Fraudulent shopping domain certificate issuance outstrips legitimate businesses

The use of trusted SSL/TLS certificates can fool shoppers into believing they are spending their money on legitimate domains.
Written by Charlie Osborne, Contributing Writer

As the holiday season approaches, so does the opportunity for cybercriminals to scam shoppers out of their hard-earned funds.

According to Experian data, online shopping fraud attacks rose 30 percent in 2017 from 2016.

Shoppers can be scammed in a number of ways. Phishing emails may tout supposed last-minute deals on desirable items; retailers may fail to deploy TLS properly on their domains, which opens the door to man-in-the-middle (MitM) attacks; or purchases may simply be made on fraudulent websites.

On Thursday, machine identity protection firm Venafi said the latter problem is growing in scope, with an "explosion" of look-alike, fraudulent domains appearing online.

After analyzing suspicious domains created to mimic the top 20 retailers in the US, UK, France, Germany, and Australia, the company found that not only is the number of fake domains rising, but many of them use a trusted TLS certificate.

One of the top US retailers, for example, has over 12,000 fake domains targeting its customer base.

Combine a trusted certificate with a domain name that differs from the real one by only a few characters, the kind of substitution a shopper's eye glosses over, and you have a problem.

According to Venafi, it is becoming "increasingly difficult" for consumers to separate fraudulent domains from legitimate ones. When a trusted TLS certificate is thrown into the mix, fraudulent websites can appear safe as places to shop online.

"Domain spoofing has always been a cornerstone technique of web attacks that focus on social engineering, and the movement to encrypt all web traffic does not shield legitimate retailers against this very common technique," said Jing Xie, Venafi senior threat intelligence analyst. "Because malicious domains now must have a legitimate TLS certificate in order to function, many companies feel that certificate issuers should own the responsibility of vetting the security of these certificates."

The company's research found that many fraudulent domains rely on free certificates, such as those issued by Let's Encrypt. The service is being abused to instill trust in potential victims, and there is little a CA can do about it: a domain-validated (DV) certificate attests only that the requester controls the domain name, not who the requester is or what they intend, and the same is true of DV certificates sold by commercial CAs.

The recent activity of threat group Magecart is a prime example of how shopping fraud can hit both consumers and retailers. One of the group's latest victims, US retailer Newegg, owns the domain newegg.com. Magecart registered the look-alike domain neweggstats.com and obtained a legitimate certificate for it from Comodo.

Newegg's legitimate site was compromised with a card skimmer, and the look-alike domain pointed to a server that received the card details stolen from Newegg customers; with a valid certificate on that server, the exfiltration looked like any other HTTPS traffic.

In total, 84 percent of the fraudulent domains examined in the Venafi report use free certificates from Let's Encrypt to function.

Venafi says that the total number of certificates issued for domains masquerading as legitimate, well-known retailers is over 200 percent greater than the number issued to authentic e-commerce platforms.

"Ultimately, we should expect even more malicious lookalike websites designed for social engineering to pop up in the future," Xie says. "In order to protect themselves, enterprises need effective means to discover domains that have a high probability of being malicious through monitoring and analyzing certificate transparency logs."

"This way they can leverage many recent industry advances to spot high-risk certificate registrations, crippling malicious sites before they cause damage by taking away their certificates," the researcher added.
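The CT-log monitoring Xie describes comes down to pulling the names out of newly logged certificates and scoring each one against the brands you protect. The following is an added example, not Venafi's tooling or code from the article: a small Python scanner that takes a batch of Subject Alternative Names as they would come out of a CT log and flags the look-alike patterns discussed above (the brand embedded in a longer name, as with neweggstats.com; digit and homoglyph substitutions; short-edit-distance typosquats; the real brand label under an unrelated TLD). The brand, the legitimate-domain set, the homoglyph table, the miniature public-suffix table and the sample SAN list are all constructed assumptions for illustration.

```python
"""Look-alike domain scanner over certificate-transparency entries.

Added example, not Venafi's tooling or code from the article. The brand,
the legitimate-domain set, the homoglyph table and the sample SAN list are
constructed assumptions; a real deployment would feed this the SANs of
newly logged certificates from a CT log monitor.
"""
from typing import Dict, Iterable, Optional, Set

# Hand-picked substitutions attackers use to imitate letters (assumption).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
              "vv": "w", "rn": "m"}

# Tiny stand-in for the Public Suffix List (assumption, demo only).
PUBLIC_SUFFIX_LABELS = {"com", "net", "org", "co", "uk", "de", "fr", "au", "shop"}

BRAND = "newegg"                              # brand label being protected
LEGIT_DOMAINS = {"newegg.com", "newegg.ca"}   # assumed set of real domains

# Constructed sample of SAN entries as they would come out of a CT log.
SAMPLE_CT_SANS = [
    "www.newegg.com",              # legitimate
    "*.newegg.com",                # legitimate wildcard
    "neweggstats.com",             # pattern used in the Newegg Magecart case
    "newegg-secure-checkout.com",  # brand embedded in a longer name
    "n3wegg.com",                  # digit substitution
    "nevvegg.com",                 # 'vv' standing in for 'w'
    "newwegg.com",                 # doubled-letter typosquat
    "newegg.shop",                 # real brand label, unrelated TLD
    "eggnews.com",                 # unrelated
    "example.org",                 # unrelated
]


def registrable_label(domain: str) -> str:
    """'www.neweggstats.com' -> 'neweggstats' (label left of the suffix)."""
    labels = domain.lower().strip(".").split(".")
    while len(labels) > 1 and labels[-1] in PUBLIC_SUFFIX_LABELS:
        labels.pop()
    return labels[-1]


def normalize(label: str) -> str:
    """Undo common character substitutions so 'n3wegg' compares as 'newegg'."""
    for fake, real in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute), standard DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, brand: str, legit: Set[str]) -> Optional[str]:
    """Reason the name looks like an impersonation of `brand`, or None."""
    domain = domain.lower().lstrip("*.")          # '*.newegg.com' -> 'newegg.com'
    if any(domain == d or domain.endswith("." + d) for d in legit):
        return None                               # the retailer's own name
    label = registrable_label(domain)
    norm = normalize(label)
    if label == brand:
        return "brand label on unexpected TLD"
    if norm == brand:
        return "homoglyph/digit substitution of brand"
    if brand in norm:
        return "brand embedded in a different registrable domain"
    dist = levenshtein(norm, brand)
    if dist <= 2:
        return f"typosquat (edit distance {dist})"
    return None


def scan_ct_entries(entries: Iterable[str], brand: str, legit: Set[str]) -> Dict[str, str]:
    """Map every suspicious SAN to the reason it was flagged."""
    hits: Dict[str, str] = {}
    for name in entries:
        reason = classify(name, brand, legit)
        if reason:
            hits[name] = reason
    return hits


if __name__ == "__main__":
    for name, why in scan_ct_entries(SAMPLE_CT_SANS, BRAND, LEGIT_DOMAINS).items():
        print(f"{name:30} {why}")
```

In practice the SAN list comes from a CT log monitor rather than a literal, the suffix table must be the real Public Suffix List, and each hit is a candidate for analyst review and a complaint to the issuing CA, not an automatic verdict: names like "eggnews.com" pass here, but plenty of legitimate third parties also embed a brand in their own domains.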
