Collective Intelligence Podcast, David Maimon on the Dark Web Market for SSL/TLS Certs
By Mike Mimoso
Compromised, stolen, or forged TLS and SSL certificates open many doors to profit for a cybercriminal. In parallel, they are also a precursor to difficult times for victims, who may find themselves conducting transactions on spoofed ecommerce sites that are given legitimacy by the padlock that symbolizes the presence of a legitimate certificate and an encrypted connection.
On the Deep & Dark Web (DDW), there exists an apparently thriving market for TLS and SSL certificates. Major underground markets and forums are selling or advertising compromised, stolen, or forged certs, with some of the leading underground shops mentioning their availability more often than ransomware and other higher-profile threats.
In this episode of the Collective Intelligence Podcast, David Maimon, an associate professor in Georgia State’s Andrew Young School of Policy Studies and director of the Evidence Based Cybersecurity Research Group at the university, describes the first stage of research into these markets.
Maimon was the lead author of a paper called “SSL/TLS Certificates and Their Prevalence on the Dark Web,” which describes the availability and volume of TLS and SSL certificates on the dark web, how they are packaged, and how they are sold to attackers. A threat actor with access to a certificate could sit as a man-in-the-middle and read supposedly confidential, encrypted communication, or use it to spoof websites in order to steal personal information, payment card data, or credentials.
Throughout the podcast, Maimon describes the findings that he and his colleagues Yubao Wu, Michael McGuire, Nicholas Stubler, and Zijie Qui made. The study examined more than 60 dark web markets and found that on five of the leading markets there is a consistent demand for SSL and TLS certificates, as well as for related services and products such as SSL stripping tools. Such tools are used in HTTPS downgrade attacks, which keep a browser on a plaintext HTTP connection instead of the secure connection the site intended.
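The main browser-side defense against the SSL stripping tools mentioned above is HTTP Strict Transport Security (HSTS): once a browser has seen a valid `Strict-Transport-Security` header for a host, it refuses to load that host over plain HTTP for the duration of `max-age`. The following added example (not code from the podcast, the paper, or Flashpoint) parses the header from a response and reports the gaps a downgrade attack could exploit. The three sample header sets are constructed for illustration, and the one-year `max-age` threshold is the value the browser preload list requires.

```python
"""Check an HTTP response's HSTS policy for gaps that leave a host exposed to SSL stripping.

Added, self-contained example; the sample responses below are constructed, not captured.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ONE_YEAR_SECONDS = 31536000  # minimum max-age for inclusion in the browser preload list


@dataclass
class HstsPolicy:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(headers: Dict[str, str]) -> HstsPolicy:
    """Parse the Strict-Transport-Security header (RFC 6797) from a header mapping."""
    value = None
    for name, header_value in headers.items():
        if name.lower() == "strict-transport-security":  # header names are case-insensitive
            value = header_value
            break
    if value is None:
        return HstsPolicy(present=False)

    policy = HstsPolicy(present=True)
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy.max_age = int(arg)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy


def downgrade_findings(policy: HstsPolicy) -> List[str]:
    """Return the conditions under which a browser could still be held on plain HTTP."""
    findings: List[str] = []
    if not policy.present:
        return ["no HSTS header: a browser with no cached policy can be kept on plain HTTP"]
    if policy.max_age is None:
        findings.append("HSTS header lacks a valid max-age, so browsers ignore it")
    elif policy.max_age == 0:
        findings.append("max-age=0 clears any cached policy; host is treated as unprotected")
    elif policy.max_age < ONE_YEAR_SECONDS:
        findings.append(f"max-age of {policy.max_age}s is below the one-year preload minimum")
    if not policy.include_subdomains:
        findings.append("includeSubDomains absent: subdomains may still be reached over HTTP")
    if not policy.preload:
        findings.append("preload absent: the very first visit, before the header is seen, is unprotected")
    return findings


# Constructed sample responses (not real captures).
SAMPLE_RESPONSES = {
    "hardened": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"},
    "weak": {"strict-transport-security": "max-age=300"},
    "none": {"Content-Type": "text/html"},
}


def audit_samples() -> Dict[str, List[str]]:
    """Run the check over every constructed sample and return findings per label."""
    return {label: downgrade_findings(parse_hsts(hdrs)) for label, hdrs in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for label, findings in audit_samples().items():
        print(f"{label}: {findings or 'no downgrade gaps found'}")
```

A stripping tool works by intercepting the user's first plaintext request and never letting the upgrade to HTTPS happen; a long `max-age`, `includeSubDomains`, and preload-list inclusion close the windows the checker reports. The same parser can be pointed at live headers from `http.client` or `requests` if a site audit is needed.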
Within the top five markets, for example, the paper explains, there were more than 3,000 mentions for SSL and TLS combined, compared to slightly more than 500 for ransomware and 161 for zero-day exploits.
Certificates, Maimon said during the podcast, are also often sold alongside crimeware, or as part of a package of services wrapped around the cert, or within a kit for building a spoofed website. Some of these services include aged domains or support that includes integration with legitimate payment processors.
Maimon also discusses the state of the certificate ecosystem and hints at a deeper dive into this work in a second paper due later this summer.
The Collective Intelligence Podcast, presented by Flashpoint and hosted by Editorial Director Mike Mimoso, features regular interviews with a diverse set of industry experts and Flashpoint analysts on the latest information security news and industry trends.
Michael Mimoso brings over a decade of experience in IT security news reporting to Flashpoint. As Editorial Director, he collaborates with marketing, analyst, and leadership teams to share the company’s story. Prior to Flashpoint, Mike was an Editor of Threatpost, where he covered security issues and cybercrime affecting businesses and end-users.
Prior to joining Threatpost, Mike was Editorial Director of the Security Media Group at TechTarget and Editor of Information Security magazine, where he won several ASBPE national and regional writing awards. In addition, Information Security was a two-time finalist for national magazine of the year. He has been writing for business-to-business IT publications for 11 years, with a primary focus on information security.
Earlier in his career, Mike was an editor and reporter at several Boston-area newspapers. He holds a bachelor’s degree from Stonehill College in North Easton, Massachusetts.