Fake Digital Certificates Found in the Wild While Observing Facebook SSL Connections
Visiting a website certified with an SSL certificate doesn't mean that the website is not bogus. Secure Sockets Layer (SSL) protect the web users in two ways, it uses public key encryption to encrypt sensitive information between a user's computer and a website, such as usernames, passwords, or credit card numbers and also verify the identity of websites.

Today hackers and cyber criminals are using every tantrum to steal users' credentials and other sensitive data by injecting fake SSL certificates to the bogus websites impersonating Social media, e-commerce, and financial websites as well.

A Group of researchers, Lin-Shung Huang , Alex Ricey , Erling Ellingseny and Collin Jackson, from the Carnegie Mellon University in collaboration with Facebook have analyzed [PDF] more than 3 million SSL connections and found strong evidence that at least 6;845 (0:2%) of them were in fact tampered with forged certificates i.e. self-signed digital certificates that aren't authorized by the legitimate website owners, but will be accepted as valid by most browsers.

They utilized the widely-supported Flash Player plug-in to enable socket functionality and implemented a partial SSL handshake on our own to capture forged certificates and deployed this detection mechanism on an Alexa top 10 website, Facebook, which terminates connections through a diverse set of network operators across the world.

Generally Modern web browsers display a warning message when encountering errors during SSL certificate validation, but warning page still allows users to proceed over a potentially insecure connection.
Fake Digital Certificates Found in the Wild While Observing Facebook SSL Connections
Fake SSL connections can argue that certificate warnings are mostly caused by server mis-configurations. According to usability survey, many users actually ignore SSL certificate warnings and trusting forged certificates could make them vulnerable to the simplest SSL interception attacks.

This means that a potential hacker can successfully impersonate any website, even for secure connections i.e. HTTPS, to perform an SSL ma-in-the-middle attack in order to intercept encrypted connections.

Researchers observed most of the forged SSL certificate are using same name as original Digital Certificate issuer organizations, such as VeriSign, Comodo.

Some Antivirus software such as Bitdefender, ESET, BullGuard, Kaspersky Lab, Nordnet, DefenderPro etc., has ability to intercept/Scan SSL connection on Clients' system in order to defend their users from Fake SSL connections. These Antivirus products generate their own certificates that would be less alarming than other Self-signed digital certificates.
"One should be wary of professional attackers that might be capable of stealing the private key of the signing certificates from antivirus vendors, which may essentially allow them to spy on the antivirus users (since the antivirus root certificate would be trusted by the client)," the researchers explained. "Hypothetically, governments could also compel antivirus vendors to hand over their signing keys."
Similar capabilities are observed in various Firewall, Parental Control Software and adware software those could be compromised by hackers in order to generate valid, but fake digital certificates.

Researchers also noticed another interesting self-signed digital certificate, named as 'IopFailZeroAccessCreate', which was generated by some malware on client-end systems and using same name as trusted Certificate issuer "VeriSign Class 4 Public Primary CA."

"These variants provide clear evidence that attackers in the wild are generating certificates with forged issuer attributes, and even increased their sophistication during the time frame of our study," they said.
Fake Digital Certificates Found in the Wild While Observing Facebook SSL Connections
Detected statistics shows that the clients infected with same malware serving 'IopFailZeroAccessCreate' bogus digital certificates were widespread across 45 different countries, including Mexico, Argentina and the United States.

Malware researchers at Facebook, in collaboration with the Microsoft Security Essentials team, were able to confirm these suspicions and identify the specific malware family responsible for this attack.

Attackers may also restrict Flash-based sockets by blocking Flash socket policy traffic on port 843 or can avoid intercepting SSL connections made by the Flash Player in order to bypass detection techniques used by the researchers. To counter this, websites could possibly serve socket policy files over firewall-friendly ports (80 or 443), by multiplexing web traffic and socket policy requests on their servers.

In Addition, researchers have discussed migration techniques in the paper such as HTTP Strict Transport Security (HSTS), Public Key Pinning Extension for HTTP (HPKP), TLS Origin-Bound Certificates (TLS-OBC), Certificate Validation with Notaries and DNS-based Authentication of Named Entities (DANE), those could be used by servers to enforce HTTPS and validate digital certificates.

If you are also infected by any similar malware, please follow below given steps to remove it:
  • Check your hosts file (C:\Windows\System32\Drivers\etc\hosts) for malicious entries
  • Check your DNS (Domain Name Server) settings on system and DSL Modem
  • Verify your proxy settings on browser
  • Cross-check your installed Browser addons.
  • Install reputed Antivirus and Firewall Product and Scan for malicious files

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.