The Use of Counterfeit Code Signing Certificates Is on the Rise

Organizations use the certificates to authenticate their software and protect it against tampering.

By Andrei Barysevich, Recorded Future

Key Judgements

We observed the earliest use of stolen code certificates in 2011, but it was not until 2015 that code signing certificates became widely available in the criminal underground.

Insikt Group identified four well-known vendors of such products since 2011; only two vendors are currently soliciting their services to Russian-speaking hackers.

The most affordable version of a code signing certificate costs $299, but the most comprehensive Extended Validation (EV) certificate with a SmartScreen reputation rating is listed for $1,599. The starting price of a domain name registration with EV SSL certificate is $349.

All certificates are issued by reputable companies, such as Comodo, Thawte, and Symantec, and have proved to be extremely effective in malware obfuscation. We believe that legitimate business owners are unaware that their data was used in the illicit activities.

Network security appliances performing deep packet inspection become less effective when legitimate (legitimate certificate) SSL/TLS traffic is initiated by a malicious implant. Netflow (packet headers) analysis is an important control toward reducing risk, as host-based controls may also be rendered ineffective by legitimate code signing certificates.

 Click here to download the analysis as a PDF.

Please leave us a comment

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s