Phishing Using Let's Encrypt

14,766 Let's Encrypt SSL Certificates Issued to PayPal Phishing Sites

I see this like any other technological advance. People start driving cars? So do criminals. But until mass production, some tech has lower market accessibility. The fact that it went from costing money to gratis is just accessibility, like buying astronaut ice cream at the science museum gift shop; eventually that food becomes a fad or turns up in some other speciality store.

However, the one thing that makes this different is that, unlike registering your car's VIN, plate number, or driver's license, these fraudulent PayPal websites literally have "paypal" etc. in the name of the domain. All Let's Encrypt has done is expose a major flaw at or downstream of the issuance of domain names. Not that I suggest outlawing strings; someone might well register "". The problem comes from domains such as "". But again, you can search for it. 35,000 fake PayPal domains with LE certs in two years works out to about 100 per day on average, or, from the graphic, 5,101 in Feb 2017, or roughly 182 per day.

Totally manageable with a two-person team.

  • Task a human, temporarily, with manually checking.
  • Task another human with automating as much of the work as possible: either just dumb string-search flags or AI assistance.
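
As an added illustration of the "dumb string-search flags" idea (this is example code written for this page, not the commenter's tooling and not anything Let's Encrypt ships), the script below takes a list of certificate subject names in the shape one would pull from a Certificate Transparency log and flags the ones that look like PayPal brand abuse. It goes slightly beyond a plain substring match: it folds common homoglyph substitutions such as `paypa1`, strips separators so `payp-al` is caught, and also reports one-character near misses such as `paypai`. The sample names, the `ALLOWLIST` of legitimate registrable domains, and the `BRAND` constant are all constructed assumptions for the example; real use would feed it the CT feed and a maintained allowlist.

```python
import re

# Constructed sample of certificate subject names, in the shape of entries
# pulled from a Certificate Transparency log. Not real issuance data.
SAMPLE_NAMES = [
    "www.example.org",
    "paypal-secure-login.example",
    "paypa1.com.example",          # digit 1 standing in for the letter l
    "secure.paypal.com",           # the legitimate domain, must not be flagged
    "mail.payp-al.example",        # separator breaking up the brand string
    "shop.example",
    "paypai-verify.example",       # one character off from the brand
]

# Registrable domains that are allowed to carry the brand string (assumption
# for the example; a real deployment would maintain this list).
ALLOWLIST = {"paypal.com"}

BRAND = "paypal"

# Cheap character substitutions phishers use to dodge a naive substring match.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "|": "l", "!": "i"})


def registrable_domain(name: str) -> str:
    """Last two labels of a hostname; good enough for .com-style TLDs.
    A real checker would use the Public Suffix List here."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(name: str) -> str:
    """Lowercase, fold homoglyphs, and drop separators so 'payp-al' -> 'paypal'."""
    folded = name.lower().translate(HOMOGLYPHS)
    return re.sub(r"[-_.]", "", folded)


def contains_near(haystack: str, needle: str, max_mismatch: int = 1) -> bool:
    """True if some window of haystack matches needle with at most
    max_mismatch differing characters (a sliding Hamming-distance check)."""
    n = len(needle)
    for i in range(len(haystack) - n + 1):
        window = haystack[i:i + n]
        if sum(a != b for a, b in zip(window, needle)) <= max_mismatch:
            return True
    return False


def flag_names(names, brand=BRAND, allowlist=ALLOWLIST):
    """Return (name, reason) pairs for every name that looks like brand abuse.
    Names whose registrable domain is allowlisted are skipped; everything else
    is a triage hint for the human reviewer, not a verdict."""
    flagged = []
    for name in names:
        if registrable_domain(name) in allowlist:
            continue
        norm = normalize(name)
        if brand in norm:
            flagged.append((name, "contains brand"))
        elif contains_near(norm, brand):
            flagged.append((name, "near-miss of brand"))
    return flagged


if __name__ == "__main__":
    for name, reason in flag_names(SAMPLE_NAMES):
        print(f"{name:32} {reason}")
```

Note that the allowlist is keyed on the registrable domain, so `paypal.com.evil.example` is still flagged: only `paypal.com` itself (and its subdomains) is exempt. At the volumes quoted above this is a filter that hands a human a short daily list, which is the whole point of the two-person plan.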
