A clone of the social news aggregation website Reddit is using an SSL certificate to lull users into a false sense of security so that they'll hand over their login credentials.
Software engineer Alec Muffett came across the phishing site on 4 February. It leverages typosquatting, otherwise known as URL hijacking, to try to steal the usernames and passwords of people who misspell "reddit.com" in the address bar.
The domain for this Reddit clone is "reddit[dot]co," ".co" being the country code top-level domain (ccTLD) assigned to Colombia.
HEADSUP: Looking for infosec people at @Reddit. Website at (phishing?) domain reddit(.)co — using the Colombian TLD — was acting a pitch-perfect apparent MITM of the actual Reddit. Now returning 500 before I could screenshot it. Domain ownership is as-follows: pic.twitter.com/hpucMroumd— Alec Muffett (@AlecMuffett) February 5, 2018
A visitor to the fake Reddit sees a home page that looks a lot like the actual news aggregation website. The clone is even served over HTTPS with a valid SSL certificate, so the browser shows its padlock, which bolsters that sense of legitimacy. Bear in mind what the padlock actually attests: that the connection is encrypted to whoever controls the domain in the address bar, not that the domain belongs to the brand it imitates. And don't be fooled by the look of the page; clicking on any of the non-image features reveals a 500 Internal Server Error status code.
With that said, anyone who submits their login credentials to the fake site can bet its domain owner will steal them and likely try them against other services as well, since reused passwords make a single phished login worth far more than one Reddit account.
Gizmodo reports that someone first registered "reddit[dot]co" in July 2010 some five years after the real Reddit was born. Owners of the misleading domain have used the site for various purposes since then, including hosting Flash-based games and adult videos.
It appears someone in London is the most recent registrant of the site. But according to International Business Times, an IP address linked to the page would have researchers believe the domain owner is based in Ukraine. Wherever they're located, the fraudster obtained an SSL certificate from Comodo. (The actual Reddit website uses certificates issued by DigiCert.)
Kevin Bocek, VP of Security Strategy & Threat Intelligence at Venafi, told Help Net Security that Reddit isn't the only site bad actors have impersonated using a certificate:
“It's not just sites like Reddit.co – last year over 14,000 certificates were used to set up phishing sites spoofing PayPal alone. This shows the power of the padlock for cybercriminals, allowing them to appear trusted while tricking unsuspecting victims out of their data and damaging brand reputations across the internet…. This attack is part of a much larger problem that jeopardizes the system of trust used throughout the internet and shows why a new system of trust built on reputation is needed. The answer is certificate reputation scoring to help people know what can and can’t be trusted.”
Still waiting for @Google #SafeBrowsing to block the fake @Reddit ; I'm not sure how long it should take to update, so this is an interesting experiment. It was reported last night UK time. pic.twitter.com/T3YF1etvCG— Alec Muffett (@AlecMuffett) February 5, 2018
To make sure visitors can always trust their websites, organizations need to monitor certificate issuance for signs of abuse, not only the certificates they hold themselves. An inventory of an organization's own certificates would never have shown the "reddit[dot]co" certificate, because it was issued for a different domain to a different party. Certificate Transparency logs, which record publicly trusted certificates, make such issuance observable: watching them for lookalike names, and for certificates covering the brand's own domains from a CA the organization does not use, turns a phishing site's padlock from an asset for the attacker into an early warning for the defender.
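The typosquatting described earlier and the certificate monitoring recommended above come together in the following script, which is an added example and not code from the original article, from Alec Muffett, or from any vendor named on the page. It generates the lookalike domains a user could reach by a typing slip (including the ".co" for ".com" slip at the centre of this story), then scans a handful of constructed certificate records, shaped like simplified Certificate Transparency log entries, for two conditions: a certificate covering a lookalike name, and a certificate for the brand's own domain from an issuer the brand does not use. The record contents, issuer labels and dates are all made up for illustration; nothing is fetched from a real log.

```python
"""Added example: typosquat candidate generation plus matching against
CT-style certificate records. All records below are constructed; the
issuer labels and dates are placeholders, not real log entries."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CertRecord:
    """A simplified CT log entry: issuing CA, CN plus SANs, validity start."""
    issuer: str
    names: tuple
    not_before: str


def typosquat_candidates(domain, extra_tlds=("co", "cm", "om", "net", "org")):
    """Return lookalike domains a user could reach by a typing slip."""
    label, _, tld = domain.lower().rpartition(".")
    cands = set()
    # Dropped TLD character: reddit.com -> reddit.co / reddit.cm / reddit.om
    for i in range(len(tld)):
        cands.add(f"{label}.{tld[:i]}{tld[i + 1:]}")
    # Alternative TLDs that are easy to hit or confuse with the real one
    for t in extra_tlds:
        cands.add(f"{label}.{t}")
    # Omitted character in the label: redit.com
    for i in range(len(label)):
        cands.add(f"{label[:i]}{label[i + 1:]}.{tld}")
    # Adjacent transposition: reddti.com
    for i in range(len(label) - 1):
        cands.add(f"{label[:i]}{label[i + 1]}{label[i]}{label[i + 2:]}.{tld}")
    # Doubled character: redddit.com
    for i in range(len(label)):
        cands.add(f"{label[:i + 1]}{label[i]}{label[i + 1:]}.{tld}")
    cands.discard(domain.lower())
    return cands


def _parent_names(name):
    """Yield the name and each parent with at least two labels:
    www.reddit.co -> www.reddit.co, reddit.co. A leading wildcard is dropped."""
    labels = name.lower().removeprefix("*.").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def scan_ct_records(records, brand_domain, expected_issuers):
    """Flag certificates whose names match a lookalike of brand_domain, and
    certificates for brand_domain itself issued by a CA not in expected_issuers."""
    lookalikes = typosquat_candidates(brand_domain)
    brand = brand_domain.lower()
    alerts = []
    for rec in records:
        hits = sorted({n for raw in rec.names
                       for n in _parent_names(raw) if n in lookalikes})
        if hits:
            alerts.append({"kind": "lookalike", "issuer": rec.issuer,
                           "names": hits, "not_before": rec.not_before})
            continue
        covers_brand = any(brand in _parent_names(raw) for raw in rec.names)
        if covers_brand and rec.issuer not in expected_issuers:
            alerts.append({"kind": "unexpected-issuer", "issuer": rec.issuer,
                           "names": list(rec.names), "not_before": rec.not_before})
    return alerts


# Constructed sample records (hypothetical issuers and dates, not real log data).
SAMPLE_CT_RECORDS = [
    CertRecord("DigiCert", ("reddit.com", "*.reddit.com"), "2017-09-12"),
    CertRecord("Comodo", ("reddit.co", "www.reddit.co"), "2018-01-30"),
    CertRecord("Let's Encrypt", ("mail.example.org",), "2018-02-01"),
    CertRecord("Let's Encrypt", ("reddit.com", "www.reddit.com"), "2018-02-03"),
    CertRecord("Comodo", ("login.redit.com",), "2018-02-04"),
]


if __name__ == "__main__":
    for alert in scan_ct_records(SAMPLE_CT_RECORDS, "reddit.com", {"DigiCert"}):
        print(alert)
```

Running the script reports three of the five records: the "reddit.co" certificate and the "login.redit.com" certificate as lookalikes, and the certificate for "reddit.com" from an issuer other than the one the brand uses. Against a live log feed the same matching logic applies; the candidate list is deliberately short here, and a production deployment would extend it with homoglyph and keyboard-adjacency variants.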