Fake SSL Certificates Imitate Banks

Tuesday, February 18, 2014 @ 02:02 PM gHale

A series of fake SSL certificates are floating around after bad guys created them to impersonate banks, social networks, payment and ecommerce providers.

The certificates lead users to believe they are on the right website when they are not, which lets attackers mount Man-in-the-Middle attacks and capture all of the information exchanged between the users and the sites, with neither the users nor the companies being any the wiser, said experts at UK-based research firm Netcraft.


“The fake certificates bear common names which match the hostnames of their targets,” said researcher Paul Mutton. “As the certificates are not signed by trusted certificate authorities, none will be regarded as valid by mainstream web browser software; however, an increasing amount of online banking traffic now originates from apps and other non-browser software which may fail to adequately check the validity of SSL certificates.”
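The finding above (a certificate whose common name matches a bank's hostname but whose issuer is no trusted CA) is exactly what a defender can look for in passively observed TLS traffic. The following is an added example, not Netcraft's own tooling or code from the article: it scans constructed certificate observations for subject CNs that match a monitored brand hostname, including wildcard CNs, and flags those not issued by a known CA. All hostnames, issuer names and IP addresses are constructed placeholders.

```python
"""Added detection example (not Netcraft's tooling): flag observed TLS certs
whose subject CN matches a monitored hostname but was not issued by a trusted
CA, e.g. a self-signed certificate carrying a bank's hostname. All hostnames,
issuer names and IP addresses are constructed sample data."""

# Brands we monitor and the CAs accepted as legitimate issuers (constructed).
MONITORED_HOSTS = {"online.examplebank.test", "www.example-social.test",
                   "pay.example-psp.test"}
TRUSTED_ISSUERS = {"Example Trusted Root CA", "Example Public CA G2"}

def cn_matches(cn: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or '*' as the whole leftmost label covering
    exactly one label ('*.a.test' matches 'b.a.test', not 'c.b.a.test' or 'a.test')."""
    cn, hostname = cn.lower(), hostname.lower()
    if cn == hostname:
        return True
    if not cn.startswith("*."):
        return False
    suffix = cn[1:]                      # ".a.test"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[:-len(suffix)]   # the label the wildcard must cover
    return bool(leftmost) and "." not in leftmost

def impersonated_hosts(subject_cn: str, issuer_cn: str) -> list:
    """Monitored hostnames this cert could impersonate; [] if issued by a
    trusted CA or if it matches nothing we monitor."""
    if issuer_cn in TRUSTED_ISSUERS:
        return []
    return [h for h in sorted(MONITORED_HOSTS) if cn_matches(subject_cn, h)]

# Constructed observations: (serving IP, subject CN, issuer CN), the shape a
# passive TLS monitor yields after parsing the certificates it sees.
OBSERVATIONS = [
    ("203.0.113.5", "online.examplebank.test", "online.examplebank.test"),
    ("203.0.113.9", "*.example-social.test", "Rogue Issuer CA"),
    ("198.51.100.2", "online.examplebank.test", "Example Trusted Root CA"),
    ("198.51.100.7", "www.unrelated.test", "www.unrelated.test"),
]

def find_impersonations(observations=OBSERVATIONS) -> list:
    """One alert per cert that mimics a monitored host without a trusted issuer."""
    alerts = []
    for src, subject_cn, issuer_cn in observations:
        targets = impersonated_hosts(subject_cn, issuer_cn)
        if targets:
            alerts.append({"source": src, "subject_cn": subject_cn, "issuer": issuer_cn,
                           "self_signed": subject_cn == issuer_cn, "impersonates": targets})
    return alerts
```

On the constructed data this raises two alerts: the self-signed bank certificate and the wildcard certificate from an unknown issuer, while the genuinely CA-issued bank certificate and the unrelated self-signed host are left alone.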

Fake certificates alone are not enough to allow an attacker to carry out a man-in-the-middle attack, he said. The attacker would also need to be in a position to eavesdrop on the network traffic flowing between the victim’s mobile device and the servers it communicates with. In practice, this means an attacker would need to share a network and Internet connection with the victim, or would need to have access to some system on the Internet between the victim and the server. Setting up a rogue wireless access point is one of the easiest ways for an individual to carry out such attacks, as the attacker can easily monitor all network traffic as well as influence the results of DNS lookups.

Online banking apps for mobile devices are notoriously bad at SSL certificate validation, and as Mutton points out, “both apps and browsers may also be vulnerable if a user can be tricked into installing rogue root certificates through social engineering or malware attacks.”

Among the fake SSL certificates Netcraft discovered were one used to “legitimize” a Facebook phishing page served from a server in Ukraine; one “wildcard” certificate served from a machine in Romania and possibly used to impersonate a variety of Google services; one to impersonate a large Russian bank and one to mimic a Russian payment services provider; and one to imitate Apple iTunes.
