
Reddit Clone Site Uses SSL Certificate to Lure Users into Handing Over Login Credentials

February 14, 2018 | David Bisson

A clone for the social news aggregation website Reddit is using an SSL certificate to lull users into a false sense of security so that they'll hand over their login credentials.

Software engineer Alec Muffett came across the phishing site on 4 February. It leverages typosquatting, otherwise known as URL hijacking, to try to steal the usernames and passwords of people who misspell "reddit.com" in the address bar.

The domain for this Reddit clone is "reddit[dot]co," ".co" being the country code top-level domain (ccTLD) assigned to Colombia.

HEADSUP: Looking for infosec people at @Reddit. Website at (phishing?) domain reddit(.)co — using the Colombian TLD — was acting a pitch-perfect apparent MITM of the actual Reddit. Now returning 500 before I could screenshot it. Domain ownership is as-follows: pic.twitter.com/hpucMroumd

— Alec Muffett (@AlecMuffett) February 5, 2018

https://twitter.com/AlecMuffett/status/960305985339510784

A visitor to the fake Reddit sees a home page that looks a lot like the actual news aggregation website. The clone is even protected with an SSL certificate, which bolsters that sense of legitimacy. But don't be fooled; clicking on any of the non-image features reveals a 500 Internal Server Error status code.




With that said, anyone who submits their login credentials to the fake site can bet its domain owner will steal them and possibly try to reuse them across other platforms.

Gizmodo reports that someone first registered "reddit[dot]co" in July 2010, some five years after the real Reddit was born. Owners of the misleading domain have used the site for various purposes since then, including hosting Flash-based games and adult videos.

It appears someone in London is the most recent registrant of the site. But according to International Business Times, an IP address linked to the page would have researchers believe the domain owner is based in Ukraine. Wherever they're located, the fraudster obtained an SSL certificate from Comodo. (The actual Reddit website uses certificates issued by DigiCert.)

Kevin Bocek, VP of Security Strategy & Threat Intelligence at Venafi, told Help Net Security that Reddit isn't the only site bad actors have impersonated using a certificate:

“It's not just sites like Reddit.co – last year over 14,000 certificates were used to set up phishing sites spoofing PayPal alone. This shows the power of the padlock for cybercriminals, allowing them to appear trusted while tricking unsuspecting victims out of their data and damaging brand reputations across the internet…. This attack is part of a much larger problem that jeopardizes the system of trust used throughout the internet and shows why a new system of trust built on reputation is needed. The answer is certificate reputation scoring to help people know what can and can’t be trusted.”

Still waiting for @Google #SafeBrowsing to block the fake @Reddit ; I'm not sure how long it should take to update, so this is an interesting experiment. It was reported last night UK time. pic.twitter.com/T3YF1etvCG

— Alec Muffett (@AlecMuffett) February 5, 2018

https://twitter.com/AlecMuffett/status/960574005018284033

To make sure visitors can always trust their websites, organizations need to monitor their certificates for signs of abuse. They can do so by investing in a solution that helps them inventory and track every certificate in their encryption environment.
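
As an added example (not from the original article and not Venafi's tooling), the monitoring described above can be sketched in Python: given certificate records such as those read from Certificate Transparency logs, flag certificates issued for lookalikes of a protected domain and certificates for the domain itself that come from an unexpected CA. The sample records, the `ExampleCA` issuer and all function names are constructed for illustration, and the last-two-labels split is a simplification that a production monitor would replace with the Public Suffix List.

```python
from typing import Optional

PROTECTED = "reddit.com"         # domain being defended (from the article)
EXPECTED_ISSUERS = {"DigiCert"}  # CA the article says the real site uses

# Constructed sample records: (certificate domain, issuing CA)
SAMPLE = [
    ("www.reddit.com", "DigiCert"), ("reddit.co", "Comodo"),
    ("www.reddit.co", "Comodo"), ("redit.com", "ExampleCA"),
    ("api.reddit.com", "ExampleCA"), ("example.org", "ExampleCA"),
]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_reason(name: str, protected: str = PROTECTED) -> Optional[str]:
    """Say why `name` resembles `protected`, or return None if it does not."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    cand, cand_tld = labels[-2], labels[-1]  # naive: assumes a one-label TLD
    base, tld = protected.split(".")
    if (cand, cand_tld) == (base, tld):
        return None                          # the real domain or a subdomain
    if cand == base:
        return "same name, different TLD"    # the reddit.co case
    if cand_tld == tld and edit_distance(cand, base) == 1:
        return "one-character typo"
    return None

def review(records):
    """Return (domain, issuer, reason) for every certificate worth a look."""
    findings = []
    for domain, issuer in records:
        name = domain.lower().rstrip(".")
        reason = lookalike_reason(name)
        own = name == PROTECTED or name.endswith("." + PROTECTED)
        if reason:
            findings.append((domain, issuer, reason))
        elif own and issuer not in EXPECTED_ISSUERS:
            findings.append((domain, issuer, "unexpected issuer for own domain"))
    return findings
```

Calling `review(SAMPLE)` returns four findings: the two `reddit.co` names, the one-character typo, and the certificate for a real subdomain issued by a CA outside the expected set.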
 

About the author

David Bisson

David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.
