In May last year, the PCI Security Standards Council asked all e-commerce platforms and those carrying out transactions online to migrate from existing SSL/early TLS protocols to a more secure TLS v1.2 or higher, stating that SSL/early TLS were no longer considered secure forms of encryption for payment card data.
The Council observed that even though SSL, an encryption system that protected the privacy of data exchanged by a website and the individual user, had been succeeded by Transport layer security (TLS), it continued to be used by a large number of organisations.
“Because of its widespread use online, SSL/early TLS has been targeted by security researchers and attackers. Many serious vulnerabilities in SSL/early TLS (e.g. POODLE, BEAST, CRIME, Heartbleed) have been uncovered over the past 20 years, making it an unsafe method for protecting sensitive data,” the PCI Security Standards Council said.
Despite the advisory, a large number of organisations are still using SSL/TLS certificates for their websites, emails and file transfers and are yet to migrate to more secure TLS v1.2 or higher versions. By doing so, they are placing themselves and their customers at great risk as modern hackers can easily exploit vulnerabilities in such certificates or obtain trusted certificates to spoof organisations and customers.
SSL/TLS certificates readily available on Tor markets
According to a new report from Venafi, SSL/TLS certificates, along with a range of related services and products, are now easily available on Dark Web marketplaces. Venafi observed the sale of trusted SSL/TLS certificates on five Tor network markets and these were priced between $260 and $1,600, depending on the type of certificate offered and the scope of additional services.
By using these certificates readily available on the Tor network, cyber criminals can spoof websites, eavesdrop on encrypted traffic, perform man-in-the-middle attacks and steal sensitive data.
“One very interesting aspect of this research was seeing TLS certificates packaged with wrap-around services – such as web design services – in order to give attackers immediate access to high levels of online credibility and trust. It was surprising to discover how easy and inexpensive it is to acquire extended validation certificates, along with all the documentation needed to create very credible shell companies without any verification information,” said security researcher David Maimon who authored the report.
The report further revealed that the demand for SSL/TLS certificates by cyber criminals is such that there were at least 2,943 mentions for “SSL” and 75 for “TLS” on the five Tor marketplaces compared to just 531 mentions for ransomware and 161 for zero days. One vendor on the markets was even found selling certificates from reputable Certificate Authorities along with forged company documentation such as DUNS numbers. This package allows attackers to credibly present themselves as a trusted U.S. or U.K. company.
“TLS certificates that act as trusted machine identities are clearly a key part of cybercriminal toolkits – just like bots, ransomware and spyware. There is a lot more research to do in this area, but every organization should be concerned that the certificates used to establish and maintain trust and privacy on the internet are being weaponized and sold as commodities to cybercriminals,” said Kevin Bocek, vice president of security and threat intelligence for Venafi.