SSL/TLS Certificate Toolkits: A Hot Commodity on the Dark Web

Dark Web, SSL/TLS, certificates
March 6, 2019 | Eva Hanscom

TLS/SSL certificates have proven to be valuable commodities to organizations that use them to establish trust for connections and communications with customers, partners and employees. Unfortunately, this same trust is extremely valuable to cybercriminals for much the same reasons. When they fall into the wrong hands, TLS/SSL certificates can bring hidden risks to organizations; we often see them exploited in vulnerabilities and sophisticated attack campaigns. But just how lucrative are these machine identities to cybercriminals? What are bad actors willing to do, and spend, to get their hands on TLS/SSL certificates?

Venafi recently sponsored an academic study of the availability of SSL/TLS certificates on the dark web, and their role in the cybercrime economy. The research, undertaken by researchers at the Evidence-based Cybersecurity Research Group at the Andrew Young School of Policy Studies at Georgia State University and the University of Surrey, uncovered thriving marketplaces for TLS certificates sold individually and packaged with a wide range of crimeware. Together these services deliver machine-identities-as-a-service to cybercriminals who wish to spoof websites, eavesdrop on encrypted traffic, perform man-in-the-middle attacks and steal sensitive data.

“One very interesting aspect of this research was seeing TLS certificates packaged with wrap-around services – such as web design services – in order to give attackers immediate access to high levels of online credibility and trust,” said security researcher and report author David Maimon, associate professor and director of the Evidence-based Cybersecurity Research Group. “It was surprising to discover how easy and inexpensive it is to acquire extended validation certificates, along with all the documentation needed to create very credible shell companies without any verification information.”

Key discoveries from the first set of findings include:

  • Five of the Tor network markets observed offer a steady supply of SSL/TLS certificates, along with a range of related services and products.
  • Prices for certificates vary from $260 to $1,600, depending on the type of certificate offered and the scope of additional services.
  • Researchers found extended validation certificates packaged with services to support malicious websites such as Google-indexed “aged” domains, after-sale support, web design services, and integration with a range of payment processors – including Stripe, PayPal and Square.
  • At least one vendor on BlockBooth promises to issue certificates from reputable Certificate Authorities along with forged company documentation – including DUNS numbers. This package of products and services allows attackers to credibly present themselves as a trusted U.S. or U.K. company for less than $2,000.

One representative search of these five marketplaces uncovered 2,943 mentions for “SSL” and 75 for “TLS.” In comparison, there were just 531 mentions for “ransomware” and 161 for “zero days.” It was also evident that some marketplaces – such as Dream Market – appear to specialize in the sale of TLS certificates, effectively providing machine-identity-as-a-service products. In addition, researchers found that certificates are often packaged with other crimeware, including ransomware.

“This study found clear evidence of the rampant sale of TLS certificates on the dark net,” said Kevin Bocek, vice president of security and threat intelligence for Venafi. “TLS certificates that act as trusted machine identities are clearly a key part of cybercriminal toolkits – just like bots, ransomware and spyware. There is a lot more research to do in this area, but every organization should be concerned that the certificates used to establish and maintain trust and privacy on the internet are being weaponized and sold as commodities to cybercriminals.”

Want to learn more? Please visit: SSL/TLS Certificates and Their Prevalence on the Dark Web.

About the author

Eva Hanscom

Eva Hanscom writes for Venafi's blog and is an expert in machine identity protection.
