from eavesdroppers. The point of these certificates is to reassure visitors of the webpages that the sites are safe.

Read more: Let's Encrypt Hands Out 15,000 Fraudulent Security Certificates to Phishers
 
Last edited by a moderator:
Ink

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
No checks were made, appalling."Let's Encrypt" is not reassuring, but assisting criminal activities.
 
  • Like
Reactions: Danielx64
Danielx64

Danielx64

Level 10
Verified
Well-known
Mar 24, 2017
481
I wonder if startssl.com has the same issue as well since they also give free SSL out too
 
You must log in or register to reply here.

Similar threads

silversurfer
    • Like
Hundreds of eBike phishing sites abuse Google Ads to push scams
Replies
0
Views
816
News Archive
silversurfer
silversurfer
HReview
    • Like
    • Applause
US NSA urged Sysadmins to Abandon Outdated Versions of TLS
Replies
0
Views
921
News Archive
HReview
HReview
Gandalf_The_Grey
    • Like
    • Applause
    • Thanks
Advice Request You Probably Don't Need a VPN
Replies
5
Views
2,019
VPN and DNS
xtrazone
X

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top