Criminals buy security certificates pretending to be company directors

ReversingLabs researchers have discovered a new tactic that criminals use for fraudulent operations. Now, attackers pretend to be legal managers of the enterprise to buy security certificates on the Internet and then sell them on underground forums.

“This is particularly true for financially motivated actors. When spreading malware is a business model, ensuring the malware flies under the radar is a top priority”, — says one of the ReversingLabs cofounders Tomislav Pericin.

Digital certificates allow their owners to digitally sign information in a process that stamps the content with their identity and protects it from tampering. While both of those signature properties are important, the identity behind the origin of information is the one that is used as the key measurement of trustworthiness. That is why threat actors are so focused on impersonating trusted parties.

Under this scheme, the offender is first looking for a suitable victim. In one case, the offender deleted information from the page of the head of the British company on the LinkedIn social network, and then registered the domain name associated with this company.

Read also: IS Research: Small Business Does Not Update Critical Software

Then the offender ordered a Code Signing certificate, for which he already had all the necessary data. To verify the identity, legal information about the company is checked in government or trusted third-party databases, the domain of the website is checked by e-mail, and then an automatic callback process takes place.

Now the attacker has successfully impersonated the director of the company and he has a Code Signing certificate that can be sold. This certificate, obtained illegally in the described case, is now used in the OpenSUpdater adware to sign 22 executable files, many of which are malicious.

“Deceiving a certification center is another tactic used by this criminal. Using the same identity, the subject is trying to buy as many certificates as possible from as many certification authorities as possible,” – explains Tomislav Pericin.

Researchers believe the culprit used the same tactics against at least a dozen companies. Extended identity verification fraud certificates (EV certificates) were associated with one person. Presumably, the size of the profit justifies monitoring and setting up the infrastructure necessary to undergo numerous identity checks.