There is no dearth of compromised, fake and forged SSL/TLS certificates for sale on dark web markets, researchers have found.
TLS certificates are sold individually and packaged with a wide range of crimeware. Together these services deliver machine-identities-as-a-service to cybercriminals who wish to spoof websites, eavesdrop on encrypted traffic, perform man-in-the-middle attacks and steal sensitive data.
The results of the research
The researchers dove into online markets and hacker forums active on the Tor network, I2P and Freenet from October 2018 to January 2019 and searched for “for sale” ads of compromised, fake and forged TLS certificates. They conducted 16 weekly searches, discovering nearly 60 relevant market webpages on Tor and 17 on I2P. They reviewed the listings in detail and, in some cases, engaged in conversation with sellers to gain a better understanding of the goods and services being sold.
“One very interesting aspect of this research was seeing TLS certificates packaged with wrap-around services – such as web design services – in order to give attackers immediate access to high levels of online credibility and trust,” said security researcher and report author David Maimon, associate professor and director of the Evidence-based Cybersecurity Research Group. “It was surprising to discover how easy and inexpensive it is to acquire extended validation certificates, along with all the documentation needed to create very credible shell companies without any verification information.”
Key study findings include:
- Five of the Tor network markets observed offer a steady supply of SSL/TLS certificates, along with a range of related services and products.
- Prices for certificates vary from $260 to $1,600, depending on the type of certificate offered and the scope of additional services.
- Researchers found extended validation certificates packaged with services to support malicious websites such as Google-indexed “aged” domains, after-sale support, web design services, and integration with a range of payment processors – including Stripe, PayPal and Square.
- At least one vendor on BlockBooth promises to issue certificates from reputable Certificate Authorities along with forged company documentation – including DUNS numbers. This package of products and services allows attackers to credibly present themselves as a trusted US or UK company for less than $2,000. Because the certificate is issued by a legitimate CA against the forged paperwork, it chains to a trusted root and passes browser validation like any other EV certificate; the weakness being exploited is the CA’s identity vetting, not the cryptography.
One representative search of these five marketplaces uncovered 2,943 mentions for “SSL” and 75 for “TLS.” In comparison, there were just 531 mentions for “ransomware” and 161 for “zero days.”
Some marketplaces – such as Dream Market – appear to specialize in the sale of TLS certificates, effectively providing machine-identity-as-a-service products. In addition, researchers found that certificates are often packaged with other crimeware, including ransomware.
“This study found clear evidence of the rampant sale of TLS certificates on the dark net,” said Kevin Bocek, vice president of security and threat intelligence for Venafi.
“TLS certificates that act as trusted machine identities are clearly a key part of cybercriminal toolkits – just like bots, ransomware and spyware. There is a lot more research to do in this area, but every organization should be concerned that the certificates used to establish and maintain trust and privacy on the internet are being weaponized and sold as commodities to cybercriminals.”