Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations //

Identity & Access Management

3/6/2019
07:40 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Dark Web Investigation Exposes Underground Marketplace for TLS/SSL Certificates

Venafi study uncovers thriving marketplaces for TLS certificates sold individually and packaged with a wide range of crimeware.

RSA Conference Booth 6359 — Venafi®, the leading provider of machine identity protection, today announced the first set of findings from an academic study of the availability of SSL/TLS certificates on the dark web, and their role in the cybercrime economy. The research, sponsored by Venafi and undertaken by researchers at the Evidence-based Cybersecurity Research Group at the Andrew Young School of Policy Studies at Georgia State University and the University of Surrey, uncovered thriving marketplaces for TLS certificates sold individually and packaged with a wide range of crimeware. Together these services deliver machine-identities-as-a-service to cybercriminals who wish to spoof websites, eavesdrop on encrypted traffic, perform man-in-the-middle attacks and steal sensitive data.

“One very interesting aspect of this research was seeing TLS certificates packaged with wrap-around services – such as web design services – in order to give attackers immediate access to high levels of online credibility and trust,” said security researcher and report author David Maimon, associate professor and director of the Evidence-based Cybersecurity Research Group. “It was surprising to discover how easy and inexpensive it is to acquire extended validation certificates, along with all the documentation needed to create very credible shell companies without any verification information.”

Key study findings include:

Five of the Tor network markets observed, offer a steady supply of SSL/TLS certificates, along with a range of related services and products.

Prices for certificates vary from $260 to $1,600, depending on the type of certificate offered and the scope of additional services.

Researchers found extended validation certificates packaged with services to support malicious websites such as Google-indexed “aged” domains, after-sale support, web design services, and integration with a range of payment processors – including Stripe, PayPal and Square.

At least one vendor on BlockBooth promises to issue certificates from reputable Certificate Authorities along with forged company documentation – including DUNS numbers. This package of products and services allows attackers to credibly present themselves as a trusted U.S. or U.K. company for less than $2,000.

One representative search of these five marketplaces uncovered 2,943 mentions for “SSL” and 75 for “TLS.” In comparison, there were just 531 mentions for “ransomware” and 161 for “zero days.” It was also evident that some marketplaces – such as Dream Market – appear to specialize in the sale of TLS certificates, effectively providing machine-identity-as-a-service products. In addition, researchers found that certificates are often packaged with other crimeware, including ransomware.

“This study found clear evidence of the rampant sale of TLS certificates on the dark net,” said Kevin Bocek, vice president of security and threat intelligence for Venafi. “TLS certificates that act as trusted machine identities are clearly a key part of cybercriminal toolkits – just like bots, ransomware and spyware. There is a lot more research to do in this area, but every organization should be concerned that the certificates used to establish and maintain trust and privacy on the internet are being weaponized and sold as commodities to cybercriminals.”

To download a copy of the report, please visit: https://www.venafi.com/TLS-Certificates-and-Their-Prevalence-on-the-Darknet

Research Design and Methodology

To accomplish the research objectives, researchers dove into online markets and hacker forums that were active on the Tor network, I2P and the Freenet from October 2018 to January 2019 and searched for “for sale” ads of compromised, fake and forged TLS certificates. During this period, the research team conducted 16 weekly searches, discovering nearly 60 relevant online markets webpage on Tor and 17 webpages on I2P. Researchers reviewed the listings in detail and, in some cases, engaged in conversation with sellers to gain a better understanding of the goods and services being sold.

About Venafi

Venafi is the cybersecurity market leader in machine identity protection, securing machine-to-machine connections and communications. Venafi protects machine identity types by orchestrating cryptographic keys and digital certificates for SSL/TLS, IoT, mobile and SSH. Venafi provides global visibility of machine identities and the risks associated with them for the extended enterprise – on premises, mobile, virtual, cloud and IoT – at machine speed and scale. Venafi puts this intelligence into action with automated remediation that reduces the security and availability risks connected with weak or compromised machine identities while safeguarding the flow of information to trusted machines and preventing communication with machines that are not trusted.

With over 30 patents, Venafi delivers innovative solutions for the world's most demanding, security-conscious Global 5000 organizations and government agencies, including the top five U.S. health insurers; the top five U.S. airlines; four of the top five U.S., U.K., Australian and South African banks; and four of the top five U.S. retailers. Venafi is backed by top-tier investors, including TCV, Foundation Capital, Intel Capital, QuestMark Partners, Mercato Partners and NextEquity.

For more information, visit: www.venafi.com.

About the Evidence-based Cybersecurity Research Group at the Andrew Young School of Policy Studies at Georgia State University

Cyber-dependent crimes have become a major concern for governmental, commercial, and financial institutions around the globe, as well as for private individuals who use computer technology and the internet for leisure, shopping, and work.

Extensive research has examined and proposed ways to prevent the development of cyber-dependent crimes. However, it is still unclear whether commonly used interventions can prevent online offenders from engaging in crimes like hacking, spreading malware, and launching Distributed Denial of Service attacks.

The Evidence-based Cybersecurity Research Group at the Andrew Young School of Policy Studies at Georgia State University seeks to produce empirical evidence and provide systematic reviews of existing empirical research regarding the potential effect of existing cyber security policies and tools in preventing the development and progression of cyber-dependent crimes.

For more information, visit: https://ebcs.gsu.edu

Contact: Shelley Boose [email protected] 408.398.6987

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17593
PUBLISHED: 2019-10-14
JIZHICMS 1.5.1 allows admin.php/Admin/adminadd.html CSRF to add an administrator.
CVE-2019-17594
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-17595
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-14823
PUBLISHED: 2019-10-14
A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to...
CVE-2019-17592
PUBLISHED: 2019-10-14
The csv-parse module before 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. The __isInt() function contains a malformed regular expression that processes large crafted input very slowly. This is triggered when using the cast option.