{"id":3756,"date":"2017-03-20T15:30:07","date_gmt":"2017-03-20T19:30:07","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=3756"},"modified":"2021-06-11T14:59:08","modified_gmt":"2021-06-11T18:59:08","slug":"lets-encrypt-phishing","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/lets-encrypt-phishing\/","title":{"rendered":"PayPal Phishing Certificates Far More Prevalent Than Previously Thought"},"content":{"rendered":"<h2>Over 14,000 SSL Certificates issued to PayPal phishing sites.<\/h2>\n<p>Earlier this month I discussed <a href=\"https:\/\/www.thesslstore.com\/blog\/lets-encrypt-paypal\/\">the use of Let\u2019s Encrypt certificates on PayPal phishing<\/a> sites. In that article I asked Let\u2019s Encrypt to stop issuing certificates containing the term \u201cPayPal\u201d because of the high likelihood they would be used for phishing.<\/p>\n<p>That request stemmed from the fact that PayPal is a high-value target and that Let\u2019s Encrypt had already issued nearly 1,000 certificates containing the term \u201cPayPal,\u201d more than 99% of which were intended for phishing sites.<\/p>\n<p>With expanded research, we found our previous claim was a major underestimate. Let\u2019s Encrypt has actually issued 15,270 \u201cPayPal\u201d certificates. This reveals the previously unknown extent of the Let\u2019s Encrypt phishing phenomenon.<\/p>\n<h2>The Let&#8217;s Encrypt Phishing Connection<\/h2>\n<p>One of the primary fears voiced by critics of Let\u2019s Encrypt \u2013 a fear that predates the Certificate Authority\u2019s launch \u2013 was that the service would become the go-to CA for phishers because its SSL certificates were free. Let\u2019s Encrypt also has an unconventional stance on the role of the CA, arguing that it was not the CA\u2019s job to stop malicious sites from using its certificates. 
This meant that phishers and malware distributors were free to use Let\u2019s Encrypt without any risk of being banned or having their certificate revoked.<\/p>\n<p>Despite the concerns of many around the industry, Let\u2019s Encrypt\u2019s stance is in full compliance with industry standards. Regardless, that policy in combination with offering free certificates does create a very attractive environment for phishers.<\/p>\n<p>In my previous article I said Let\u2019s Encrypt had issued 988 certificates containing the word \u201cPayPal\u201d \u2013 for example, paypal.com.secure-alert.net. Typically, CAs would not issue certificates like this due to the likelihood they will be used to aid criminal activity.<\/p>\n<p>Of those 988, 99.5% of the certificates were being used (or had been used) for phishing. While this proved that there was widespread abuse, it was not at the scale many had expected when Let\u2019s Encrypt was first announced.<\/p>\n<p>We now have new data that captures the full extent of the \u201cPayPal\u201d certificates that have been issued by Let\u2019s Encrypt. This new data comes from <a href=\"https:\/\/crt.sh\/\" rel=\"nofollow\">crt.sh<\/a> \u2013 a search engine for certificate transparency logs \u2013 and reveals that the service has been significantly more popular with phishers than previously reported.<\/p>\n<p><strong>Between January 1<sup>st<\/sup>, 2016 and March 6<sup>th<\/sup>, 2017, Let\u2019s Encrypt has issued a total of <span style=\"text-decoration: underline;\">15,270<\/span> SSL certificates containing the word \u201cPayPal.\u201d<\/strong><\/p>\n<p>This figure is more than ten times larger than previous estimates that have been published. 
The vast majority of this issuance has occurred since November &#8211; since then Let\u2019s Encrypt has issued nearly 100 \u201cPayPal\u201d certificates per day.<\/p>\n<p>Based on a random sample, 96.7% of these certificates were intended for use on phishing sites.<\/p>\n<p>The internet is currently moving from HTTP to HTTPS, <a href=\"https:\/\/www.thesslstore.com\/blog\/not-secure-2017-time-get-ssl-https\/\">spurred by a number of initiatives to \u201cencrypt everything.\u201d<\/a> Encrypting <em>everything<\/em> includes the bad sites, and the widespread use of HTTPS on malicious sites has been a concern for some.<\/p>\n<p>For many years, the security industry as a whole incorrectly taught users to associate HTTPS and the green padlock with a \u201csafe\u201d site. This is a bad generalization, which may lead users to believe a phishing site is real if it is using SSL.<\/p>\n<p>In addition, Chrome\u2019s new UI displays \u201cSecure\u201d next to every site with a valid SSL certificate and HTTPS configuration. What\u2019s the chance that a user misconstrues the meaning of this and sees a phishing site as legitimate?<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-3759\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/03\/PayPalPhishing.png\" alt=\"PayPal Phishing, Let's Encrypt Phishing\" width=\"734\" height=\"106\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/03\/PayPalPhishing.png 734w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/03\/PayPalPhishing-300x43.png 300w\" sizes=\"auto, (max-width: 734px) 100vw, 734px\" \/><\/p>\n<p>While our research has focused on PayPal phishing, there are many other targets out there including Bank of America, Apple IDs, and Google. 
Let\u2019s Encrypt <a href=\"https:\/\/crt.sh\/?Identity=appleid%25&amp;iCAID=16418\" rel=\"nofollow\">has issued thousands more<\/a> of these certificates.<\/p>\n<p>This new data clearly shows that use of HTTPS on phishing sites is significantly higher than previously thought.<\/p>\n<h2>The Data<\/h2>\n<p>This section expands on our data and methodology.<\/p>\n<p><strong>Our Source<\/strong><\/p>\n<p>Let\u2019s Encrypt submits all of the certificates it issues into <a href=\"https:\/\/www.certificate-transparency.org\/\" rel=\"nofollow\">certificate transparency logs<\/a>, a mechanism designed to increase public transparency into the activities of CAs. The logs also act as an excellent source for researchers who want to analyze a CA and the SSL certificate ecosystem.<\/p>\n<p>Not all CAs log their certificates, as this is currently an optional practice (<a href=\"https:\/\/www.thesslstore.com\/blog\/google-chrome-certificate-transparency-2017\/\">though not for long<\/a>). Because Let\u2019s Encrypt voluntarily logs, it allows us to get very accurate data about its issuance activity.<\/p>\n<p>Last week we reported Let\u2019s Encrypt had issued 988 \u201cPayPal\u201d certificates. That figure came from the methodology used by previous works. Upon further research, we found that method was limited in scope and was capturing only a small portion of the population.<\/p>\n<p>Our new figure of 15,270 certificates comes from crt.sh, a Certificate Transparency search engine operated by <a class=\"wpil_keyword_link \" href=\"https:\/\/www.thesslstore.com\/comodo\/comodo-ssl-certificates.aspx\"  title=\"Comodo\" data-wpil-keyword-link=\"linked\">Comodo<\/a>. 
That is the total number of certificates issued by Let\u2019s Encrypt that contain the word \u201cPayPal\u201d somewhere in the certificate\u2019s identities (either a Common Name or a SAN) between March 25<sup>th<\/sup>, 2016 and March 6<sup>th<\/sup>, 2017 (our search covers all of 2016, but no matching certificates were issued until March). This is a sub-string search that includes all hostnames containing \u201cPayPal\u201d anywhere within the name.<\/p>\n<p>Such a complete search is not possible through crt.sh\u2019s website because of the scale of the query. Rob Stradling, who developed crt.sh, queried the database directly and provided me with this data upon request.<\/p>\n<p>To compare Let\u2019s Encrypt to other CAs, we ran the same search for the same date range for other CAs included in crt.sh\u2019s database. During the same time period, all other CAs combined issued 461 \u201cPayPal\u201d certificates that were potentially used for phishing sites. This number excludes results that could be confidently ruled out as legitimate sites and services operated by PayPal.<\/p>\n<p>Because many CAs do not participate in certificate transparency, their certificates only appear in a log if a third-party decides to log them. Thus it is likely some \u201cPayPal\u201d certificates issued by other CAs have not been logged and therefore not counted. However, I believe the number is fairly accurate, and even if we are very generous with our margin of error, all other CAs combined represent less than 1\/10<sup>th<\/sup> of Let\u2019s Encrypt\u2019s volume of PayPal phishing certificates. This shows that the use of SSL certificates on PayPal phishing sites is directly tied to Let\u2019s Encrypt\u2019s entry into the market.<\/p>\n<p><strong>Rate of Issuance<\/strong><\/p>\n<p>It took phishers some time to adopt Let\u2019s Encrypt as their CA of choice. 
Our search covered all certificates issued between January 1<sup>st<\/sup>, 2016 and March 6<sup>th<\/sup>, 2017.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-3765\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/03\/Number-of-Certs_Issued_Chart-168x300.png\" alt=\"PayPal phishing sites, Let's Encrypt phishing\" width=\"336\" height=\"600\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/03\/Number-of-Certs_Issued_Chart-168x300.png 168w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/03\/Number-of-Certs_Issued_Chart-768x1373.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/03\/Number-of-Certs_Issued_Chart-573x1024.png 573w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/03\/Number-of-Certs_Issued_Chart.png 1778w\" sizes=\"auto, (max-width: 336px) 100vw, 336px\" \/>Let\u2019s Encrypt has been issuing certificates since late 2015, when it was in public beta. However, the first Let\u2019s Encrypt phishing certificate for PayPal was not issued until March 25<sup>th<\/sup>, 2016. On the right is a per-month breakdown.<\/p>\n<p>The number of PayPal certificates increased substantially in November 2016. There does not appear to be any specific cause for the increase. It may simply be that it took some time for word to spread amongst the phishing communities and for technical expertise to be developed.<\/p>\n<p>The various initiatives encouraging HTTPS are likely to appeal to phishers as well. There are a number of performance benefits (such as HTTP\/2) only available to sites using HTTPS. In addition, sites using valid SSL certificates are given trusted UI indicators by browsers (the padlock icon in all browsers, the \u201cSecure\u201d label in Chrome) which make a phishing site look more legitimate.<\/p>\n<p>In November, more than 1,000 \u201cPayPal\u201d certificates were issued for the first time. 
That number doubled in the following month and has increased month over month since then. February of this year has seen the highest issuance yet, with more than 5,000 certificates.<\/p>\n<p>Since November, when the amount of activity significantly increased, more than 100 \u201cPayPal\u201d certificates have been issued per day, on average.<\/p>\n<p>Based on the data available so far, this month (March 2017) will be the first month-over-month decline since June 2016.<\/p>\n<p><strong>Prevalence of Phishing<\/strong><\/p>\n<p>We estimate that 96.7% of the 15,270 certificates were (or are) used for phishing (that\u2019s 14,766 certificates). Most phishing sites are quickly reported to their web hosts and detected by services such as Safe Browsing and subsequently taken offline. Once flagged as dangerous, a phishing site becomes useless. The majority of the sites are not currently conducting any activity.<\/p>\n<p>To determine the ratio of phishing sites vs. legitimate ones, we took a random sample of 1,000 certificates and reviewed them by hand. For the vast majority of certificates, the hostname made the purpose of the site clear. We avoided false positives by labeling sites as \u201clegitimate\u201d when we were unsure, and visited the sites when necessary.<\/p>\n<p>In our previously reported data we performed the same check on all the certificates. 
In that group of 988, only 4 of the sites were legitimate, giving us a phishing rate of 99.6%.<\/p>\n<p>In our new sample we found a phishing rate of 96.7%.<\/p>\n<p>Both cases show that nearly all \u201cPayPal\u201d certificates being issued by Let\u2019s Encrypt are intended for phishing, and legitimate users make up only a single-digit share.<\/p>\n<h2>Conclusion<\/h2>\n<p>Assuming that current trends continue, Let\u2019s Encrypt will issue 20,000 <strong>additional<\/strong> \u201cPayPal\u201d certificates by the end of this year.<\/p>\n<p>Let\u2019s Encrypt takes a hands-off approach when it comes to moderating issuance and revoking certificates, because such moderation does not fit with its goal of encrypting every website.<\/p>\n<p>We do believe there are valid reasons for that approach, but question its indiscriminate application. After publishing our previous article we had a great discussion with the community on our website and on social media. There were many good rebuttals to my request that Let\u2019s Encrypt blacklist \u201cPayPal\u201d, and we now think there are other viable solutions to this problem and other end goals to pursue.<\/p>\n<p>Our main goal in publishing these expanded figures is to show how popular the use of SSL is on phishing sites. If Let\u2019s Encrypt will issue upwards of 35,000 \u201cPayPal\u201d certificates by the end of 2017, there are likely tens of thousands more targeting other popular sites and services. The security community, and internet users at large, should be aware of the extent of this activity.<\/p>\n<p>The security community <a href=\"https:\/\/twitter.com\/verovaleros\/status\/832317541997494277\" rel=\"nofollow\">has previously speculated<\/a> about the use of SSL on malicious sites. We hope this data serves as early proof that there is widespread use, at least in the subcategory of phishing. 
Future studies of phishing should consider the potential benefits and appearance of legitimacy granted to phishing sites using HTTPS instead of HTTP.<\/p>\n\n","protected":false},"excerpt":{"rendered":"<p>Over 14,000 SSL Certificates issued to PayPal phishing sites. Earlier this month I discussed the use of Let\u2019s Encrypt certificates on PayPal phishing sites. In that article I asked Let\u2019s&#8230;<\/p>\n","protected":false},"author":2,"featured_media":3761,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[17],"tags":[145,305,166,467],"class_list":["post-3756","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-industry-lowdown","tag-lets-encrypt","tag-paypal","tag-phishing","tag-ssltls","post-with-tags"],"views":84113,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/03\/iStock-502558349.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/3756","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=3756"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/3756\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/3761"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blo
g\/wp-json\/wp\/v2\/media?parent=3756"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=3756"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=3756"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}