SAN FRANCISCO – Thriving marketplaces for TLS certificates have emerged on the Dark Web, which are hawking the certs both as individual goods and packaged with an array of malware and other ancillary services.
The research, from Venafi, the University of Surrey and the Evidence-based Cybersecurity Research Group at the Andrew Young School of Policy Studies at Georgia State University, was released at the RSA Conference 2019 in San Francisco this week. It took a look at five representative markets on the Tor network: Dream Market, Wall Street Market, BlockBooth, Nightmare
Market and Galaxy3. It uncovered that all of them are essentially offering turn-key kits to cybercriminals who want to spoof websites, eavesdrop on encrypted traffic, perform man-in-the-middle attacks and steal sensitive data.
Legitimate TLS certificates allow adversaries to set up phishing and other malicious sites that look innocuous to security measures, meaning they can avoid being flagged by safe-browser software.
Researchers found extended validation certificates packaged with services to support malicious websites such as Google-indexed aged domains, after-sale support, web design services and even integration with a range of payment processors – including Stripe, PayPal and Square.
For instance, one vendor on the Wall Street Market sells the certificates, and provides the design of “trustworthy” e-commerce stores aimed to support the operation of online fraudulent activity.
“SSL certificates are mentioned second in the list of services offered by this vendor, along with ‘aged domains’ (i.e., websites that have been registered and active for a long period of time, which makes
the site appear to be more legitimate. SSL/TLS certificates and aged domains are used to convey trust to website visitors and search engines,” according to the report.
The analysis uncovered that at least one vendor on an underground market called BlockBooth promises to issue certificates from reputable Certificate Authorities along with forged company documentation – including D-U-N-S Numbers, which are unique nine-digit identification numbers that correspond to a physical location of a business.
The report explained that this package of products and services allows attackers to credibly present themselves as a trusted U.S. or U.K. company at an extremely affordable price point — less than $2,000.
Another vendor was seen offering full support in establishing a company’s identity in the U.K., in addition to all of the required legal documentation associated with the process. For $150, the client only needs to provide the company and owner names as well as some form of physical address. If buyers don’t have a physical address, the vendor offers to provide one for an extra $100.
“One very interesting aspect of this research was seeing TLS certificates packaged with wrap-around services – such as web design services – in order to give attackers immediate access to high levels of online credibility and trust,” said security researcher and report author David Maimon, associate professor and director of the Evidence-based Cybersecurity Research Group. “It was surprising to discover how easy and inexpensive it is to acquire extended validation certificates, along with all the documentation needed to create very credible shell companies without any verification information.”
Overall, the five markets were observed offering a steady supply of SSL/TLS certificates along with a range of related services and products. Prices for certificates vary from $260 to $1,600, depending on the type of certificate offered and the scope of additional services, the analysis found.
One representative search of these five marketplaces uncovered 2,943 mentions for “SSL” and 75 for “TLS.” In comparison, there were just 531 mentions for “ransomware” and 161 for “zero days.” It was also evident that some marketplaces – such as Dream Market – appear to specialize in the sale of TLS certificates. In addition, researchers found that certificates are often packaged with other crimeware, including ransomware.
“This study found clear evidence of the rampant sale of TLS certificates on the Dark Net,” said Kevin Bocek, vice president of security and threat intelligence for Venafi. “TLS certificates that act as trusted machine identities are clearly a key part of cybercriminal toolkits – just like bots, ransomware and spyware. There is a lot more research to do in this area, but every organization should be concerned that the certificates used to establish and maintain trust and privacy on the internet are being weaponized and sold as commodities to cybercriminals.”
Follow all of Threatpost’s RSA Conference 2019 coverage by visiting our special coverage section.