Let’s Encrypt issues certs to ‘PayPal’ phishing sites: how to protect yourself


The modus operandi for phishing attacks is straightforward: thieves spam out legitimate-looking messages with malicious links that, when clicked, dupe the victim into giving up passwords, credit card numbers and the like.

When they set up their sites, crooks want SSL certificates, because a padlock in the address bar makes a fake look trustworthy, and for the most part there’s no stopping them from getting one. Just as people fall for fake sites that look like something from their bank or HR department, the certificate provider can fail to tell the difference between the legitimate and fraudulent cert seeker: a domain-validated certificate only proves that the applicant controls the domain name it covers, not that the name is being used honestly.

Such is the case with Let’s Encrypt, a free, automated certificate authority that has issued 15,270 certificates containing the name “PayPal”, the overwhelming majority of them to sites used for phishing.

PayPal a big target

SSL Store encryption expert Vincent Lynch has been watching it happen and asked Let’s Encrypt to stop issuing certificates containing the term “PayPal”. But in a blog post, he said the problem persists:

PayPal is a high-value target and Let’s Encrypt had already issued nearly 1,000 certificates containing the term PayPal, more than 99% of which were intended for phishing sites. With expanded research, we found our previous claim was a major underestimate. Let’s Encrypt has actually issued 15,270 PayPal certificates. This reveals the previously unknown extent of the Let’s Encrypt phishing phenomenon.

Assuming that current trends continue, he said Let’s Encrypt will issue 20,000 additional “PayPal” certificates by year’s end. Since its inception, Let’s Encrypt has taken a hands-off approach to policing the content of the sites it certifies, because refusing or revoking certificates on that basis runs counter to its goal of encrypting every website it can.

Lynch acknowledged that, and said his reason for writing the warning was to show how widespread the use of SSL has become on phishing sites:

If Let’s Encrypt will issue upwards of 35,000 “PayPal” certificates by the end of 2017, there are likely tens of thousands more targeting other popular sites and services. The security community, and internet users at large, should be aware of the extent of this activity.

Whose responsibility is it, anyway?

The big question in this situation is who bears responsibility for thwarting phishers. Let’s Encrypt’s policy is clear. From the website:

Deciding what to do here has been tough. On the one hand, we don’t like these sites any more than anyone else does, and our mission is to help build a safer and more secure Web. On the other hand, we’re not sure that certificate issuance (at least for Domain Validation) is the right level on which to be policing phishing and malware sites in 2015. This post explains our thinking in order to encourage a conversation about the CA ecosystem’s role in fighting these malicious sites.

In the final analysis, the organization says, certificate authorities are not well positioned to run anti-phishing and anti-malware operations:

They simply do not have sufficient ongoing visibility into sites’ content. The best CAs can do is check with organizations that have much greater content awareness, such as Microsoft and Google. Google and Microsoft consume vast quantities of data about the Web from massive crawling and reporting infrastructures.

In an email exchange, Let’s Encrypt executive director Josh Aas said a blanket block on the word “paypal” would prevent legitimate use while doing little or nothing to stop phishing and malware sites.

Naked Security has written about phishing at length, and the conclusion is usually that the fight rests with individual companies, employees and consumers.

To that end…

What companies should be doing

Since phishing is one of the easier ways for an attacker to steal a company’s sensitive information, the defense must start there.

To help raise awareness, security vendors have offered a number of products and services companies can use to launch simulations (essentially phishing fire drills) that show employees up close how easy it is to be duped by social engineering. For Sophos customers, that product is Phish Threat.

Security awareness programs are not new, and some security experts have questioned their effectiveness, since users continue to make the same mistakes. Sophos’ response has been that simulations give awareness programs more teeth. The more employees get caught on the phishing hook during a simulation, the less likely they are to forget the lesson.

Though such simulations are an effective way to raise awareness, companies need to follow that up with concrete instructions to help employees stay above the fray.

What consumers should be doing

For consumers, we’ve repeatedly suggested the following:

  • Be careful what you click. This one is painfully obvious, but users need a constant reminder.
  • Check the address bar for the correct domain. The address bar shows the URL the browser has actually loaded: a scheme (http:// or https://), then the domain name, then the path. What matters is the domain name, read from the right: a name such as www.paypal.com.secure-update.example belongs to secure-update.example, not to PayPal, no matter how the left-hand part reads. The real websites of banks and many others use a secure connection that encrypts web traffic, called SSL or HTTPS. If you are expecting a secure HTTPS website for your bank, make sure the URL begins with https:// and that the domain is the one your bank actually uses before entering your private information.
  • Look for the padlock for secure HTTPS websites. A secure HTTPS website has a padlock icon to the left of the web address. Bear in mind what the padlock means: traffic to that site is encrypted, and nothing more. As the certificate counts above show, a phishing site can have one too, so the padlock is no substitute for checking the domain.
  • Consider using two-factor authentication for more security. When you try to log into a website with two-factor authentication (2FA), there’s an extra layer of security to make sure it’s you signing into your account.
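The check behind both the “PayPal” certificate counts earlier in this piece and the address-bar advice above is the same one: decide whether a hostname is the brand’s own registrable domain or merely contains the brand. The following Python is an added example written for this page, not code from Let’s Encrypt, The SSL Store or Sophos. The allowlist of legitimate domains, the public-suffix fragment, the homoglyph table and every sample name are constructed assumptions for illustration; a real deployment would load the full Public Suffix List and the brand’s actual domain inventory.

```python
import re
from urllib.parse import urlsplit

# Constructed for this example: the brand's own registrable domains and the
# keyword a phisher wants in a hostname. Not an official PayPal list.
LEGIT_DOMAINS = {"paypal.com"}
BRAND_KEYWORDS = ("paypal",)

# Tiny stand-in for the Public Suffix List (assumption: real code should load
# the full list, e.g. via the publicsuffix2 package, instead of this fragment).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Digit-for-letter substitutions commonly used to sneak a brand past the eye.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def registrable_domain(host: str) -> str:
    """Return the part of a hostname its owner actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def mentions_brand(text: str) -> bool:
    """True if a brand keyword appears once separators and digit homoglyphs
    are folded away, so 'pay-pal' and 'paypa1' both count."""
    folded = re.sub(r"[-_.]", "", text.lower()).translate(HOMOGLYPHS)
    return any(k in folded for k in BRAND_KEYWORDS)


def classify_host(host: str) -> str:
    """'legitimate' if the registrable domain is the brand's own, 'lookalike'
    if the name merely contains the brand, otherwise 'unrelated'.
    Accepts certificate subject names, including wildcards such as '*.x.y'."""
    host = host.lower().lstrip("*.")
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legitimate"
    if mentions_brand(host):
        return "lookalike"
    return "unrelated"


def classify_url(url: str):
    """Classify the host a browser would actually connect to for `url`.

    Returns (host, verdict). urlsplit().hostname already drops the port and any
    userinfo, so 'https://www.paypal.com@evil.example/' resolves to
    evil.example; a brand name parked in the userinfo part exists only to fool
    the reader, so it is flagged as a lookalike as well.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    verdict = classify_host(host)
    if verdict != "legitimate" and parts.username and mentions_brand(parts.username):
        verdict = "lookalike"
    return host, verdict


def triage_names(names):
    """Group a mix of URLs and certificate subject names by verdict, the way a
    defender would sift a list of certificates whose names contain a brand."""
    out = {"legitimate": [], "lookalike": [], "unrelated": []}
    for name in names:
        if "://" in name:
            _, verdict = classify_url(name)
        else:
            verdict = classify_host(name)
        out[verdict].append(name)
    return out


# Constructed sample: URLs a user might see in the address bar, plus
# certificate subject names of the kind a search for "paypal" would return.
# None of these are real sites.
SAMPLE = [
    "https://www.paypal.com/signin",
    "https://www.paypal.com.secure-update.example/login",
    "https://www.paypal.com@account-verify.example/",
    "https://paypa1-login.example/",
    "*.paypal-billing.example",
    "https://example.org/",
]

if __name__ == "__main__":
    for verdict, names in triage_names(SAMPLE).items():
        for name in names:
            print(f"{verdict:11} {name}")
```

The address-bar rule is encoded in registrable_domain(): only the right-hand labels say who owns a name, which is why the long “www.paypal.com.” prefix on the second sample buys the phisher nothing. The same routine applied to a list of certificate names is enough to separate the one real issuance from the four that merely borrow the brand, which is the sort of triage the certificate counts above imply.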

Aas added this suggestion as well:

Use Google Safe Browsing, Microsoft SmartScreen, or some other safe browsing program. Those programs have vast resources devoted to consuming and evaluating content, and they can issue warnings and blocks very effectively.