An analysis reported on Bleeping Computer found that during the past year Let’s Encrypt issued a total of 15,270 SSL certificates containing the word “PayPal” in the domain name or the certificate identity.
“Of these, approximately 14,766 (96.7%) were issued for domains that hosted phishing sites, according to an analysis carried out on a small sample of 1,000 domains by Vincent Lynch, encryption expert for The SSL Store.
His findings reveal how phishers gradually tested if they could get, deploy, and keep hold of Let’s Encrypt certificates for malicious websites.
Around October and November last year, the floodgates opened, and the number of Let’s Encrypt SSL certificates issued for PayPal-themed phishing sites increased in a dramatic fashion.”
The article contains useful insight, including images that compare a fake PayPal site with a genuine one. Although such fake sites are usually spotted and taken down within a couple of days, that is often enough time to do some damage. Ilia Kolochenko, CEO at web security company High-Tech Bridge, commented below.
Ilia Kolochenko, CEO at High-Tech Bridge:
“I think we should separate HTTP traffic encryption and website identity verification questions. Let’s Encrypt’s mission is to globally convert plaintext HTTP traffic to encrypted HTTPS traffic, and they are doing it pretty well. Nonetheless, they should have foreseen massive abuse by phishers and implemented at least some basic security verifications, such as refusing SSL certificates for domains that contain popular brand names.
Speaking particularly about the phishing problem, I think web browsers marking any HTTPS website as secure are more responsible for the problem. Web browsers encourage users to blindly trust the HTTPS websites’ security without any justifiable reason, failing to mention that it’s only about channel encryption and almost nothing about website trustworthiness or web application security. Therefore, now it’s difficult to measure whose carelessness contributed more to the skyrocketing phishing campaigns.
Last but not least, the idea of encrypting all web traffic remains questionable, as it allows malware to bypass various security mechanisms more efficiently, causing huge damage to end users and companies. I am quite sure that if we were to see how many Let’s Encrypt SSL certificates are used by malware to exfiltrate stolen data, the results would be pretty scary. Therefore, it’s difficult to predict how Let’s Encrypt will shape its growth strategy in the future to preclude cybercriminals from abusing its desire to make the web safer.”
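Both the count described at the top of the page and the brand-name refusal Kolochenko proposes come down to the same operation: scan every name on a certificate for a protected brand word, while not flagging the brand’s own domains. The Python below is an added example and not code from Bleeping Computer, The SSL Store, High-Tech Bridge or Let’s Encrypt. The brand list, the owned-domain allowlist, the leetspeak substitution map and the sample records are all constructed for illustration, and the record shape (a CN plus a list of SANs) is an assumption about what a Certificate Transparency log entry or an issuance request would expose.

```python
"""Brand-keyword screening of certificate names (added example).

Not code from the page or from any of the organisations it mentions. It
mimics two things the page talks about: tallying issued certificates whose
names carry a brand word, and the "basic verification" a CA could run before
issuing. Records, brands and the allowlist below are constructed.
"""
import re
from collections import Counter

# Constructed brand list; a CA would maintain a far larger one.
BRANDS = ("paypal", "microsoft")

# Legitimate registrable domains of those brands; names under them pass.
OWNED = frozenset({"paypal.com", "microsoft.com"})

# Digit/symbol substitutions phishers use to dodge naive substring checks.
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                       "5": "s", "7": "t", "|": "l"})


def normalise(name: str) -> str:
    """Lower-case, drop a leading wildcard label and undo common leetspeak."""
    name = name.strip().lower()
    if name.startswith("*."):
        name = name[2:]
    return name.translate(_LEET)


def brand_hits(name: str) -> list:
    """Brands found in `name` after normalisation, ignoring dots and hyphens.

    Removing separators makes "pay-pal", "pay.pal" and "paypal" match alike.
    """
    squashed = re.sub(r"[.-]", "", normalise(name))
    return [b for b in BRANDS if b in squashed]


def is_suspicious(name: str) -> bool:
    """True when a name carries a brand word but is not the brand's own domain."""
    norm = normalise(name)
    if any(norm == d or norm.endswith("." + d) for d in OWNED):
        return False
    return bool(brand_hits(name))


def screen_certificate(cn: str, sans) -> list:
    """Return the normalised, de-duplicated suspicious names across CN and SANs."""
    flagged = []
    for n in [cn] + list(sans):
        norm = normalise(n)
        if is_suspicious(n) and norm not in flagged:
            flagged.append(norm)
    return flagged


def summarise(records) -> dict:
    """Count certificates with at least one suspicious name, and per brand."""
    flagged = 0
    per_brand = Counter()
    for rec in records:
        bad = screen_certificate(rec["cn"], rec["sans"])
        if bad:
            flagged += 1
            for b in {hit for n in bad for hit in brand_hits(n)}:
                per_brand[b] += 1
    return {"total": len(records), "flagged": flagged, "per_brand": dict(per_brand)}


# Constructed sample in the shape of CT log entries; not real issuance data.
SAMPLE = [
    {"cn": "www.paypal.com", "sans": ["paypal.com"]},                        # genuine
    {"cn": "paypal-account-verify.example", "sans": []},                    # brand + bait word
    {"cn": "*.paypa1-secure.example", "sans": ["login.paypa1-secure.example"]},  # "1" for "l"
    {"cn": "pay-pal.example", "sans": []},                                  # hyphen split
    {"cn": "microsoft.com", "sans": ["www.microsoft.com"]},                 # genuine
    {"cn": "shop.example", "sans": ["cdn.example"]},                        # unrelated
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["cn"], "->", screen_certificate(rec["cn"], rec["sans"]) or "ok")
    print(summarise(SAMPLE))
```

Run as a script it prints each sample CN with the names it would flag and the overall tally (three of the six constructed certificates, all for the PayPal keyword). Separator squashing and digit substitution catch “pay-pal” and “paypa1”, but plain substring matching also over-flags any name that merely contains a brand word inside a longer one, which is the cost of the blunt rule the comment proposes; the allowlist of the brand’s own registrable domains is what keeps genuine certificates out of the count.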