Despite many cyber-security advances over the last 20 years, well-known cyber-criminal exploits like phishing still pose pervasive threats. Phishing scams remain effective because they prey on human behavior. Until technology can better moderate human actions, some of the simplest cyber-criminal techniques--like phishing--will continue to be effective.
The misuse of technology can even contribute to the effectiveness of phishing attacks. In this article, I will be focusing on one such technology: wildcard certificates. I will give a few real-world examples of how cyber-criminals exploit the trust organizations have in such certificates, and I will provide some recommendations for protecting your resources from phishing scams.
Using a wildcard certificate on a publicly facing webserver increases the risk that cyber-criminals will use the webserver to host malicious websites in phishing campaigns.
To understand why, you must understand a bit about wildcard certificates. A wildcard certificate is a public key certificate used by all subdomains within a larger domain. Using wildcard certificates reduces the overall burden on system administrators. However, from a security standpoint, these certificates open up a can of worms.
Any subdomain created for the domain on a webserver that uses a wildcard certificate will use the same certificate. For example, a webserver with a wildcard certificate is hosting the domain https://example.com. Anyone with access to the webserver can set up a subdomain, https://phishing.example.com, on the webserver using the wildcard certificate. Visitors to the phishing site do not realize that they are on the phishing site because their browsers establish an HTTPS connection using the legitimate wildcard certificate.
You’re probably asking yourself, “Who would fall for something so simple? Surely anyone would recognize the illegitimate website.” Most phishing sites use long URLs to take advantage of the fact that a user is not likely to scroll through the entire URL. The browser also truncates the long URL, only showing, for example, the green highlighted part and not the malicious site: https://paypal.com.ylv=4$qid?532093256142-2-0351439098.webscr?cmd.phishing.example.com/83529hrs5.
Setting up a subdomain is exactly how cyber-criminals exploited a wildcard certificate on the Malaysian Police portal and used the portal for a phishing attack, as described in the following chalk talk.
Stolen Private Key
In the last five years malware designed to steal keys and certificates has proliferated, and a thriving marketplace for stolen certificates has sprung up. The recently discovered Mask malware presents yet another example of how cybercriminals compile malicious code to steal keys and certificates. Like compromising a webserver, gaining access to a wildcard certificate’s private key provides an attacker with the ability to impersonate any domain for the wildcard certificate (*.example.com).
When cyber-criminals compromised DigiNotar, a certificate authority (CA), the attackers were able to steal a Google wildcard certificate (*.google.com). Using the stolen certificate, an attacker would be able to set up a fake website for any Google service and then direct victims to the fake service by poisoning DNS services. Because the attacker is using a stolen wildcard certificate, the victim receives no warning when visiting the fake Google website.
A simpler option than compromising a CA is to trick a CA into issuing a wildcard certificate for a fictitious company. Once a hacker has the fictitious company’s wildcard certificate, the hacker can create subdomains and establish phishing sites that masquerade as belonging to any organization.
By using this technique, cybercriminals successfully hacked the Washington Post. First, attackers set up a fake Outlook Web Access (OWA) site. They then used a spear-phishing email campaign to fool journalists into visiting the OWA site. When journalists attempted to access the OWA site, their credentials were captured and later used to compromise the network.
Security controls and solutions can dramatically increase the cost of an attack. By putting these defenses in place, you increase the effort that a malicious actor must take to compromise your network. Your goal is to make compromising your network so expensive that cyber-criminals would rather focus their attention on someone else. As the saying goes: When a lion chases you, you don’t need to be the fastest runner; you just have to be faster than the person behind you.
You can make your organization more costly to exploit by avoiding wildcard certificates. Although wildcard certificates make business operations simpler, they provide tremendous opportunity to any cyber-criminal who compromises your webserver or steals a wildcard certificate’s private key.
Don’t let cyber-criminals use your wildcard certificates in malicious campaigns. Avoid using wildcard certificates on production systems, especially public-facing ones. Instead, you should use subdomain-specific certificates that are rotated often. A compromised wildcard certificate can lead to serious repercussions, but, by using short-lived, non-wildcard certificates, you significantly mitigate the impact of an attack.