While extending HTTP encryption to many websites since it launched in public beta early December, Let’s Encrypt has also been used by cybercriminals to provide apparent legitimacy to malvertising attacks, according to Trend Micro.
A blog published Wednesday by Trend Micro fraud researcher Joseph C. Chen shows a malvertising campaign in the wild in late December in which a malicious actor created a subdomain of a legitimate website with a Let’s Encrypt certificate.
On Dec. 21, Trend Micro observed traffic being routed from users in Japan to a malvertising server, leading users to sites hosting the Angler Exploit Kit, which then downloaded a banking Trojan. Researchers believe it is a adaptation of a malvertising campaign targeting Japanese users identified in September, now incorporating “domain shadowing.”
Trend Micro, which is also a certificate authority, acknowledges the potential for abuse that any technology, including SSL, but says part of the problem in this case is the limitations of domain-validated certificates, as opposed to extended validation certificates, which require identity checks and could identify the subdomain as having a different owner.
“Let’s Encrypt only checks domains that it issues against the Google safe browsing API; in addition, they have stated that they do not believe CAs should act as a content filter,” says Chen. “Security on the infrastructure is only possible when all critical players – browsers, CAs, and anti-virus companies – play an active role in weeding out bad actors. CAs should be willing to cancel certificates issued to illicit parties that have been abused by various threat actors.”
Trend Micro also suggests that website owners can prevent this type of attack by ensuring their control panels are secure. Users can keep software up to date to limit vulnerability, and also be aware of the difference between declaring a site “secure” and “safe.”
The Internet Security Research Group (ISRG), which manages the Let’s Encrypt project, has taken the position that it is not appropriate for certificate authorities to police content. An ISRG representative said that the sites in question seemed to have been taken down, and it will not revoke certificates from domains flagged as malicious by Google after the fact, InfoWorld reports.