Have Cyber Attackers Impersonated Microsoft’s Domain with Bogus Certificates?

May 8, 2019 | Guest Blogger: Kim Crawley

A lot of interesting finds can be discovered on Twitter. A security researcher found a webpage on Microsoft.net for Office 365 that uses a TLS certificate which appears to be very suspicious.
What’s that *.blob.core.windows.net subdomain?
JavaScript code related to the page sends a user’s sensitive authentication credentials to kopcamveanya.com.
I decided to take the plunge and see what the website hosted at the kopcamveanya.com domain was all about. It appeared to be a Turkish retailer of some sort.

I plugged their “About” page into Google Translate, as I don’t understand Turkish.
I can only speculate as to what’s going on with Microsoft’s domain and the domain of this Turkish glass retailer. But most likely Microsoft is being impersonated by cyber attackers. Microsoft is one of the biggest tech companies in the world. Even if you prefer to use Macs or Linux, I can pretty much guarantee that you’ve directly used their software at some point. And we also use their software indirectly through platforms like Microsoft IIS web servers, Windows Server operating systems, and Microsoft Azure cloud servers. They may have started on the client frontend in the 80s with MS-DOS and Windows, but for decades they have had a significant presence on the backend too. Their 2018 revenue was about $110.36 billion USD, and they employ many of the top minds in the computing industry. I’m confident that they wouldn’t knowingly collaborate with cyber attackers, and I would think they’re securing their TLS certificates and all of their public key infrastructure like Fort Knox.

But the only reasonable assumption here is that cyber attackers have indeed impersonated their TLS systems and domain. And the *.blob.core.windows.net subdomain may be one that cyber attackers have created themselves. They may have been able to maliciously acquire some windows.net TLS certificates to modify for their own nefarious purposes. But more likely, they were able to generate TLS certificates for *.blob.core.windows.net completely on their own.
The JavaScript on what’s likely the cyber attacker’s phishing webpage for credential collection isn’t obfuscated at all: we can clearly see that passwords that go through that form are being sent to an address on the kopcamveanya.com domain.

Is the Turkish ecommerce site for glass retailing a front for cyber crime? Why is an online store being delivered through plaintext HTTP? I’m not going to try to buy something to see if customer transaction data is sent through HTTPS. Perhaps it isn’t. Perhaps it is. It’s not worth the risk for me.
I think the more probable scenario is that the Turkish glass retailer’s site isn’t a front for cyber crime; rather, the cyber attackers may have hijacked the kopcamveanya.com domain to route their data transmissions. I mean, come on! A web store that uses HTTP?

Hopefully someone has reported this phishing incident to Microsoft.
The *.blob.core.windows.net subdomain in the cyber attackers’ TLS certificate marks it as a wildcard type. Any label can be used in the first part of the subdomain, as the * is a wildcard. It could be phishing.blob.core.windows.net, it could be fraud.blob.core.windows.net, it could be fooledya.blob.core.windows.net, it could be whatever you want.

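As an added example (not code from the original post), the matching rule that lets a single *.blob.core.windows.net certificate cover phishing.blob.core.windows.net or fooledya.blob.core.windows.net, together with the limits TLS clients apply to wildcards. The SAN list is constructed for illustration and is not the certificate from the article.

```python
"""Wildcard certificate name matching, following the RFC 6125 rules.

Added example, not part of the original blog post. The SAN list below is
constructed; it is not taken from the certificate discussed above.
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (possibly a wildcard) covers hostname.

    Rules applied (the ones browsers and TLS libraries enforce):
    - comparison is case-insensitive and ignores a trailing dot
    - '*' is only honoured as the entire left-most label
    - '*' matches exactly one label, never zero and never several
    - a wildcard needs at least two fixed labels after it ('*.com' is refused)
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")

    if "*" not in pattern:
        return p_labels == h_labels

    # Wildcard must be the whole left-most label; no '*' elsewhere.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False

    # '*' stands for exactly one label, so the label counts must be equal
    # and every label to the right of the '*' must match literally.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def names_covering(san_names, hostname):
    """List the SAN entries of a certificate that make hostname valid."""
    return [name for name in san_names if hostname_matches(name, hostname)]


# Constructed SAN list for a hypothetical wildcard certificate.
SAMPLE_SAN = ["*.blob.core.windows.net", "blob.core.windows.net"]

if __name__ == "__main__":
    for host in ["phishing.blob.core.windows.net", "a.b.blob.core.windows.net",
                 "blob.core.windows.net", "windows.net"]:
        print(host, names_covering(SAMPLE_SAN, host))
```

The same function shows why a wildcard is broad but not unbounded: the bare blob.core.windows.net and any deeper name such as a.b.blob.core.windows.net are only valid if listed separately.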
Last October, David Bisson recommended that organizations cease using wildcard certificates. He wrote:
“Clearly, attackers are comfortable with using wildcard certificates for phishing email attacks and other attacks. Fortunately, security controls and solutions can help block an attack. By putting these defenses in place, you increase the effort that a malicious actor must take to compromise your network. Your goal is to make compromising your network so expensive that cyber-criminals would rather focus their attention on someone else. As the saying goes: When a lion chases you, you don’t need to be the fastest runner; you just have to be faster than the person behind you.

You can make your organization more costly to exploit by avoiding wildcard certificates. Although wildcard certificates make business operations simpler, they provide tremendous opportunity to any cyber-criminal who compromises your webserver or steals a wildcard certificate’s private key.”
Maybe Microsoft got into the habit of using wildcard certificates and opened an opportunity for cyber attackers who want to spoof their web apps and websites. As for the kopcamveanya.com website, there’s nothing about it that looks at all secure.