Dozens of phony SSL certificates were discovered this week mocking legitimate certs from banks, e-commerce sites, ISPs and social networks. If a user stumbled over one of the bogus certificates on a mobile device it could put them at risk for a man-in-the-middle attack.

Disguised as official certificates from Google, Facebook, GoDaddy, YouTube and iTunes, just to name a few, the certs aren’t signed, so it’s unlikely they’ll dupe anyone using a conventional browser. Still though, Netcraft, the British security firm that wrote about the fake certificates yesterday on its blog, is sounding the alarm for users who frequently use apps or other non-browser software to access the Internet that may not check the legitimacy of SSL certificates.

While the attacker would have to be on either the same network as the victim, or sharing the same internet connection to carry out such an attack, that hasn’t stopped the certificates from spreading.

Netcraft broke down a handful of them, describing each one’s intentions Wednesday.

For starters a Google certificate the group found is being served by a machine in Romania and claims to have been issued by the America Online Root Certification Authority 42, a non-existent authority trying to pass itself off as America Online. Netcraft rationalizes the certificate could be aimed at executing an attack against “a multitude of Google services”

Another certificate was found impersonating GoDaddy’s POP mail server, something that according to Netcraft, could allow capturing mail credentials, issuing password resets and stealing sensitive data.

Elsewhere a fake YouTube cert was spotted blocking access to the site for Pakistani citizens, a forged iTunes cert was discovered – potentially for use in a scam, and a fake Facebook cert was found redirecting users to a phishing site.

Netcraft notes that the Facebook app is safe from attacks using this particular fake certificate because it “properly validates SSL certificates and also uses certificate pinning to ensure that it is protected against fraudulently issued certificates.”

Netcraft also found fake certificates pretending to come from Russia’s second largest bank, Svyaznoy Bank and a large Russian payment provider, KIWI International Processing Services.

Paul Mutton, an online security expert with Netcraft, points out several recent studies that suggest mobile websites may be more vulnerable to attacks using these vectors than previously thought.

Either a lack of certificate checks or broken SSL certificate validation has plagued Amazon’s EC2 Java Library, Amazon/PayPal’s merchant SDKs and shopping carts like osCommerce and ZenCart, along with Steam.

Netcraft also points out that 40 percent of banking apps recently tested by IOActive didn’t properly “validate the authenticity of SSL certificates” presented to the server, according to research last month, making them a prime target for man-in-the-middle attacks.

Man-in-the-middle attacks are a type of Internet-eavesdropping attack wherein the attacker can gain access to, send and receive data meant to be sent to someone else.

In these cases an attacker would be able to eavesdrop on either the network or the connection to communicate with the user’s mobile device and sniff online banking traffic or credentials before they’re sent along to their final destination.

Categories: Web Security

Comments (2)

  1. John
    1

    Just sent GoDaddy a note and a screen grab of a Message from Outlook telling me that smtpout.where.secureserver.net is not a Valid Certificate – name mismatch. Outlook, I suppose by default highlights the “Continue” button on the pop-up as opposed to “Cancel” -

    Reply
  2. bd
    2

    I am getting a certificate error on threatpost on my andrpid phone. It says the name doesnt match and when i view the site info it says something aboit linkedin and a png file?

    Reply

Leave A Comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>