It's been only a month since the Let's Encrypt certificate authority has launched a beta program for distributing free HTTPS certificates to the public, and hackers have begun to abuse the malware distribution service through seemingly secure websites.
In December, the company ασφαλείας Trend Micro εντόπισε ορισμένους χρήστες στην Ιαπωνία που είχαν μολυνθεί από ένα κακόβουλο διακομιστή, ο οποίος φιλοξένησε το Angler Exploit Kit. Τα trojans επέτρεπαν στους hackers να αποκτήσουν απομακρυσμένη πρόσβαση στα μολυσμένα συστήματα χωρίς να το γνωρίζουν οι ιδιοκτήτες τους.
The company reports that the malvertisers used a technique called domain shadowing, with which they can gain access to a trusted domain (such as the main website of a bank). So they can direct users to a server of their own, which disguises their password-snapping activity.
And to make the deception attempt more believable, they use a subdomain that is protected with the free Let's Encrypt (HTTPS) security certificate.
In the case of the Trend Micro survey, the attackers hosted a malicious ad that seemed to be related to a legitimate domain.
The company says this was possible because Let's Encrypt checks domains against the Google safe browsing API before issuing new certificates. This of course does not stop attackers from obtaining a new certificate and creating it subdomains με κακόβουλο λογισμικό υπό την protection of a legitimate domain.
According to the Trend Micro report, the incident highlights the potential issues of the Let's Encrypt service and calls on the company to be ready to revoke certificates that have been misused.