Certificate authorities duped to sell legitimate digital certificates that can spread malware

• The certificates thus bought, are sold on the black market to potential buyers.
• Bad actors impersonate company executives to deceive certificate authorities into selling them legitimate digital certificates.

Researchers have identified a new kind of certificate fraud that involves the purchasing of legitimate digital certificates that could be used to spread malware. The certificates thus bought, are sold on the black market to potential buyers.

What are the aspects?

Security firm ReversingLabs has discovered that bad actors are impersonating company executives to deceive certificate authorities into selling them legitimate digital certificates.

• Once purchased, theses digital certificates are sold on the black market for digitally signing malicious files, mainly adware.
• Researchers note that certificates are valuable resources as they reduce the chance of early malware detection. This can be beneficial for financially motivated actors.

How does it happen?

The fraud attack begins with the reconnaissance phase in which threat actors select the right target to impersonate. For this, they have to trawl through publicly available information.

“A person well-established in their industry, with easily verifiable history is a preferred target. Since the goal is to acquire a code signing certificate, the perfect victim is someone working in the software industry,” note the researchers in a blog post.

Social media sites such as LinkedIn are a viable place to search these targets. Once identified, threat actors, scrap the details from their public LinkedIn profile page in order to pass their identity validation process.

Validating a domain

Researchers note that the attackers aim to use the top-level domain to mislead the certificate authority during their identity validation process.

“The gamble is that the person verifying the certificate issuance request will assume that the same company owns both the global .COM and the regional .CO.UK domains for their business, reads the analysis published by experts.

Final execution step

When the infrastructure is in place, threat actors then proceed to purchase the certificates and verify them. The verification is done using public antivirus scanning services.

“There is less verification for non-extended validation certificates, and the attacker already has everything required to purchase one for the impersonated identity. The only thing that remains is passing the certificate authority identity verification,” highlight the researchers.

After the order has been placed and the payment has been made, it only takes a few days for the purchase to be fulfilled. The payment can be done through Skrill, PayPal, and WebMoney.