Researchers have uncovered a thriving underground market in TLS certificates sold on their own and packaged with crimeware to help launch a range of attacks.
Sponsored by Venafi, the SSL/TLS Certificates and Their Prevalence on the Dark Web report was carried out by researchers at the Evidence-based Cybersecurity Research Group at the Andrew Young School of Policy Studies, Georgia State University and the UK’s University of Surrey.
It revealed that, although SSL/TLS certificates are essential to protecting user privacy and security and enhancing digital trust, they are also an attractive target for hackers.
The researchers observed a steady influx of certs on five TOR-based dark web markets — Dream Market, Wall Street Market, BlockBooth, Nightmare Market and Galaxy3. Some, like Dream Market, specialized in the sale of SSL/TLS certificates for use in attacks.
Prices ranged from $260 to $1600, depending on the type of certificate offered and the scope of additional services, which could include malicious websites and ransomware.
Researchers also found extended validation (EV) certificates packaged up with services to support malicious websites including Google-indexed “aged” domains, after-sale support, web design services, and integration with payment tools including PayPal and Square.
For less than $2000, a hacker can buy packages from a seller on BlockBooth which include certificates from “reputable” Certificate Authorities and forged company documents including a unique corporate DUNS number for UK and US firms, the report revealed.
The insight reveals the extent to which hackers are abusing the trust system that underpins the internet.
“One very interesting aspect of this research was seeing TLS certificates packaged with wrap-around services — such as web design — in order to give attackers immediate access to high levels of online credibility and trust,” said report author David Maimon of the Evidence-based Cybersecurity Research Group.
“It was surprising to discover how easy and inexpensive it is to acquire extended validation certificates, along with all the documentation needed to create very credible shell companies without any verification information.”
Venafi vice president of security and threat intelligence, Kevin Bocek, warned that TLS certs are effectively being weaponized and sold as commodities by hackers.
“TLS certificates that act as trusted machine identities are clearly a key part of cyber-criminal toolkits — just like bots, ransomware and spyware,” he added.