PayPal Phishing Fiascos: Protecting Yourself from Fraudulent Certificates

March 30, 2017 | Emil Hanscom

In late March, encryption experts affiliated with the SSL Store released a report on fraudulent certificates issued by Let’s Encrypt. According to researcher Vincent Lynch, Let’s Encrypt issued 15,270 certificates containing the word “PayPal” between January 1st, 2016 and March 6th, 2017. However, Lynch writes: “based on a random sample, 96.7% of these certificates were intended for use on phishing sites.”

As I mentioned in a previous blog post, encryption adoption is certainly on the rise. In fact, Let’s Encrypt issued certificates to over 21 million websites last year. Encryption usage is often seen as a positive security step, but the reality is not so clear. As Lynch puts it: “encrypting everything includes the bad sites, and the widespread use of HTTPS on malicious sites has been a concern for some.”

Simply put: as encryption becomes more prevalent, so do the cyber criminals who abuse it. When Mozilla reported that half of the web traffic on Firefox was encrypted, Zscaler revealed that 54% of the threats blocked by their product line hid in SSL traffic.

According to Kevin Bocek, chief security strategist for Venafi: “As the speed of certificate issuance accelerates and hackers automate their attacks, the risk for malicious certificates will continue to increase. This problem will only get worse."

Now, Let’s Encrypt is not the only Certificate Authority facing these kinds of issues. “Everyone has been trained to look for the padlock in their browser – cyber criminals are catching up and using the power and trust of digital certificates against us,” says Bocek. “This issue, however, is not limited to just Let’s Encrypt. Many other CAs have been challenged to stop fraud.” 

So how can organizations protect themselves? Bocek recommends enterprises use technologies like Certificate Reputation to identify machines using malicious or rogue certificates: “Certificate Reputation uses data from Certificate Transparency logs, along with analytics and machine learning, to score certificates. Certificate Reputation services also help enterprises identify certificates issued in their own name, whether they’re purchased on the inside by marketing or obtained fraudulently by cyber criminals.”
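The monitoring idea Bocek describes, reduced to its simplest form as an added illustration (not Venafi's Certificate Reputation code): scan Certificate Transparency entries for names containing a brand keyword, separate certificates under zones the enterprise actually owns from look-alike names it does not control, and rank the latter with a small heuristic score. The log entries, the owned zone list and the scoring weights are all constructed assumptions for the example.

```python
from typing import Dict, List

LURE_WORDS = ("login", "secure", "verify", "account", "update", "signin")
# Constructed CT-style entries (not real log records): one dict per certificate,
# carrying the issuer and the DNS names from its Subject Alternative Names.
SAMPLE_ENTRIES = [
    {"issuer": "Corporate CA (constructed)", "names": ["www.paypal.com"]},
    {"issuer": "Public CA (constructed)", "names": ["paypal.com.secure-login.example"]},
    {"issuer": "Public CA (constructed)", "names": ["*.paypal-verify.example"]},
    {"issuer": "Public CA (constructed)", "names": ["shop.example"]},
    {"issuer": "Corporate CA (constructed)", "names": ["help.paypal.com", "api.paypal.com"]},
    {"issuer": "Public CA (constructed)", "names": ["mypaypal.example"]},
]

def normalize(name: str) -> str:
    """Lower-case a DNS name, drop a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def is_under(name: str, zone: str) -> bool:
    """True when name is the zone itself or a subdomain of it."""
    return name == zone or name.endswith("." + zone)

def score_name(name: str, owned_zones: List[str]) -> int:
    """Heuristic suspicion score for a brand-bearing name outside the owned zones."""
    score = 1  # the brand string appears in a name the enterprise does not control
    # an owned zone used as a leading label sequence, e.g. paypal.com.evil.example
    if any(name.startswith(zone + ".") for zone in owned_zones):
        score += 2
    # lure words commonly paired with a brand on credential-harvesting pages
    if any(word in name for word in LURE_WORDS):
        score += 1
    return score

def triage(entries: List[dict], brand: str, owned_zones: List[str]) -> Dict[str, list]:
    """Split brand-bearing names into owned inventory and scored look-alikes."""
    inventory: Dict[str, None] = {}  # dict keeps first-seen order, drops repeats
    suspicious: Dict[str, int] = {}
    for entry in entries:
        for raw in entry["names"]:
            name = normalize(raw)
            if brand not in name:
                continue  # not about this brand at all
            if any(is_under(name, zone) for zone in owned_zones):
                inventory[name] = None  # issued in our own name: reconcile with purchases
            else:
                suspicious[name] = score_name(name, owned_zones)
    ranked = sorted(suspicious.items(), key=lambda kv: (-kv[1], kv[0]))
    return {"inventory": list(inventory), "suspicious": ranked}
```

The inventory list is what an enterprise reconciles against its own purchase records; the ranked list is the queue for takedown or blocking review.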

Ultimately, encryption is a tool. It is not inherently good or bad. And its success as a tool is dependent on the user. Organizations can easily utilize encryption to make themselves and their ecosystems safer, but they must take additional steps to protect themselves from abuse.

What steps do you take to protect yourself from fraudulent certificates? 

About the author

Emil Hanscom

Emil is the Public Relations Manager at Venafi. Passionate about educating the global marketplace about infosec and machine-identity issues, they have consistently grown Venafi's global news coverage year over year.