
Let’s Encrypt’s Free Certificates Abused by Cybercriminals

Security certificates from the free certificate authority (CA) Let’s Encrypt are being abused by cybercriminals in a malvertising campaign, Trend Micro has discovered.


The Let’s Encrypt initiative was proposed by the Electronic Frontier Foundation (EFF) and is backed by many web companies, including Mozilla, Cisco, Facebook, Akamai, Automattic, IdenTrust, the Linux Foundation, the University of Michigan, and others. The goal of the CA is to eliminate the fees associated with certificate issuance, thus encouraging site owners to secure their domains.

The CA also helps site owners set up and manage the certificates, and has announced that it will automatically renew them when they expire. Additionally, Let’s Encrypt issues only domain-validated (DV) certificates; it does not offer extended validation (EV) certificates, which usually require additional checks on the identity of the site owner.

Let’s Encrypt issued its first digital certificate in mid-September 2015, and entered an invitation-based private beta testing phase around the same time. On Dec. 3, 2015, it announced the public beta phase, which eliminated the need for an invitation to join the testing process and receive free certificates from it.

As Trend Micro’s Joseph Chen notes in a blog post, while the potential for Let’s Encrypt to be abused has always been present, the first site doing so was uncovered on Dec. 21. The security firm observed a campaign that redirected users to the Angler Exploit Kit, which in turn downloaded a banking Trojan; the traffic was observed going to a malvertising server and came from users in Japan.

The attack is believed to be the continuation of a malvertising campaign that was identified in September of last year, which was also targeting Japanese users. The cybercriminals behind the campaign used domain shadowing to carry out attacks, a technique that involves creating subdomains under a legitimate domain, with the subdomains leading to a server under the control of the attackers.

In this particular case, the attackers created ad.{legitimate domain}.com under the legitimate site, with traffic to the subdomain being protected with the HTTPS protocol and a Let’s Encrypt certificate. The security researchers discovered on the domain an ad that appeared to be related to the legitimate domain, but which instead was used to disguise traffic.

Trend Micro also discovered that some parts of the redirection script were moved from a JavaScript file into a .GIF file, thus making it more difficult to identify the payload. However, the company also found anti-antivirus code similar to the one identified in the September campaign, and discovered that the attack used an open DoubleClick redirect tactic.

As Chen notes, any technology meant for good can be abused by cybercriminals, and Let’s Encrypt is no exception. The problem is that an attacker can create subdomains under a legitimate domain name, which results in a CA that automatically issues certificates specific to these subdomains actually helping cybercriminals in their nefarious activities.

He also explains that Let’s Encrypt checks domains only against the Google Safe Browsing API, and that the CA has already said it does not believe CAs should act as content filters. However, he also states that website owners should be able to secure their own website control panels so that no new subdomains they do not control are created without their knowledge.
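As an added example (not from the article or from Trend Micro), one way a site owner can notice certificates being issued for subdomains they never created, the domain-shadowing pattern described above, is to compare publicly logged certificates for their zone against an allowlist of the subdomains they actually operate. It assumes Certificate Transparency entries in a crt.sh-style JSON shape (an assumed format); the sample entries are constructed.

```python
"""Flag certificates for subdomains a site owner did not authorise (domain-shadowing check)."""
import json

# Constructed sample: CT-log entries in an assumed crt.sh-style shape, not real log data.
# name_value holds the certificate's subject alternative names, newline-separated.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "issuer_name": "O=Let's Encrypt (constructed)",
     "name_value": "example.com\nwww.example.com"},
    {"id": 2, "issuer_name": "O=Let's Encrypt (constructed)",
     "name_value": "ad.example.com"},
    {"id": 3, "issuer_name": "O=Other CA (constructed)",
     "name_value": "*.example.com"},
    {"id": 4, "issuer_name": "O=Let's Encrypt (constructed)",
     "name_value": "www.example.com.evil.test"},
])


def names_in_zone(entry, zone):
    """Yield SAN names from one entry that fall under `zone` (case-insensitive).

    Matching requires the name to equal the zone or end in ".<zone>", so a
    look-alike such as www.example.com.evil.test is not mistaken for ours.
    """
    zone = zone.lower().rstrip(".")
    for name in entry["name_value"].split("\n"):
        name = name.strip().lower().rstrip(".")
        if name == zone or name.endswith("." + zone):
            yield name


def unexpected_subdomains(ct_json, zone, allowlist):
    """Return sorted (name, issuer, entry id) tuples for names not on the allowlist.

    Wildcard names are always flagged: a *.zone certificate covers any subdomain,
    so the owner should recognise every such issuance explicitly.
    """
    allowed = {n.lower().rstrip(".") for n in allowlist}
    findings = set()
    for entry in json.loads(ct_json):
        for name in names_in_zone(entry, zone):
            if name.startswith("*.") or name not in allowed:
                findings.add((name, entry["issuer_name"], entry["id"]))
    return sorted(findings)


if __name__ == "__main__":
    known = ["example.com", "www.example.com"]
    for name, issuer, eid in unexpected_subdomains(SAMPLE_CT_JSON, "example.com", known):
        print(f"[!] unauthorised certificate for {name} (entry {eid}) issued by {issuer}")
```

Run against real CT data, the allowlist should be generated from the authoritative DNS zone so that an attacker-created subdomain is flagged both by its certificate and by its DNS record.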

To keep users secure, browser makers, CAs, and anti-virus companies should actively engage in blocking bad actors, Chen adds. While CAs should be willing to revoke inadvertently issued certificates, users should also be aware that secure sites are not necessarily safe, and that they need to keep their software up to date at all times to minimize the attack surface for exploit kits.
