TLS certificates, both individually and packaged with a wide range of crimeware, are increasingly being sold on the dark web.
The first findings from an academic study on the accessibility of TLS certificates on the dark web were published by Venafi, a Utah-based cybersecurity company offering identity protection.
The study found that while SSL/TLS certificates are very important in order to protect user privacy and enhance digital trust and security, they are also a high-demand market for users on the dark web.
SSL/TLS certificates are a valuable item in the cybercrime system, and they are usually used by threat actors for different activities such as eavesdropping on traffic, spoofing websites, setting up fraudulent ecommerce sites and stealing data.
Notably, the rise in demand of SSL/TLS certificates comes at a period when the sale of zero-day exploits are on the decline.
The Report's Findings
Researchers from the University of Surrey in the U.K. and from Georgia State University's School of Policy Studies and Evidence-based Cybersecurity Research Group wrote the report on TLS certificates.
In the , the researchers analyzed 17 websites on the I2P network and 60 marketplaces on the Tor network in order to collect data on SSL/TLS certificates.
The prices of the SSL/TLS certificates start from $260 and go all the way up to $1,600. The worth is determined by the scope of bundled services and the type offered.
There is even a case of a seller offering certificates from well-respected authorities for $2,000 in a bundle with fake documentation which allows the attackers to present themselves as trusted U.K. or U.S. companies.
Researchers found five darknet marketplaces that offered a supply of SSL/TLS certificates.
They stated that the sale of this category of products is a specialization of some of the marketplaces.
The five marketplaces that were studied- Wall Street Market, Dream Market, Nightmare Market, Galaxy3 and BlackBooth-included a large number of offers for SSL/TLS certificates and related services.
Searching for SSL led to almost 3,000 results, while the term "zero-day" only yielded 151 results and "ransomware" returned 531 results.
The offers on the marketplaces vary, some offer "aged domains," while others offer the integration with valid payment processors like Stripe, PayPal and Square, along with post-sale support for their customers.
The Conclusion
The research confirms the uncontrolled sale of SSL/TLS certificates on the dark web, which is used in by hackers and fraudsters in order to avoid detection and organize more sophisticated attacks.
Georgia State University's Dr. David Maimon, security researcher and author of the report, said that the findings of the study were surprising for the researchers-particularly how easy it was to acquire this type of information.
The study presents evidence that confirms the existence of several sources offering SSL/TLS certificates, especially the presence of sellers that promise to issue certificates for U.K. and U.S. companies for less than $2,000.
Kevin Bocek, the vice president of security and threat intelligence at Venafi, also said in the announcement of the study that hackers are selling SSL/TLS certificates and that they are being weaponized effectively.
The certificates that act as trusted machine identities are an important asset to cybercriminal toolkits.
