Wildcard Certificates

The security of online transactions, and of every website that processes personal data, remains a priority for business owners in all verticals. Many of them rely on well-known solutions such as SSL certificates, which have become an industry standard and are now required by parties like Google for a website to be treated as secure. A website that complies with SSL standards is indexed higher and its SEO score rises. But are those certificates really as secure as we all assume? It turns out that improper use of this technology not only fails to make a website impervious, it can also make a hacker's job easier.

Is the card really so wild?

A Wildcard Certificate installed on a publicly accessible server can protect our data against malicious attacks. However, it also increases the risk that cyber-criminals will use that particular server for phishing campaigns. It might sound abstract, but it isn't. The phishing threat level is still very high in 2020. The Verizon Enterprise Report shows that, among 53,000 data security breach incidents, the third most popular method involves abusing Wildcard certificates. The method rests on two distinct pillars: the technological part and the human factor. Why does the technological part matter? Because improper use of the technology increases the success rate of those phishing attacks.

Understanding how a Wildcard certificate works

To understand why a Wildcard Certificate is not completely secure, we need to understand exactly how it works. A Wildcard certificate secures an internet domain and all of its subdomains, which substantially simplifies the website administrator's work. However, every subdomain created under that domain is served with the same certificate and private key. So anyone with access to the domain's governance (DNS and the web server) can create any subdomain they like, and because the connection is established over HTTPS with a valid certificate, it looks legitimate to the visitor.

If cybercriminals manage to penetrate our server and gain access to the domain, they may also obtain privileges that allow them to create any number of subdomains, all of which remain covered by the wildcard certificate. What makes this even more dangerous is that those subdomains look legitimate and trustworthy, because they are verified with our certificate. Such rogue subdomains let cybercriminals host malicious websites that can later be used in phishing campaigns.
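To see exactly which hostnames a wildcard entry covers, the following is an added example (not from the original article): it applies the RFC 6125 matching rule, under which `*.example.com` covers any single-label subdomain but not the apex domain or deeper levels, to a constructed Subject Alternative Name list, and flags the wildcard entries so an administrator can inventory them.

```python
"""Added example: evaluate which hostnames a certificate's Subject Alternative
Names (SANs) cover and flag wildcard entries for review.
The SAN list and hostnames below are constructed sample data."""
from typing import Iterable, List


def san_matches(san: str, hostname: str) -> bool:
    """Return True if the SAN entry `san` covers `hostname`.

    Rules (RFC 6125, section 6.4.3): comparison is case-insensitive; a
    wildcard may only be the entire left-most label and matches exactly one
    label, so "*.example.com" covers "www.example.com" but neither
    "example.com" nor "a.b.example.com".
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]  # ".example.com"
    if "*" in suffix or not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label and "*" not in first_label


def covered_hosts(sans: Iterable[str], hostnames: Iterable[str]) -> List[str]:
    """Hostnames from `hostnames` that at least one SAN entry covers."""
    sans = list(sans)
    return [h for h in hostnames if any(san_matches(s, h) for s in sans)]


def wildcard_sans(sans: Iterable[str]) -> List[str]:
    """Wildcard SAN entries: every one of these deserves a review, because any
    single-label subdomain created under it is automatically trusted."""
    return [s for s in sans if s.startswith("*.")]


# Constructed sample: one apex entry plus one wildcard entry.
SAMPLE_SANS = ["example.com", "*.example.com"]
SAMPLE_HOSTS = [
    "example.com",            # apex: matched by the exact entry only
    "www.example.com",        # legitimate subdomain
    "secure-login.example.com",  # any newly created subdomain is covered too
    "a.b.example.com",        # second level: NOT covered by *.example.com
    "example.org",            # different domain
]

if __name__ == "__main__":
    print("wildcard entries:", wildcard_sans(SAMPLE_SANS))
    print("covered hosts:", covered_hosts(SAMPLE_SANS, SAMPLE_HOSTS))
```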


Here a question arises: how can anyone be tricked by such a simple scheme? It turns out that the human factor is the key to the problem, and it is necessary for the success of the whole attack. According to a recent Venafi study, hackers often create subdomains whose name resembles that of their intended target. That is exactly what happened a few years back in the PayPal attack. Phishers compromised a website of the Malaysian Police, which at that time used an abbreviation that looked similar to "PayPal". The URL was also long, so most browsers truncated the displayed link. With a security "padlock" icon and a visual design identical to the real PayPal, the subdomain was all that was needed to deprive a huge number of people of their money.

Keys and certificates on the black market

In the last few years, many new applications have been developed that serve a single purpose: stealing keys and certificates. We hear about attacks such as the one conducted by the BlackTech Group, which stole certificates belonging to the well-known company D-Link. PLEAD and DRIGO were used to conduct the attack, and the stolen certificates could have been used to sign malicious software so that it appears authorised on the target computer. With increasing frequency, hacker groups steal an organisation's assets to use them as tools in more complex schemes and attacks. However, pretending to be a certified domain is one thing; using it in a cascading plot is something far more sophisticated. In 2015 someone gained access to the live.fi domain, owned by Microsoft, and abused that access to register a fraudulent SSL certificate that allowed phishing and man-in-the-middle attacks on further targets.

Fake certificates make hackers' lives easier

Free certificates make criminals' lives even easier. Since paid certificates for existing companies are sometimes costly and complicated to obtain, criminals turn to entities like Let's Encrypt for free certificates, which further reduces the cost of an attack. Moreover, the full automation of certificate issuance makes the process almost instant. To confirm that the use of certificates in illegal activities is widespread, we can look at a Venafi study showing that a staggering 85% of Let's Encrypt certificates were issued for domains that look similar to the domains of renowned companies. For example, between 1 January 2016 and 6 March 2017, 15,000 certificates containing "PayPal" in their name were issued, and 95% of those were used for phishing attacks.

How to remain secure?

First of all, avoid Wildcard certificates. It will increase the running costs of our website, but it denies attackers a single certificate that automatically covers every subdomain they might create, and so prevents the website from being used for criminal activity that would dent our brand's image. It is good practice to rotate certificate keys regularly, generating a new key at each renewal rather than reusing the old one. It is also good to secure each subdomain with its own certificate. Stay safe!