
This article was published on January 7, 2016

Let’s Encrypt’s free HTTPS certificates are already being used to distribute malware

Story by Abhimanyu Ghoshal, Managing Editor

Abhimanyu is TNW's Managing Editor, and is all about personal devices, Asia's tech ecosystem, as well as the intersection of technology and culture.

It’s only been a month since certificate authority Let’s Encrypt opened up its beta program to offer free HTTPS certificates to the public, and hackers have already begun abusing the service to distribute malware through seemingly safe domains.

In December, security firm Trend Micro spotted users in Japan accessing a malvertising server, which hosted the Angler Exploit Kit that automatically downloaded a banking Trojan onto affected Windows machines. The Trojan allowed hackers to remotely access those systems without users’ knowledge.

The company says that the malvertisers used a technique called domain shadowing, in which attackers who have gained access to a trusted domain (such as a bank’s main website) redirect users to a server they control and host elsewhere, disguising the activity behind a subdomain of the trusted domain that carries a security certificate issued by Let’s Encrypt.

In the case Trend Micro was investigating, the attackers hosted an ad that appeared to be related to the legitimate domain.

The company says this was possible because, before issuing a certificate, Let’s Encrypt only checks the requested domain against the Google Safe Browsing API. That check does not stop attackers from obtaining a certificate for a subdomain of a legitimate site and serving malware from it under the umbrella of that site’s reputation.

According to Trend Micro’s report, the incident highlights potential issues with Let’s Encrypt’s service, and the report urges the organization to be willing to revoke certificates that have been misused.

We’ve contacted Let’s Encrypt to learn more and will update this post when we hear back.

Let’s Encrypt Now Being Abused By Malvertisers [Trendlabs Security Intelligence Blog]