Criminals buy security certificates pretending to be company directors

ReversingLabs researchers have discovered a new tactic used in fraudulent operations: attackers pose as legitimate company executives to buy security certificates on the Internet and then resell them on underground forums.

Certificates are valuable resources to threat actors, as their mere presence can reduce the chance of early malware detection.

“This is particularly true for financially motivated actors. When spreading malware is a business model, ensuring the malware flies under the radar is a top priority,” says ReversingLabs cofounder Tomislav Pericin.

Digital certificates allow their owners to digitally sign information in a process that stamps the content with their identity and protects it from tampering. While both of those signature properties are important, the identity behind the origin of information is the one that is used as the key measurement of trustworthiness. That is why threat actors are so focused on impersonating trusted parties.


Under this scheme, the offender first looks for a suitable victim. In one case, the offender deleted information from the LinkedIn page of the head of a British company and then registered a domain name associated with that company.


The offender then ordered a Code Signing certificate, having already gathered all the data the order required. Identity verification consists of checking the company's legal details against government or trusted third-party databases, confirming control of the website's domain by e-mail, and finally an automated callback.

The attacker has thus successfully impersonated the company's director and holds a Code Signing certificate that can be sold. In the case described, the certificate obtained this way was later used by the OpenSUpdater adware to sign 22 executable files, many of them malicious.

“Deceiving a certification center is another tactic used by this criminal. Using the same identity, the subject is trying to buy as many certificates as possible from as many certification authorities as possible,” explains Tomislav Pericin.

Researchers believe the culprit used the same tactic against at least a dozen companies. Fraudulently obtained extended-validation (EV) certificates were linked to a single person. Presumably the profit is large enough to justify the monitoring and the infrastructure needed to pass numerous identity checks.

Security certificates are designed to give users confidence when deploying software. Traditional antivirus software typically relies on signature databases to decide whether downloaded or running software contains malware. However, if a malicious software product is legitimately signed, it will be able to circumvent that scan.
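As an added illustration (not code from the article or from ReversingLabs), the Go example below models the two signature properties described earlier, integrity and signer identity, with an ed25519 key standing in for the certificate. It contrasts the weak policy the article warns about, where any validly signed file skips the content scan, with a hardened policy that requires a pinned, allowlisted signer and scans the content regardless. The keys, payloads and hash database are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
)

// Artifact is a signed file: content, signature and the signer's public
// key, which stands in for the code-signing certificate discussed above.
type Artifact struct {
	Data []byte
	Sig  []byte
	Pub  ed25519.PublicKey
}

// Sign binds the content to the holder of priv; Pub identifies the signer.
func Sign(priv ed25519.PrivateKey, data []byte) Artifact {
	pub := priv.Public().(ed25519.PublicKey)
	return Artifact{Data: data, Sig: ed25519.Sign(priv, data), Pub: pub}
}

// VerifySignature proves integrity and binding to a.Pub, nothing more:
// it cannot tell whether a.Pub was issued to an impostor.
func VerifySignature(a Artifact) bool {
	return ed25519.Verify(a.Pub, a.Data, a.Sig)
}

func hashHex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// knownBad is a constructed stand-in for an antivirus signature database.
var knownBad = map[string]bool{hashHex([]byte("constructed malicious payload")): true}

// WeakPolicyAllows is the behaviour the article warns about: a valid
// signature exempts the file from the content scan entirely.
func WeakPolicyAllows(a Artifact) bool {
	return VerifySignature(a)
}

// HardenedPolicyAllows treats the signature as necessary, not sufficient:
// the signer key must be explicitly allowlisted (pinned), and the content
// is scanned regardless of who signed it.
func HardenedPolicyAllows(a Artifact, trusted map[string]bool) bool {
	if !VerifySignature(a) || !trusted[hex.EncodeToString(a.Pub)] {
		return false
	}
	return !knownBad[hashHex(a.Data)]
}
```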

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
