beebright - stock.adobe.com

Machine identities for sale on dark web, business warned

Academics and security professionals are warning businesses that certificates used to establish trust and privacy on the internet are being weaponised and sold to cyber criminals bundled with other services

An academic study has exposed a flourishing market on the dark web for secure sockets layer/transport layer security (SSL/TLS) certificates used to verify machine identities for machine-to-machine communications.

The six-month study, sponsored by machine identity protection firm Venafi was undertaken by researchers at the Evidence-based Cybersecurity Research Group at the Andrew Young School of Policy Studies at Georgia State University and the University of Surrey.

The study examining the availability of SSL/TLS certificates on the dark web, and their role in the cyber crime economy uncovered thriving marketplaces for these certificates sold individually and packaged with a wide range of crimeware.

Together these services deliver machine-identities-as-a-service to cyber criminals to spoof websites, eavesdrop on encrypted traffic, perform man-in-the-middle attacks and steal sensitive data because machine identities form the foundations of all online trust and communications between digital actors, from apps to mobile devices.

“One very interesting aspect of this research was seeing TLS certificates packaged with wrap-around services – such as web design services – in order to give attackers immediate access to high levels of online credibility and trust,” said security researcher and report author David Maimon, associate professor and director of the Evidence-based Cybersecurity Research Group.

“It was surprising to discover how easy and inexpensive it is to acquire extended validation certificates, along with all the documentation needed to create very credible shell companies without any verification information.”

The researchers found that five of the Tor network markets observed, offer a steady supply of SSL/TLS certificates, along with a range of related services and products.

Read more about machine identities

Prices for certificates vary from $260 to $1,600, depending on the type of certificate offered and the scope of additional services.

Researchers also found extended validation certificates packaged with services to support malicious websites such as Google-indexed “aged” domains, after-sale support, web design services, and integration with a range of payment processors – including Stripe, PayPal and Square.

At least one seller promises to issue certificates from reputable certificate authorities along with forged company documentation – including unique business identifiers known as DUNS numbers.

This package of products and services allows attackers to credibly present themselves as a trusted US or UK company for less than $2,000.

One representative search of these five marketplaces uncovered 2,943 mentions for “SSL” and 75 for “TLS.” In comparison, there were just 531 mentions for “ransomware” and 161 for “zero days”.

TLS certificates

The study shows that some marketplaces – such as Dream Market – appear to specialise in the sale of TLS certificates, effectively providing machine-identity-as-a-service products. In addition, researchers found that certificates are often packaged with other crimeware, including ransomware. 

“This study found clear evidence of the rampant sale of TLS certificates on the dark net,” said Kevin Bocek, vice-president of security and threat intelligence for Venafi. “TLS certificates that act as trusted machine identities are clearly a key part of cyber criminal toolkits – just like bots, ransomware and spyware.

“There is a lot more research to do in this area, but every organisation should be concerned that the certificates used to establish and maintain trust and privacy on the internet are being weaponised and sold as commodities to cyber criminals.”

Venafi specialises in machine identity protection, securing machine-to-machine connections and communications.

“The reason machine identities are so important is that everything a global bank does, for example, from retail banking payment processing to trading is all dependent on machine identities, and so by extension, the whole economy is dependent on this,” Bocek told Computer Weekly.

“Humans use usernames, passwords and biometrics to tell a machine who we are. That is our identity to a machine, but machines use different identities to talk to each other, such as SSL/TLS certificates.”

Managing machine identities is looming as the next big security challenge, according to a study published in August 2018. A survey revealed that few organisations are capable of protecting machine identities, despite the fact that they increasingly form the basis of online communications.

Read more on Hackers and cybercrime prevention