A study conducted by academics discovered that SSL and TLS certificates and associated services can be easily acquired from dark web marketplaces.

A study sponsored by Venafi and conducted by researchers from Georgia State University in the U.S. and the University of Surrey in the U.K. discovered that SSL and TLS certificates and associated services can be easily acquired from dark web marketplaces.

Experts analyzed 60 marketplaces hosted by the Tor network and 17 websites on the I2P network collecting data on SSL and TLS certificates and related services.

SSL/TLS certificates are a precious commodity in cybercrime ecosystem, they are ordinarily used by threat actors for several malicious activities, including for spoofing websites, eavesdropping on traffic, stealing data, and setting up fraudulent e-commerce sites.

The study revealed that the listing of five of the marketplaces on the Tor network (Dream Market, Wall Street Market, BlockBooth, Nightmare Market and Galaxy3) includes thousands of offers for certificates and related services. Querying for SSL returned up nearly 3,000 results, while a query for “ransomware” returned 531 results and a query for “zero-day” only 161 mentions.

Researchers pointed out that some marketplaces are specialized in the sale of this category of products,

The offers are different from each other, some sellers offer “aged domains,” post-sale support for their customers and the integration with legitimate payment processors such as PayPal, Stripe, and Square.

Prices for the certificates between $260 and $1,600 with some exceptions, like the case of a seller who offers certificates from reputable certificate authorities in a bundle with fake documentation for $2,000 .

“Some underground marketplaces focus on packaging services with SSL/TLS certificates. For example, some sellers offer “aged” domains, after-sale support and integration with a range of legitimate payment processors—including Stripe, PayPal and Square.” reads the report published by Venafi.

“At least one vendor on BlockBooth promises to issue certificates from reputable certificate authorities. The seller also offers forged documentation, which allows attackers to present themselves as trusted U.S. or U.K. companies for less than $2,000.

The study confirms the rampant sale of TLS certificates on the darkweb, crooks use them in the attempt to avoid detection and to arrange more sophisticated scams.

“This project provides evidence of the existence of an online underground market for TLS certificates, specifically the presence of vendors on online underground markets that are promising to issue EV certificates for U.S. and U.K. companies for less than $2,000.” concludes the report.

Venafi plans to continue the research and keep investigating this issue.

Pierluigi Paganini

( SecurityAffairs – dark web, hacking)

Share this...

Linkedin Reddit Pinterest

Share On