PayPal Phishing Fiascos: Protecting Yourself from Fraudulent Certificates

March 30, 2017 | Eva Hanscom

In late March, encryption experts affiliated with the SSL Store released a report on fraudulent certificates issued by Let’s Encrypt. According to researcher Vincent Lynch, Let’s Encrypt issued 15,270 certificates containing the word “PayPal” between January 1st, 2016 and March 6th, 2017. However, Lynch writes: “based on a random sample, 96.7% of these certificates were intended for use on phishing sites.”

As I mentioned in a previous blog post, encryption adoption is certainly on the rise. In fact, Let’s Encrypt issued certificates to over 21 million websites last year. Encryption usage is often seen as a positive security step, but the reality is not so clear. As Lynch puts it: “encrypting everything includes the bad sites, and the widespread use of HTTPS on malicious sites has been a concern for some.”

Simply put: as encryption becomes more prevalent, so do the cyber criminals who abuse it. When Mozilla reported that half of the web traffic on Firefox was encrypted, Zscaler revealed that 54% of the threats blocked by their product line hid in SSL traffic.

According to Kevin Bocek, chief security strategist for Venafi: “As the speed of certificate issuance accelerates and hackers automate their attacks, the risk for malicious certificates will continue to increase. This problem will only get worse.”

Now, Let’s Encrypt is not the only Certificate Authority facing these kinds of issues. “Everyone has been trained to look for the padlock in their browser – cyber criminals are catching up and using the power and trust of digital certificates against us,” says Bocek. “This issue, however, is not limited to just Let’s Encrypt. Many other CAs have been challenged to stop fraud.” 

So how can organizations protect themselves? Bocek recommends enterprises use technologies like Certificate Reputation to identify machines using malicious or rogue certificates: “Certificate Reputation uses data from Certificate Transparency logs, along with analytics and machine learning, to score certificates. Certificate Reputation services also help enterprises identify certificates issued in their own name, whether they’re purchased on the inside by marketing or obtained fraudulently by cyber criminals.”
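The brand-monitoring side of this is straightforward to sketch. The following is an added example, not Venafi's Certificate Reputation code or Lynch's methodology: it scores DNS names as a defender would after pulling them from Certificate Transparency log entries, flagging names that carry the brand keyword (or a digit-for-letter variant of it) outside the brand's own domain. It assumes "paypal" as the brand, paypal.com as the only legitimate registrable domain, a constructed list of names standing in for real CT entries, and a naive two-label rule for the registrable domain.

```python
import re

# Constructed sample of DNS names, standing in for names extracted from
# Certificate Transparency log entries (not real log data).
SAMPLE_CT_NAMES = [
    "www.paypal.com",
    "paypal.com",
    "paypal-secure-login.example.net",
    "secure.paypal.example.org",
    "paypa1.example.com",
    "shop.example.com",
]

BRAND = "paypal"
LEGITIMATE_DOMAINS = {"paypal.com"}  # assumption: the brand's own registrable domains
LURE_WORDS = {"login", "secure", "verify", "account", "update", "signin"}

def registrable_domain(name: str) -> str:
    """Simplified: last two labels. Production code should use the Public Suffix List."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def score_name(name: str) -> dict:
    """Score one certificate DNS name for brand abuse; higher is more suspicious."""
    lowered = name.lower()
    reg = registrable_domain(lowered)
    score, reasons = 0, []
    if reg in LEGITIMATE_DOMAINS:
        return {"name": name, "score": 0, "reasons": ["legitimate domain"]}
    if BRAND in lowered:
        score += 50
        reasons.append("brand keyword outside legitimate domain")
    # Digit-for-letter variants (1 for l, 0 for o) are a common typo-squat pattern.
    normalized = lowered.translate(str.maketrans("10", "lo"))
    if BRAND not in lowered and BRAND in normalized:
        score += 40
        reasons.append("typo/homoglyph variant of brand")
    lure_hits = LURE_WORDS & set(re.split(r"[.\-_]", lowered))
    if lure_hits and score:  # lure words only matter alongside a brand signal
        score += 10 * len(lure_hits)
        reasons.append("lure words: " + ",".join(sorted(lure_hits)))
    return {"name": name, "score": score, "reasons": reasons}

def flag_suspicious(names, threshold=40):
    """Return scored entries at or above threshold, most suspicious first."""
    scored = [score_name(n) for n in names]
    hits = [s for s in scored if s["score"] >= threshold]
    return sorted(hits, key=lambda s: s["score"], reverse=True)
```

Names on the brand's own domain score zero; a name such as `paypal-secure-login.example.net` scores 70 (brand keyword plus two lure words) and lands at the top of `flag_suspicious(SAMPLE_CT_NAMES)`.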

Ultimately, encryption is a tool. It is not inherently good or bad. And its success as a tool is dependent on the user. Organizations can easily utilize encryption to make themselves and their ecosystems safer, but they must take additional steps to protect themselves from abuse.

What steps do you take to protect yourself from fraudulent certificates? 

About the author

Eva Hanscom

Eva Hanscom writes for Venafi's blog and is an expert in machine identity protection.
