Malvertisers used a HTTPS certificate to trick users to download a trojan


by Ashwin, January 9, 2016

Yesterday, we reported on Ransom32, a ransomware-as-a-service offering and the first one written in JavaScript, which is being used to scare people into paying up.

Malvertising campaign used an HTTPS certificate

Today, we came across a rather interesting, yet shocking, report from Trend Micro about how some malvertisers are using an HTTPS certificate to trick users.

Malvertising, that is, malware delivered through online advertisements, is a serious problem. Google and Microsoft have stepped up their efforts to combat such threats: both companies updated their ad policies to strictly disallow malicious and misleading ads on their ad networks.

A popular online safety practice is to look for HTTPS. HTTPS is ordinary HTTP carried over an encrypted TLS connection, and it is what most personal services such as email, social networking, online banking and shopping use.

A web browser knows from the URL scheme whether a site is plain HTTP (unencrypted) or HTTPS; what it then verifies is the website's digital certificate, which binds the site's public key to its domain name and is signed by a certificate authority (CA) the browser trusts. Getting a certificate issued has traditionally cost money, which is one reason many websites never bothered.

You see the padlock icon next to the address bar and https in the URL, so the website is safe because it uses encryption, right? Not always, as Trend Micro has found. The padlock means your connection to that domain name is encrypted and the server holds the private key for a certificate issued for that name; it says nothing about who operates the site or what it serves.

Let's Encrypt is an SSL/TLS certificate authority that issues HTTPS certificates for free, unlike most CAs. At the time of writing it is still in beta, and it is backed by organisations such as the EFF, Facebook, Mozilla and Cisco, in a bid to make the internet more secure.

The problem is that Let's Encrypt issues only domain-validated (DV) certificates: it checks that the requester controls the domain name, not who the owner is. Verifying the owner's identity is what organisation-validated and extended validation (EV) certificates require. DV certificates can therefore be obtained for malicious sites, and that is exactly what has happened.

The attackers took control of a legitimate website's domain and created a sub-domain under it, which they used to obtain a certificate from Let's Encrypt. They then hosted a malvertising campaign on that sub-domain, redirecting visitors to sites carrying the Angler Exploit Kit, which in turn installed a banking Trojan on the user's PC to steal their online banking credentials.

Note that this is not Let's Encrypt's fault. It could happen with any issuer of domain-validated certificates, because domain validation only checks control of the name: a sub-domain under a legitimate, well-reputed domain passes that check just like any other.
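To make concrete what the padlock does and does not prove, here is an added example (not code from the article, from Trend Micro or from Let's Encrypt), written in Python with only the standard library. The two certificates are constructed samples in the dict shape that CPython's `ssl.SSLSocket.getpeercert()` returns; the hostnames use the reserved .example TLD and are not the real campaign's domains. The DV/OV/EV classification is a heuristic based on which identity fields the subject carries, because getpeercert() does not expose the certificatePolicies extension that states the level authoritatively; the hostname check follows the RFC 6125 rules browsers apply (SAN names only, wildcard allowed only as the whole leftmost label).

```python
# Added example (not from the article, Trend Micro or Let's Encrypt): what a
# TLS certificate attests. Standard library only; input dicts follow the shape
# of ssl.SSLSocket.getpeercert(). Both sample certificates are constructed.
import datetime
import ssl

# Constructed DV certificate like the one the article describes: issued for a
# sub-domain created under a compromised legitimate domain. Subject has only a
# commonName; no organisation was ever verified.
DV_CERT = {
    "subject": ((("commonName", "ads.legit-news.example"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),),
               (("commonName", "Let's Encrypt Authority X1"),)),
    "subjectAltName": (("DNS", "ads.legit-news.example"),),
    "notBefore": "Dec 30 00:00:00 2015 GMT",
    "notAfter": "Mar 29 00:00:00 2016 GMT",
}

# Constructed EV certificate of the kind banks buy: the identity fields in the
# subject are what a CA verifies for OV/EV and what a DV certificate lacks.
EV_CERT = {
    "subject": ((("businessCategory", "Private Organization"),),
                (("jurisdictionCountryName", "US"),),
                (("countryName", "US"),),
                (("organizationName", "Example Bank, N.A."),),
                (("commonName", "www.bank.example"),)),
    "issuer": ((("organizationName", "Example EV CA"),),),
    "subjectAltName": (("DNS", "www.bank.example"), ("DNS", "bank.example")),
    "notBefore": "Jan  1 00:00:00 2016 GMT",
    "notAfter": "Jan  1 00:00:00 2018 GMT",
}

# The article's date as a UTC timestamp, used as "now" for validity checks.
NOW = datetime.datetime(2016, 1, 9, tzinfo=datetime.timezone.utc).timestamp()

ATTESTS = {
    "DV": "requester proved control of the listed DNS names at issuance; "
          "nothing about who they are or what the site serves",
    "OV": "a CA verified the organisation in the subject exists and controls "
          "the listed names",
    "EV": "a CA verified the legal identity, registration and jurisdiction of "
          "the organisation in the subject",
}

def subject_fields(cert):
    """Flatten getpeercert()'s subject (a tuple of RDNs) into a dict."""
    return {k: v for rdn in cert.get("subject", ()) for (k, v) in rdn}

def san_dns_names(cert):
    """DNS names listed in the subjectAltName extension."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def validation_level(cert):
    """Heuristic DV/OV/EV classification. getpeercert() does not expose the
    certificatePolicies OIDs that state the level authoritatively, so this
    infers it from which identity fields the CA put into the subject."""
    s = subject_fields(cert)
    if "businessCategory" in s or "jurisdictionCountryName" in s:
        return "EV"
    return "OV" if "organizationName" in s else "DV"

def hostname_matches(hostname, pattern):
    """RFC 6125-style match: case-insensitive; a wildcard is allowed only as
    the entire leftmost label and matches exactly one label, so *.a.example
    matches x.a.example but neither a.example nor y.x.a.example; wildcards
    with fewer than two fixed labels (*.com) are refused."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat

def cert_matches_host(cert, hostname):
    """Browsers consult the SAN list only; a bare commonName is ignored."""
    return any(hostname_matches(hostname, n) for n in san_dns_names(cert))

def is_valid_at(cert, when_ts):
    """True if when_ts (seconds since the epoch) lies in the validity period."""
    return (ssl.cert_time_to_seconds(cert["notBefore"]) <= when_ts
            <= ssl.cert_time_to_seconds(cert["notAfter"]))

def assess(cert, hostname, when_ts=NOW):
    """Everything the browser padlock would vouch for, and nothing more."""
    level = validation_level(cert)
    return {
        "hostname_matches": cert_matches_host(cert, hostname),
        "in_validity_period": is_valid_at(cert, when_ts),
        "level": level,
        "organisation": subject_fields(cert).get("organizationName"),
        "attests": ATTESTS[level],
    }
```

Calling `assess(DV_CERT, "ads.legit-news.example")` reports that the name matches and the certificate is within its validity period, but the organisation is None and the only thing attested is control of that name at issuance, which is exactly what an attacker-created sub-domain gets. Calling it on the EV sample returns the verified organisation name. That difference is why a padlock on an ad landing page is not a signal of safety: the browser's check passes in both cases.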

Granted, the malware campaign only affected users in Japan, but the incident brings to light the bitter truth that even HTTPS certificates can be misused to spread infections.