It’s only been a month since certificate authority Let’s Encrypt opened up its beta program to offer free HTTPS certificates to the public, and hackers have already begun abusing the service to distribute malware through seemingly safe domains.
In December, security firm Trend Micro spotted users in Japan accessing a malvertising server, which hosted the Angler Exploit Kit that downloaded a banking Trojan onto affected Windows machines automatically. The Trojan allowed hackers to remotely access those systems without users’ knowledge.
The company says that the malvertisers used a technique called domain shadowing, in which attackers who have gained access to a trusted domain (such as a bank’s main website) can lead users to a server that they control and host elsewhere, while disguising their activity using a subdomain protected with a security certificate from Let’s Encrypt.
In the case Trend Micro was investigating, the attackers hosted an ad that appeared to belong to the legitimate domain.
The company says this was possible because Let’s Encrypt only checks the domains it issues certificates for against the Google Safe Browsing API before issuing them. That check doesn’t stop attackers who already control a legitimate site’s DNS from obtaining a certificate and creating subdomains that serve malware under the umbrella of that site.
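One defensive check that follows from the technique described above: domain shadowing leaves the legitimate site untouched and only adds DNS records pointing at attacker infrastructure, so diffing a zone snapshot against a known baseline and the owner’s own address ranges surfaces the planted subdomains. This is an added example, not code from the article or from Trend Micro; the domain, addresses and records are constructed.

```python
# Added example (not from the article or Trend Micro): flag candidate
# domain-shadowing subdomains by diffing a DNS zone snapshot against a baseline.
import ipaddress

# Constructed baseline: records the domain owner expects (hypothetical example.com).
BASELINE = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.20",
}
# Constructed address ranges the organisation actually operates.
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def in_known_ranges(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_RANGES)


def find_shadowed(current):
    """Return (name, ip) pairs absent from the baseline that resolve outside known ranges.

    `current` maps hostnames to A-record addresses as fetched from the zone today.
    A new name pointing at infrastructure the owner does not run is the hallmark of
    domain shadowing: the zone is intact except for the attacker's added records.
    """
    findings = []
    for name, ip in sorted(current.items()):
        if name in BASELINE and BASELINE[name] == ip:
            continue  # unchanged, expected record
        if in_known_ranges(ip):
            continue  # new or changed, but still on the owner's own infrastructure
        findings.append((name, ip))
    return findings


# Constructed "current" snapshot: the zone with two records an attacker added
# plus one legitimate new host inside the owner's range.
CURRENT = dict(BASELINE)
CURRENT.update({
    "ad7k2.example.com": "198.51.100.77",
    "cdn-static.example.com": "198.51.100.78",
    "dev.example.com": "203.0.113.30",
})

if __name__ == "__main__":
    for name, ip in find_shadowed(CURRENT):
        print(f"suspect: {name} -> {ip}")
```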
Trend Micro’s report says the incident highlights potential issues with Let’s Encrypt’s service and urges the organization to be willing to revoke certificates that have been misused.
We’ve contacted Let’s Encrypt to learn more and will update this post when we hear back.