Content, Breach

Study: Counterfeit Digital Signing Certificates Bring Big Money on Dark Web


Bogus U.S. passports and stolen credit cards command top dollar on the Dark Web but right there with them is the $1,200 that stolen digital code signing certificates can deliver. What’s the big deal? The thriving trade for illicit certificates clouds the whole Internet authentication system, that’s all.

A new, six-month study sponsored by Venafi, a machine identity and access management specialist, conducted by the Cyber Security Research Institute (CSRI), revealed the vitality of the underground market for code signing certificates, the authors said.

Here’s all you need to know about the study’s findings:

  • For $1,200 a piece on the Dark Web, you can have: One fake U.S. passport, two handguns, six fake drivers’ licenses, 12 targeted email account hacks, 48 targeted DDoS attacks or 320 stolen credit cards. Or, one code signing certificate.
  • Certificates as an attack surface is growing: 2016 saw an 86 percent spike in certificate use. A 35 percent climb is expected for 2017. The 30 billion connected devices the IoT is forecast to spawn will need keys and certificates, making for an even juicier target.

Stolen code signing certificates can open a lot of doors for hackers: They’re used to verify the authenticity and integrity of computer applications and software and a key part of Internet and enterprise security. A compromised code signing certificate enables an attacker to perform man-in-the-middle attacks, hide in encrypted traffic, install malware, withdraw sensitive data, spoof trusted websites, escalate privileges and other malicious activities.

“With stolen code signing certificates, it’s nearly impossible for organizations to detect malicious software,” said Kevin Bocek, Venafi chief security strategist. “Any cyber criminal can use them to make malware, ransomware, and even kinetic attacks trusted and effective.”

The resale value of code signing certificates doesn’t erode quickly, Bocek said, making them cash cows for hackers and Dark Web merchants because they can exchange hands many times.

It’s no secret that hackers have long coveted code signing certificates as a malware distribution tool, said Peter Warren, CSRI chairman. But proof of a substantial criminal market for certificates “throws our whole authentication system for the Internet into doubt and points to an urgent need for the deployment of technology systems to counter the misuse of digital certificates.”

The Venafi/CSRI research couldn’t confirm similar demand for TLS, VPN and SSH keys and certificates, Warren said, but he suspects it exists alongside sales for code signing certificates.

A separate study by a team of University of Maryland researchers pointed to a higher number of digitally signed malware than previously known, Hacker News reported. Of 325 signed malware samples examined, some 42 percent had malformed digital signatures. "Simply copying an Authenticode signature from a legitimate sample to an unsigned malware sample may help the malware bypass detection," the researchers reportedly said.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.