430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Fraudulent purchases of digitals certificates through executive impersonation

Experts at ReversingLabs spotted a threat actor buying digital certificates by impersonating legitimate entities and then selling them on the black market. Researchers at ReversingLabs have identified a new threat actor that is buying digital certificates by impersonating company executives, and then selling them on the black market. The experts discovered that digital certificates are then […]

digital certificates

Experts at ReversingLabs spotted a threat actor buying digital certificates by impersonating legitimate entities and then selling them on the black market.

Researchers at ReversingLabs have identified a new threat actor that is buying digital certificates by impersonating company executives, and then selling them on the black market. The experts discovered that digital certificates are then used to spread malware, mainly adware.

Threat actors sign their malware with legitimate digital certificates to avoid detection.

The experts provided details of a certificate fraud that leverages on the executive impersonation. The researchers provided evidence that the threat actors sold the purchased certificates to a cybercrime gang that used them to spread malware.

The analysis published by Reversinglabs provides technical details for each phase of the certificate fraud carried out by impersonating executive.

The fraud begins with the reconnaissance phase in which the attackers select the target to impersonate. Threat actors use publicly available information to select candidates that are usually well-established people working in the software industry.

Once identified, the threat actors scrape victim’s information from open sources, such as their public LinkedIn profile page. Then attackers set up legitimate-looking infrastructure for the entity they are impersonating in the attempt to deceive certificate authorities.

“The attacker aims to use the top-level domain confusion in order to mislead the certificate authority during their identity verification process. The gamble is that the person verifying the certificate issuance request will assume that the same company owns both the global .COM and the regional .CO.UK domains for their business.” reads the analysis published by the experts.

“Here’s where the choice of registrar becomes truly important. Since GDPR legislation came into effect, most EU domain registrars have agreed that WHOIS records are considered private and personally identifiable information. This makes knowing the true identity behind the registered domain name subject to a data release process – a bureaucratic procedure meant to be fulfilled in cases of a legitimate enquiry such as a trademark dispute or a law enforcement request.”

Once set up the infrastructure, the threat actors then proceed to purchase the certificates and verify them. The verification is done using a public antivirus scanning service, then the threat actors use the file scan record as “a clean bill of health” for potential buyers.

2019-04-30 07:07:59 – The first signed malicious file appears in the wild. The certificate is used to sign OpenSUpdater, an adware application that can install unwanted software on the client’s machine. This executable is cross-signed for timestamp verification via Symantec Time Stamping Services Signer service.” continues the analysis.

The experts pointed out that even if it is harder for the attacker to acquire digital certificates, the threat actors they tracked has shown that it is in fact possible to do so.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – digital certificates, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]