Experts Explain How Wildcard Certificates Are Being Abused for Phishing Attacks


Phishing is one of the most common and most successful attack vectors, and it will probably remain so for some time. Cybercriminals also routinely abuse legitimate technologies to make their operations more effective.

A good example is wildcard certificates: public key certificates issued for a name such as *.example.com, which a web server can present for any single-label subdomain beneath that domain (login.example.com, mail.example.com, and so on) instead of one certificate per host.

On one hand, wildcard certificates are convenient for system administrators because they don't have to manage a separate certificate on each subdomain. On the other hand, from a security standpoint a wildcard certificate increases the risk of a web server being abused for phishing campaigns: whoever controls the server, or its private key, can present a trusted certificate for any subdomain they choose.
</gml_replace>
<gr_replace lines="10" cat="clarify" orig="For cybercriminals">
For cybercriminals, compromising a server that holds a wildcard certificate is like finding a goldmine. Any subdomain they create on the web server is served with the same digital certificate as the legitimate subdomains, so they never have to request a certificate of their own and nothing about the padlock looks different to a victim.

For cybercriminals, coming across a vulnerable server that uses wildcard certificates is like finding a goldmine. That’s because any subdomain they create on the webserver uses the same digital certificate as the other, legitimate subdomains.

Cybercriminals can create a new subdomain on the compromised web server and host their phishing page on it. Users are more likely to hand over their credentials and other sensitive information because the page is served over HTTPS with a certificate that is valid for the organization's domain, which makes it look legitimate.

A case in point is the PayPal phishing page that was hosted on a secure portal of the Malaysian Police.

By stealing a wildcard certificate's private key, an attacker who can also get traffic for the target name (for example through DNS hijacking or a man-in-the-middle position) can impersonate any host the certificate covers, without ever touching the original server. Private keys can be obtained with malware such as the one used in the recently uncovered Mask campaign.
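To make the single-label rule and the blast radius concrete, here is an added example in Python; it is not code from the article or from Venafi. It implements a hostname matcher that follows the wildcard rules browsers apply (an assumption stated in the docstring) and a small audit that, for a constructed inventory of servers and the names on their certificates, lists which phishing-style hostnames an attacker who controls a given server, or has stolen its private key, could serve with a browser-trusted certificate. The inventory and probe hostnames are constructed sample data.

```python
"""Wildcard-certificate name matching and a blast-radius audit.

Assumptions (not from the article): the matching rules follow RFC 6125
section 6.4.3 as browsers apply them; the inventory and probe hostnames
below are constructed sample data.
"""
from typing import Dict, Iterable, List, Tuple


def wildcard_matches(cert_name: str, hostname: str) -> bool:
    """Return True if a certificate name (plain or wildcard) covers hostname.

    Rules applied, matching common browser behaviour:
      - comparison is case-insensitive and ignores a trailing dot
      - the wildcard must be the entire left-most label ("*.example.com");
        partial wildcards such as "f*.example.com" are rejected
      - "*" matches exactly one label, so "*.example.com" covers
        "login.example.com" but neither "example.com" nor "a.b.example.com"
      - a wildcard directly under a top-level domain ("*.com") is rejected
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname

    pattern_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    if pattern_labels[0] != "*" or any("*" in label for label in pattern_labels[1:]):
        return False
    if len(pattern_labels) < 3:
        return False
    if len(host_labels) != len(pattern_labels):
        return False
    return host_labels[1:] == pattern_labels[1:]


def covered_by(cert_names: Iterable[str], hostname: str) -> bool:
    """True if any name on the certificate (CN or SAN entries) covers hostname."""
    return any(wildcard_matches(name, hostname) for name in cert_names)


def audit_wildcard_exposure(
    inventory: Dict[str, List[str]], probe_hosts: Iterable[str]
) -> List[Tuple[str, List[str], List[str]]]:
    """For every server whose certificate carries a wildcard name, list which
    of the probe hostnames an attacker who controls that server (or has stolen
    its private key) could serve with a browser-trusted certificate."""
    findings = []
    probes = list(probe_hosts)
    for server, cert_names in inventory.items():
        wildcards = [n for n in cert_names if n.startswith("*.")]
        if not wildcards:
            continue  # per-host certificate: a compromise stays confined to that host
        exposed = [h for h in probes if covered_by(wildcards, h)]
        findings.append((server, wildcards, exposed))
    return findings


# Constructed sample inventory: server -> names on the certificate it serves.
INVENTORY = {
    "www-1.example.com": ["*.example.com", "example.com"],
    "mail.example.com": ["mail.example.com"],
    "portal.example.net": ["*.example.net"],
}

# Constructed hostnames a phisher might stand up under a compromised domain.
PHISHING_PROBES = [
    "paypal-secure.example.com",
    "login.example.net",
    "a.b.example.com",   # two labels deep: not covered by *.example.com
    "example.com",       # bare domain: not covered by *.example.com
]

if __name__ == "__main__":
    for server, wildcards, exposed in audit_wildcard_exposure(INVENTORY, PHISHING_PROBES):
        print(f"{server}: {wildcards} would validly serve {exposed}")
```

Run stand-alone, the audit reports that the wildcard on www-1.example.com would validly serve paypal-secure.example.com but not a.b.example.com or the bare domain, and that mail.example.com, which carries a per-host certificate, produces no finding at all. In a real inventory the names would be read from each certificate's Subject Alternative Name extension rather than typed in by hand.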

Cybercriminals can also obtain wildcard certificates in their own right by tricking a certificate authority into issuing one for a fictitious company.

So what can organizations do to protect their webservers from being abused in such a manner?

First of all, the use of wildcard certificates should be avoided, so that compromising a single server or key does not hand an attacker a trusted certificate for every subdomain; that raises the cost of targeting the organization. Wildcard certificates should particularly be avoided on public-facing production systems.

In addition, security controls such as an inventory of where certificates and private keys are deployed, strict access control on key material, and monitoring for new subdomains and unexpected certificate use make a network harder to exploit.

“By putting these defenses in place, you increase the effort that a malicious actor must take to compromise your network. Your goal is to make compromising your network so expensive that cyber-criminals would rather focus their attention on someone else,” noted Gavin Hill, director of product marketing & threat intelligence at Venafi.

“As the saying goes: When a lion chases you, you don’t need to be the fastest runner; you just have to be faster than the person behind you.”

Additional details on how to protect web servers from being abused by phishers are available on Venafi’s blog. You can also check out the two-minute video that explains how cybercriminals abuse the trust in wildcard certificates for phishing attacks.
