In just one month, fraudsters were able to get the official SSL security ‘padlock' seal of approval for hundreds of fake websites impersonating banks and other companies, partly because the checks on them were minimal or non-existent.
According to Bath-based internet services provider Netcraft, during August sites purporting to be the official domains of PayPal, Halifax Bank and others managed to get SSL security clearance from the likes of CloudFlare, Symantec and GoDaddy.
Netcraft internet services developer Graham Edgecombe warned in a 12 October blog: “Consumers have been trained to ‘look for the padlock' in their browser before submitting sensitive information to websites, such as passwords and credit card numbers. However, a displayed padlock alone does not imply that a site using TLS (the successor to SSL) can be trusted, or is operated by a legitimate organisation.”
Fake sites that Netcraft found being used in phishing campaigns included ‘halifaxonline-uyk.com' and ‘emergencypaylap.net'. Netcraft also noted the plausible-looking site ‘natwestnwolb.co.uk' impersonating NatWest's online banking service, when the real site's name is ‘nwolb.com'.
Edgecombe highlighted the problem that fraudsters can obtain low-level Domain Validated (DV) SSL authentication – and the right to display the padlock – with only minimal ID checks and sometimes at no cost.
He said one certificate authority (CA), CloudFlare, which provides free ‘Universal SSL' certification in partnership with Comodo, ”is a hotspot for deceptive certificates, accounting for 40 percent of SSL certificates used by phishing attacks with deceptive domain names during August”.
He added: “CloudFlare's flexible SSL option also appeals to fraudsters, offering a padlock in victims' browsers without the need for attackers to set up SSL on their web servers.
“Comodo offers free 90-day certificates, which have been used by a number of SSL phishing attacks. Symantec also offers free 30-day certificates through its GeoTrust brand. The short validity periods are ideal for fraudsters as phishing attacks themselves typically have short lifetimes.”
Edgecombe also pointed out that Let's Encrypt is planning to offer free, automatically-issued DV certificates later in 2015.
He told SCMagazineUK.com that the problem of fake SSL certificates is not new, but price competition between CAs means the cost and levels of checks on certificates have fallen, while the quality of phishing sites has risen, putting online consumers at greater risk.
Edgecombe explained: “The tech industry has been telling users for years, if you want to enter credit card information on a website make sure it's got a padlock, make sure it's using SSL. But now anyone can go and get an SSL certificate for £5 or so, using minimal information, but it's verified.
“All the CA will check is that you own the domain name, and that's it. Some of them don't even check that the domain may be misused. One of the rules imposed on certificate authorities is they have to give additional scrutiny to domain names that may be used for fraudulent purposes, but these rules are quite vague.”