Skip to main content
banner image
venafi logo

Cybercrime’s Favorite Halloween Costume? [Trusted Certificate]

Cybercrime’s Favorite Halloween Costume? [Trusted Certificate]

cybercrime and certificate misuse
October 30, 2019 | Scott Carter

So, it’s that time of year where we’re stuck trying to figure out which costume to wear this Halloween season. But for cyber criminals, it may not be that difficult of a choice. Most simply opt for the costume that gives them the biggest bang for the buck. Why not dress up as a legitimate company using TLS certificates? When your malicious website sports a trusted certificate, you’ll appear to be on the up and up. But what’s really scary is that that most people will assume that you aren’t dressed up at all.

Attackers have long been using TLS channels as part of a full attack cycle, from delivering exploits and payloads to pointing victims to phishing pages or compromised sites in a bid to fake authenticity. To fuel this appetite for trust, there is a bourgeoning market for TLS certificates on the Dark Web, where cyber attackers are willing to pay top dollar for them. Venafi research found that attackers are willing to pay up to $2000 for a code signing certificate on the Dark Web.



And to date, criminals have been relatively successful in wearing this type of TLS costume to hide big attacks, such as the Zeus botnet. And this year, at least one cybercriminal is dressed up as the United Nations. Indeed, cyber criminals are impersonating legitimate Microsoft Office 365 login pages on mobile devices in a phishing campaign that targets organizations, such as the United Nations, UNICEF and UN World Food. 


According to BleepingComputer, “Targeting mobile users is a well-known tactic used by phishers given that the mobile web browsers will help them obfuscate the phishing URLs by truncating them, thus making it a lot harder for their targets to discover that they are under attack.”

And here’s where the TLS costume really gets nefarious, notes Kevin Bocek, vice president, of security strategy and threat intelligence at Venafi. “These latest attacks targeting United Nations and global charity websites use TLS certificates to make malicious domains appear legitimate, they take advantage of the implicit trust users have in the green padlock created by TLS certificates. Internet users have been trained to look for a green padlock when they visit websites, and bad actors are using SSL/TLS certificates to impersonate all kinds of organizations.”

In this video, Kevin pulls back the cover on a thriving TLS dark web enterprise. Cybercriminals will pay more for machine identities than for human identities now, so a stolen TLS certificate is worth more than you think. 




Bocek also warns that while this technique may appear sophisticated, these types of phishing attacks are very common. For example, in 2017, security researchers uncovered over 15,000 certificates containing the word ‘PayPal’ that were being used in attacks. And in June, the FBI issued a warning stating that the green padlock on websites doesn’t mean the domain is trustworthy and safe from cyber criminals. 


In order to protect businesses and users, security teams must identify all the legitimate TLS certificates on their own networks. They also need to identify fraudulent certificates issued by attackers that are being used to impersonate their organization. Bocek advises that “Technologies like certificate transparency and certificate reputation can definitely help, but as the number of certificates issued every day continues to skyrocket, more help is definitely needed.”

Who is dressing up as your website this Halloween?




Related posts



Like this blog? We think you will love this.
attaques de décapage ssl
Featured Blog

En quoi consistent les attaques SSL strip ?

  Un peu d'histoire

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Scott Carter
Scott Carter

Scott is Senior Manager for Content Marketing at Venafi. With over 20 years in cybersecurity marketing, his expertise leads him to help large organizations understand the risk to machine identities and why they should protect them

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more