Research confirms rampant sale of SSL/TLS certificates on darkweb

A study conducted by academics discovered that SSL and TLS certificates and associated services can be easily acquired from dark web marketplaces.

A study sponsored by Venafi and conducted by researchers from Georgia State University in the U.S. and the University of Surrey in the U.K. discovered that SSL and TLS certificates and associated services can be easily acquired from dark web marketplaces.

Experts analyzed 60 marketplaces hosted by the Tor network and 17 websites on the I2P network collecting data on SSL and TLS certificates and related services.

SSL/TLS certificates are a precious commodity in cybercrime ecosystem, they are ordinarily used by threat actors for several malicious activities, including for spoofing websites, eavesdropping on traffic, stealing data, and setting up fraudulent e-commerce sites.

The study revealed that the listing of five of the marketplaces on the Tor network (Dream Market, Wall Street Market, BlockBooth, Nightmare Market and Galaxy3) includes thousands of offers for certificates and related services. Querying for SSL returned up nearly 3,000 results, while a query for “ransomware” returned 531 results and a query for “zero-day” only 161 mentions.

Researchers pointed out that some marketplaces are specialized in the sale of this category of products,

The offers are different from each other, some sellers offer “aged domains,” post-sale support for their customers and the integration with legitimate payment processors such as PayPal, Stripe, and Square.

Prices for the certificates between $260 and $1,600 with some exceptions, like the case of a seller who offers certificates from reputable certificate authorities in a bundle with fake documentation for $2,000.

“Some underground marketplaces focus on packaging services with SSL/TLS certificates. For example, some sellers offer “aged” domains, after-sale support and integration with a range of legitimate payment processors—including Stripe, PayPal and Square.” reads the report published by Venafi.

“At least one vendor on BlockBooth promises to issue certificates from reputable certificate authorities. The seller also offers forged documentation, which allows attackers to present themselves as trusted U.S. or U.K. companies for less than $2,000.

The study confirms the rampant sale of TLS certificates on the darkweb, crooks use them in the attempt to avoid detection and to arrange more sophisticated scams.

“This project provides evidence of the existence of an online underground market for TLS certificates, specifically the presence of vendors on online underground markets that are promising to issue EV certificates for U.S. and U.K. companies for less than $2,000.” concludes the report.

Venafi plans to continue the research and keep investigating this issue.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – dark web, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.