It's been only a month since the Let's Encrypt certificate authority has launched a beta program for distributing free HTTPS certificates to the public, and hackers have begun to abuse the malware distribution service through seemingly secure websites.
In December, security firm Trend Micro spotted some users in Japan infected with a malicious server that hosted the Angler Exploit Kit. Trojans allowed hackers to gain remote access to infected systems without their owners knowing it.
The company reports that the malvertisers used a technique called domain shadowing, με την οποία μπορούν να αποκτήσουν πρόσβαση σε ένα αξιόπιστο domain (όπως για παράδειγμα την κύρια ιστοσελίδα of a bank). So they can direct users to a server of their own, which disguises sub activitytheftof passwords.
And to make the deception attempt more believable, they use a subdomain that is protected with the free Let's Encrypt (HTTPS) security certificate.
In the case of the investigation by Trend Micro, the attackers hosted a malicious advertising which appeared to be associated with a legitimate domain.
The company says this was possible because Let's Encrypt checks domains from the Google safe browsing API. This of course does not stop attackers from obtaining a new certificate and creating subdomains with malware under the protection of a legitimate domain.
According to the Trend Micro report, the incident highlights the potential issues of the Let's Encrypt service and calls on the company to be ready to revoke certificates that have been misused.