Thursday, May 18, 2017



CYBR650
Week 10



Let’s Encrypt Issues Fraudulent “PayPal Certificates

Let’s Encrypt is a company that offers free Certificate Authority (CA) certificates allowing websites the ability to use Transport Layer Security (TLS) to protect users from eaves dropping thus protecting their in transit data. The company was launched in December 2015 and was out of Beta testing in April 2016. Almost 15,000 fraudulent PayPal certificate were issue by Let’s Encrypt by November 2016, most used for Phishing attacks.

According to Ionut Arghire from Security Week magazine “Even before being launched, Let’s Encrypt fueled fears that it could be abused by cybercriminals for their nefarious purposes. What’s more, the CA claims that it is not its job to stop malicious sites from using its certificates, meaning that phishers can use its certificates without fearing they might be banned” (Arghire, 2017) With the easy access to the certificates fake PayPal CA’s are increasing monthly. It’s estimated that 2,530 were issued in December 2016, 3,995 in January 2017 and 5,101 in February 2017.

The number sound very alarming but according to Vincent Lynch an encryption expert “Phishing sites usually have a very short lifespan, mainly because they tend to be flagged and blocked rather fast, which explains why cybercriminals tend to register as many of them as possible. Making them look as legitimate as possible also helps these sites stay alive for longer. The various initiatives encouraging HTTPS are likely to appeal to phishers as well. There are a number of performance benefits (such as HTTP/2) only available to sites using HTTPS. In addition, sites using valid SSL certificates are given trusted UI indicators by browsers (the padlock icon in all browsers, the “Secure” label in Chrome) which make a phishing site look more legitimate,” (Arghire, 2017)


References


Arghire, I. (2017, Mar 27). Let's Encrypt Issues 15,000 Fraudulent "PayPal" Certificates Used for Cybercrime. Retrieved from Security Week: http://www.securityweek.com/lets-encrypt-issues-15000-fraudulent-paypal-certificates-used-cybercrime

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)