The modus operandi for phishing attacks is straightforward: thieves spam out legitimate-looking messages with malicious links that, when clicked, dupe the victim into giving up passwords, credit card numbers and the like.
When they set up their sites, crooks need SSL certificates if their pages are to show the same https:// and padlock as the real thing, and for the most part there’s no stopping them from getting one. Just as people fall for fake sites that look like something from their bank or HR department, the certificate provider has no reliable way to tell a legitimate applicant from a fraudulent one: a domain-validated certificate attests only that the applicant controls the domain name in it, not who they are or what they will host there.
Such is the case with Let’s Encrypt, a free, automated certificate authority that has issued 15,270 certificates containing the string “PayPal”, the overwhelming majority of them to sites used for phishing.
PayPal a big target
SSL Store encryption expert Vincent Lynch has been watching it happen and asked Let’s Encrypt to stop issuing certificates containing the term “PayPal”. But in a blog post, he said the problem persists:
PayPal is a high-value target and Let’s Encrypt had already issued nearly 1,000 certificates containing the term PayPal, more than 99% of which were intended for phishing sites. With expanded research, we found our previous claim was a major underestimate. Let’s Encrypt has actually issued 15,270 PayPal certificates. This reveals the previously unknown extent of the Let’s Encrypt phishing phenomenon.
Assuming that current trends continue, he said Let’s Encrypt will issue 20,000 additional “PayPal” certificates by year’s end. Since its inception, Let’s Encrypt has taken a hands-off approach when it comes to issuing and revoking certificates because doing so runs counter to its goal of encrypting every website it can.
Lynch acknowledged that, and said his reason for writing the warning was to show how popular the use of SSL is on phishing sites:
If Let’s Encrypt will issue upwards of 35,000 “PayPal” certificates by the end of 2017, there are likely tens of thousands more targeting other popular sites and services. The security community, and internet users at large, should be aware of the extent of this activity.
Whose responsibility is it, anyway?
The big question in this situation is who bears responsibility for thwarting phishers. Let’s Encrypt’s policy is clear. From the website:
Deciding what to do here has been tough. On the one hand, we don’t like these sites any more than anyone else does, and our mission is to help build a safer and more secure Web. On the other hand, we’re not sure that certificate issuance (at least for Domain Validation) is the right level on which to be policing phishing and malware sites in 2015. This post explains our thinking in order to encourage a conversation about the CA ecosystem’s role in fighting these malicious sites.
In the final analysis, the organization says, certificate authorities are not well positioned to run anti-phishing and anti-malware operations:
They simply do not have sufficient ongoing visibility into sites’ content. The best CAs can do is check with organizations that have much greater content awareness, such as Microsoft and Google. Google and Microsoft consume vast quantities of data about the Web from massive crawling and reporting infrastructures.
In an email exchange, Let’s Encrypt executive director Josh Aas said a blanket block on the word “paypal” would prevent legitimate use while doing little or nothing to stop phishing and malware sites.
Naked Security has written about phishing at length, and the conclusion is usually that the fight rests with individual companies, employees and consumers.
To that end…
What companies should be doing
Since phishing is one of the easier ways for an attacker to steal a company’s sensitive information, the defense must start with the people who receive the messages.
To help raise awareness, security vendors have offered a number of products and services companies can use to launch simulations – essentially phishing fire drills — which can show employees up close how easy it is to be duped by social engineering. For Sophos customers, that product is Phish Threat.
Security awareness programs are not new, and some security experts have questioned their effectiveness, since users continue to make the same mistakes. Sophos’ response has been that simulations give awareness programs more teeth. The more employees get caught on the phishing hook during a simulation, the less likely they are to forget the lesson.
Though such simulations are an effective way to raise awareness, companies need to follow that up with concrete instructions to help employees stay above the fray.
What consumers should be doing
For consumers, we’ve repeatedly suggested the following:
- Be careful what you click. This one is painfully obvious, but users need a constant reminder.
- Check the address bar for the correct URL. The address bar in your web browser uses a URL to find the website you are looking for. The web address usually starts with either HTTP or HTTPS, followed by the domain name. The real websites of banks and many others use a secure connection that encrypts web traffic, called SSL or HTTPS. If you are expecting a secure HTTPS website for your bank, for example, make sure you see a URL beginning with https:// before entering your private information. Then read the domain name itself, right up to the first slash: https://paypal.example.com is an encrypted connection to example.com, not to PayPal, and that is exactly the sort of name the certificates counted above were issued for.
- Look for the padlock for secure HTTPS websites. A secure HTTPS website has a padlock icon to the left of the web address. Bear in mind what the padlock does and does not prove: it means your connection to the site named in the address bar is encrypted and that whoever controls that domain obtained a certificate for it. It does not mean the site belongs to the company it imitates, which is why the phishing sites described above get a padlock too.
- Consider using two-factor authentication for more security. When you try to log into a website with two-factor authentication (2FA), there’s an extra layer of security to make sure it’s you signing into your account.
Aas added this suggestion as well:
Use Google Safe Browsing, Microsoft SmartScreen, or some other safe browsing program. Those programs have vast resources devoted to consuming and evaluating content, and they can issue warnings and blocks very effectively.
Will
Doesn’t this issue suggest that consumers should rely more on “be careful what you click” and less on the second two tips? The scary part for me about this issue is that we’ve almost programmed people that if you see the green check mark or “https” you’re generally OK. At least with respect to PayPal sites, that’s clearly not true anymore. You have to scrutinize the URL (assuming you know exactly what it should be) and the details of the cert, or use a web filter of some sort to tell you that the site is indeed legitimate.
Bill Brenner
Hi, Will. Good question, and certainly one I wrestled with. Despite the nature of this particular problem, I included the other tips as well because — even if they don’t ensure safety as well as we thought, they will still help in many cases.
Mike
So, to follow-up to Will’s question: is there something new/extra people could be doing to avoid getting caught by these misleading/fake SSL certificates? e.g. what to look for when inspecting the certificates or something like that?
woalk
Banking sites usually have Class 3 certificates: a big, green bar next to the lock icon that says “PayPal, Inc.” or similar. This cannot be phished with Let’s Encrypt; it is only given to legitimate companies. So everyone should keep an eye on whether that is in their address bar or not.
Will
Maybe the real opportunity is on the browser side…if we start saying that encrypted/secure sites are “table stakes” on the net these days, then that might just have a basic security icon/color for those sites with a Let’s Encrypt cert that takes very little to get. Those that have certs requiring monetary investment AND a more stringent validation get the extra visuals (green color and lock icon)?
Maybe that’s what woalk is referencing below with different classes of certs. I plan on looking in to that – thanks!
Mahhn
With so many certs issued to scam sites, are we going to find out in the long run that Let’s Encrypt, just like some stresser businesses, are the same people doing the scams? I would expect a PayPal cert would have to be approved by PayPal.. but I guess not…. Smells phishy to me.
Can people just buy a certificate that says they are a (government, financial institution, healthcare provider) and just get one? Because I want one that says I’m the ruler of earth, and all UFOs must register (large fee) with me for approval to visit my planet.
rigowebs
If you own ‘iamruleroftheearth.com’, then yes. Yes, you can get an SSL certificate for that site.
naerymdan
All of those ‘misissued’ certificates are for domains the phishers actually own and for which Compromise, Symantec, or any other would be more than happy to issue wildcard certificates.
It’s not like LetsEncrypt issued PayPal.com or anything.
The real issue to me is that we have tied encryption of the communication with identity verification. If you don’t want passwords in plain text then you either have the horrible ‘warning possible hack’ page or you pay $300 to Verisign? No thanks.
rigowebs
The article makes it seem that Let’s Encrypt isn’t doing its job. However, it’s not their job to check the contents of the page, but rather to ensure the connection is encrypted and secure. The onus is on the customers to ensure they know what they are clicking on, not on Let’s Encrypt.
G H
OK, aside from the irony of stating SSL certs are being blindly issued to phishing sites but that we should trust the green padlock…
Does Let’s Encrypt provide a feed of SSL certificates that have been issued and their domains, so that those responsible for security can be a bit more proactive about blocking suspect sites?
Paul Ducklin
Yes, Let’s Encrypt records all its issued certificates to public Certificate Transparency logs:
https://letsencrypt.org/certificates/
You can read more about Certificate Transparency here:
https://nakedsecurity.sophos.com/2013/01/08/the-turktrust-ssl-certificate-fiasco-what-happened-and-what-happens-next/
Note that these aren’t really “PayPal certificates”, as SSLStore (a paid-certificate issuer itself) rather cheekily describes them. They are, as we say in the article, “certificates with the text string paypal in them somewhere”, such as paypal DOT example DOT com.
(For example, the fact that Sophos owns a certificate for nakedsecurity DOT sophos DOT com is an entitlement because we own the right to use the top level domain sophos DOT com. It doesn’t invite you to infer we are a company called Naked Security.)
I can see why it might help for Let’s Encrypt to ban the string “paypal” in certificate domain names…
…but where to draw the line? Do you prevent any domain that has *anyone* else’s company name in there somewhere as a substring? If not, wouldn’t that be unfair to everyone else? For example, if you refuse to issue paypal DOT example DOT com, surely you also ought to block sophos DOT example DOT com, or even paypal-advice DOT example DOT com?
Companies are allowed to put strings like “paypal” into the right-hand part of a URL (after the slash), after all, and no one is talking about banning that practice, even though it’s been a staple of phishers for ages.
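A concrete version of the feed check G H asked about, and of Paul Ducklin’s point that “paypal” turning up as a substring is not the same as PayPal owning the name, as an added example that is not the article’s, SSL Store’s or Let’s Encrypt’s code: given hostnames read from a Certificate Transparency log (a constructed sample is embedded below; a real run would pull names from a log’s entries or from a search front end such as crt.sh), it reduces each name to its registrable domain and separates names the brand actually owns from names that merely contain the string. The public-suffix table and the list of PayPal-owned domains are assumptions for the example, not authoritative data.

```python
"""Sort CT-log names into 'owned by the brand' vs 'merely contains the brand'.

Added example (not from the article, SSL Store or Let's Encrypt). The names
below are a constructed sample standing in for entries read from a
Certificate Transparency log; the public-suffix table and the set of
brand-owned domains are assumptions, not authoritative data.
"""
import re

BRAND = "paypal"
# Assumption: the registrable domains the brand owns. A real deployment
# would maintain this list from the company's own domain inventory.
BRAND_OWNED = {"paypal.com", "paypal.co.uk"}

# Hypothetical stand-in for the Public Suffix List (publicsuffix.org), which
# a real check would load in full.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

_LABELS_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z0-9-]+$")


def registrable_domain(hostname):
    """Reduce a certificate name to its registrable domain (eTLD+1).

    A leading wildcard label is dropped first. Returns None when the name is
    not a hostname or is itself a public suffix.
    """
    host = hostname.strip().lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    if not _LABELS_RE.match(host):
        return None
    labels = host.split(".")
    # Try the longest candidate suffix first, as the Public Suffix List rules do.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def classify(name):
    """Verdict for one name taken from a certificate's subject alternative names."""
    reg = registrable_domain(name)
    if reg is None:
        return "invalid"
    if reg in BRAND_OWNED:
        return "owned"       # www.paypal.com: the brand's own certificate
    if BRAND in name.lower():
        return "lookalike"   # paypal.example.com: somebody else's domain
    return "other"


def scan(names):
    """Group a batch of names by verdict; lists are sorted for stable output."""
    groups = {"owned": [], "lookalike": [], "other": [], "invalid": []}
    for name in names:
        groups[classify(name)].append(name)
    return {k: sorted(v) for k, v in groups.items()}


# Constructed sample, not real log data.
SAMPLE_CT_NAMES = [
    "www.paypal.com",                  # legitimate
    "login.paypal.co.uk",              # legitimate, two-label public suffix
    "paypal.example.com",              # brand as a subdomain label
    "paypal-advice.example.com",       # brand inside a label
    "secure-paypal-login.net",         # brand in the registrable domain itself
    "paypal.com.account-verify.org",   # real domain used as a prefix
    "*.paypal-secure.com",             # wildcard on a lookalike domain
    "nakedsecurity.sophos.com",        # unrelated
    "not a hostname",
]

if __name__ == "__main__":
    for verdict, names in scan(SAMPLE_CT_NAMES).items():
        print(f"{verdict:9s} {len(names):2d}  {', '.join(names)}")
```

The “lookalike” bucket is a review queue, not a block list: as Ducklin notes, paypal-advice.example.com may be perfectly legitimate, so a person (or a second signal such as Safe Browsing) has to decide. The check also only catches names that contain the brand string verbatim; typo and homoglyph names need a separate fuzzy comparison.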
Mahhn
Something like this should be reviewed by the issuer for suspected fraud. In banking there are very many things that auto raise flags that are then reviewed by a person. Like someone writing a check to Prince Ubidubido in Niger for $500k, when they have a history of only paying bills. Fully automated certs sales just destroys the credibility of certs all together.
Anonymous
One thing I wish this article had discussed is Extended Validation. Browsers purposely display these certificates differently than others. These certificates do come with some validation of who is requesting them.
The certificates that Let’s Encrypt issues only tell you that you’re talking to one website without eavesdropping. They tell you nothing about the website you’re talking to. EV certs do tell you something about that.
GordonJ
One of the big issues here is that financial companies get us used to seeing different unrelated URLs for their services, so they are easy for phishers to fake. MBNA.co.uk for example: when you click on “login” you get taken to bankcardservices.co.uk. So why would people be suspicious of, say, cardservices.co.uk?
Pieterjan
This is absolutely not a Let’s Encrypt related problem.
The job of a Certificate Authority is to verify a website/server.
To issue a domain-validated certificate, the job means verifying if the person requesting the certificate:
– has control over the domain name
– has control over the server
– has its RSA encryption mechanism set up correctly
Let’s Encrypt meets all these requirements and therefore is trusted by all major web browsers.
If a visitor wants to be sure if the website he visits actually belongs to a specific organisation/company? That’s what Organisation Validated/Extended Validated certificates are for.
To obtain such a certificate, the requesting party also has to prove that it:
– actually possesses the company
Only if this additional check is met, the CA can issue an Organisation Validated/Extended Validated certificate.
Besides, if someone wants to host a fraudulent website where visitors are scammed for a total of 1 million dollars, and therefore wants an SSL certificate, he will ABSOLUTELY NOT CARE about spending a measly 90 € for an SSL certificate from Comodo.
The only thing that needs to happen in today’s world is to make sure visitors understand the difference between those 3 types of certificates.
’Cause clearly, you don’t understand.
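Pieterjan’s list of what domain validation checks is easiest to see in code. The following is an added example, not Let’s Encrypt’s code and not any commenter’s: it simulates the CA side of the HTTP-01 challenge from RFC 8555 (one of the challenge types Let’s Encrypt supports), with the key authorization built from the account key’s RFC 7638 thumbprint. The account key is a synthetic JWK with a made-up modulus, and the dictionary standing in for the web is constructed for the example. It shows why a request for paypal.example.com passes when the requester runs example.com, and why the same requester cannot pass for www.paypal.com: nothing in the check asks who the applicant is or what the site will serve.

```python
"""Simulate the CA side of an ACME HTTP-01 domain-validation check.

Added example (not Let's Encrypt's code). Follows RFC 8555 section 8.3 and
RFC 7638 (JWK thumbprint). The account key is a synthetic JWK with a made-up
modulus, and `web` is a dict standing in for the public internet.
"""
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 of the required members only, sorted, no whitespace.

    Optional members such as "kid" or "alg" do not change the result.
    """
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' thumbprint: the string the web server must publish."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def new_token() -> str:
    """Challenge token: at least 128 bits of entropy, base64url (RFC 8555)."""
    return b64url(secrets.token_bytes(32))


def challenge_path(token: str) -> str:
    return f"/.well-known/acme-challenge/{token}"


def http01_validate(domain: str, token: str, account_jwk: dict, web: dict) -> bool:
    """What the CA checks: does the host answer with the right key authorization?

    `web` maps (hostname, path) to a response body; a real CA performs an HTTP
    GET from several vantage points and follows redirects. Nothing here looks
    at who the applicant is or what the site will serve afterwards.
    """
    body = web.get((domain, challenge_path(token)))
    if body is None:
        return False
    expected = key_authorization(token, account_jwk).encode("ascii")
    return secrets.compare_digest(body.strip(), expected)


# Synthetic account key: the "modulus" is just bytes 1..32, not a real RSA key.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(bytes(range(1, 33)))}


def demo() -> dict:
    """Issuance attempt by someone who runs example.com but not paypal.com."""
    token = new_token()
    authz = key_authorization(token, ACCOUNT_JWK)
    # The requester can publish the file on any host under example.com ...
    web = {("paypal.example.com", challenge_path(token)): authz.encode() + b"\n"}
    # ... but has nothing to put on PayPal's servers.
    return {
        "paypal.example.com": http01_validate("paypal.example.com", token, ACCOUNT_JWK, web),
        "www.paypal.com": http01_validate("www.paypal.com", token, ACCOUNT_JWK, web),
    }


if __name__ == "__main__":
    for host, ok in demo().items():
        print(f"{host:22s} {'validated' if ok else 'failed'}")
```

The thumbprint binds the published file to the ACME account that asked for the challenge, so a stray file left on a server by someone else does not validate; the constant-time comparison is the usual habit for comparing secrets, even though the token here is public. Everything a DV certificate says is contained in that one round trip.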
Pingu
Once again “the bad folk” have got ahead of “the good folk” (© G W Bush).
The “good folk” have made us believe that the green padlock means you are connected to a “certified website” – when it does not! And the “bad folk” are exploiting that.
It is no good having a “certified communication channel” if it just securely connects you to the bad folk!
Randall
As others have pointed out, Extended Validation exists and it’s a good solution. PayPal, banks, etc, can pay extra for a more involved verification process and their customers can see a green bar or whatever, while personal servers and such can be properly encrypted for little or no expense.