• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 55

 | 

Security Affairs newsletter Round 534 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Law enforcement operations seized BlackSuit ransomware gang’s darknet sites

 | 

Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

 | 

Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

 | 

Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access

 | 

Koske, a new AI-Generated Linux malware appears in the threat landscape

 | 

Mitel patches critical MiVoice MX-ONE Auth bypass flaw

 | 

Coyote malware is first-ever malware abusing Windows UI Automation

 | 

SonicWall fixed critical flaw in SMA 100 devices exploited in Overstep malware attacks

 | 

DSPM & AI Are Booming: $17.87B and $4.8T Markets by 2033

 | 

Stealth backdoor found in WordPress mu-Plugins folder

 | 

U.S. CISA adds CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities catalog

 | 

U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

 | 

Sophos fixed two critical Sophos Firewall vulnerabilities

 | 

French Authorities confirm XSS.is admin arrested in Ukraine

 | 

Microsoft linked attacks on SharePoint flaws to China-nexus actors

 | 

Cisco confirms active exploitation of ISE and ISE-PIC flaws

 | 

SharePoint under fire: new ToolShell attacks target enterprises

 | 

CrushFTP zero-day actively exploited at least since July 18

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Hacking
  • Security
  • Who and how is using forged SSL certificates worldwide?

Who and how is using forged SSL certificates worldwide?

Pierluigi Paganini May 13, 2014

Who is abusing of forged SSL certificates in MITM attacks worldwide? A team of researchers implemented a new detection technique to detect the abuses.

A team of researchers at Carnegie Mellon University and engineers at Facebook have designed a detection technique for man-in-the-middle attacks over SSL on a large-scale. They analyzed the data extracting useful information, including the data related to digital certificates presented, about the methods used the attacks.

The researchers analyzed nearly 3.5 million SSL connections made to Facebook during a four-month period started in December 2013. They discovered that 6,845, corresponding to 0.2 percent of all connections used fake SSL certificates with the intent to syphon data. This data is just related to Facebook, this means that something quite similar is happening for connections to other popular websites.

It is a common practice of cyber criminal ecosystem to use fake SSL certificates for bogus websites impersonating legitimate web services like e-commerce, payment platform and social networks. The attackers usually use self-signed digital certificates or stolen certificate that is accepted as valid by most browsers.

As explained in the paper the group of expert used a Flash Player plug-in to capture forged SSL certificates:
” We utilized the widely-supported Flash Player plugin to enable socket functionalities not natively present in current browsers, and implemented a partial SSL handshake on our own to capture forged certificates. We deployed this detection mechanism on an Alexa top 10 website, Facebook, which terminates connections through a diverse set of network operators across the world. We analyzed 3;447;719 real-world SSL connections and successfully discovered at least 6;845
(0:2%) of them were forged SSL certificates” report the paper related to the research.
Principal browsers display a warning message when encountering errors during SSL certificate validation, but users anyway can decide to proceed. This is the typical scenario for fake SSL connections which triggers a certificate warning, mostly caused by server mis-configurations, but the alert is often ignored by users that trust forged SSL certificates.
In this scenario, an attacker can impersonate any legitimate website performing an SSL man-in-the-middle attack in order to eavesdrop encrypted communication.

fake digital SSL certificates detection MITM
In the following image the website loads a client-side applet, that performs the SSL handshake over a Flash-based socket connection to observe SSL certificates. On the other end attackers may restrict Flash-based sockets by blocking the socket policy request (for example, whitelisting TCP ports 80 and 443 to only allow web traffic), thus not allowing the Flash Player to retrieve a valid socket policy file from socket policy servers (over port 843) used by researchers.
fake digital SSL certificates detection
Attackers use to forge SSL certificates with name of legitimate issuer organizations, such as VeriSign, Comodo.
As described in the study, many organizations issue forge certificates for their operations like Antivirus (e.g. Bitdefender, ESET, BullGuard, Kaspersky Lab), Firewall and Parental Control Software.
“However, if any antivirus software enabled SSL interception by default, we would expect a higher number of their forged certificates observed. Note that the observed antivirus-related certificate
counts are not representative of the general antivirus usage share of the website’s users, since SSL interception is often an optional feature in these products. However, if any antivirus software enabled SSL interception by default, we would expect a higher number of their forged certificates observed. 
Supposing that these users intentionally installed the antivirus software on their hosts, and deliberately turned on SSL scanning, then these antivirus-generated SSL certificates would be less alarming. However, one should be wary of professional attackers that might be capable of stealing the private key of the signing certificate from antivirus vendors, which may essentially allow them to spy on the antivirus’ users (since the antivirus’ root certificate would be trusted by the client). Hypothetically, governments could also compel antivirus vendors to hand over their
signing keys.”
The researchers also noticed self-signed digital certificates generated by malicious code, it is the case of a digital certificate named as ‘IopFailZeroAccessCreate’, which was generated by some malware and using as name of Certificate issuer VeriSign Class 4 Public Primary CA.
“This was obviously a malicious attempt to create a certificate with an issuer name of a trusted CA. These variants provide clear evidence that attackers in the wild are generating certificates with forged issuer attributes, and even increased their sophistication during the time frame of our study.” said the researchers.
Malware forges ‘IopFailZeroAccessCreate’ digital certificates were discovered 112 man-in-the-middle attacks in more than 45 different countries, mainly United States, Mexico and Argentina.
fake digital SSL certificates detection malware

 

“This shows that the particular SSL man-in-the-middle attack is occurring globally in the wild. While it is possible that all of these attacks were amateur attackers individually mounting attacks (e.g. at their local coffee shop), it is certainly odd that they happened to use forged certificates with the same subject public key,” the researchers wrote. “However, this is not so unreasonable if these attacks were mounted by malware.”

The paper suggests different mitigations methods that browser vendors could implement to mitigate the cyber threat, including the adoption of HTTP Strict Transport Security, Public Key Pinning, TLS Origin Bound Certificates, and the validation of certificates with notaries.

“Our data suggest that browsers could possibly detect many of the forged certificates based on size characteristics, such as checking whether the certificate chain depth is larger than one,” the report said. “We strongly encourage popular websites, as well as mobile applications, to deploy similar mechanisms to start detecting SSL interception.”

Pierluigi Paganini

(Security Affairs –  SSL certificates, Man-In-The-Middle)


facebook linkedin twitter

Carnegie Mellon University Facebook Hacking man-in-the-middle MITM mlaware Pierluigi Paganini PKI Security Affairs SSL SSL Certificates

you might also like

Pierluigi Paganini July 26, 2025
Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme
Read more
Pierluigi Paganini July 25, 2025
Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 55

    Malware / July 27, 2025

    Security Affairs newsletter Round 534 by Pierluigi Paganini – INTERNATIONAL EDITION

    Breaking News / July 27, 2025

    Law enforcement operations seized BlackSuit ransomware gang’s darknet sites

    Cyber Crime / July 26, 2025

    Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

    Intelligence / July 26, 2025

    Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

    Intelligence / July 25, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT