Certificates-as-a-Service? Code Signing Certs Become Popular Cybercrime Commodity

The fraud underground is a thriving dark market replete with services, commodities and information sharing, providing cybercriminals with just about any help they may need for their schemes.

Alongside the usual malware vendors and fraud scam chatter, one recent phenomenon IBM Security X-Force researchers have been tracking is certificates-as-a-service (CaaS): cybercriminals obtain high-grade code signing certificates from trusted certificate authorities and then sell them on demand through Dark Web e-commerce sites to anyone who will pay.

IBM Security X-Force researchers have observed a considerable rise in the sale of code signing certificates in the underground over the past few months. Further investigation of this phenomenon yields findings that help explain why the use of signed malware has increased threefold in the past four years alone. The research also offers best practices for checking whether a certificate can be trusted, at a time when trust is increasingly fragile.

A Bit About Certificates

A code signing certificate binds a publisher's identity to a public key and carries the issuing CA's signature over that binding; the publisher uses the matching private key to sign files such as executables and scripts. Certificates were created to establish trust in software or code that you run on your machine. A valid signature is meant to indicate:

·         This file was signed by a publisher whose identity a CA has vetted.
·         This file was not tampered with after it was signed.
·         This file's origin is stated openly in the certificate, so you can check who created it and which CA vouches for them.

Certificates are issued by certification authorities (CAs) and come in different grades depending on which CA issues them and how thoroughly it vets the applicant. They are granted to identifiable entities, typically companies that produce code, protocols or software, so that those entities can sign their code and assert that it is genuine and unmodified.

While in the past certificates were issued only to large software vendors, today smaller firms and individual application developers use them, as well. Reports on the subject show that the sheer number of certificates in circulation has increased from about 20,000 in 2007 to over 150,000 certificates in 2015.

Well-known CAs that issue code signing certificates include Symantec, DigiCert, Comodo, Entrust and GoDaddy. WebTrust, often mentioned in the same breath, is not a CA but an audit program: CAs are assessed against it before operating systems and browsers admit their roots to a trust store. CAs have historically graded certificates into classes by the depth of identity vetting; in the VeriSign scheme, for example, Class 1 covered little more than a verified e-mail address, while code signing required the highest class, with organizational identity checks. The class of a certificate therefore says how carefully the applicant was vetted, not how trustworthy the signed file is.

Beyond a single CA's own hierarchy, one CA can issue a certificate for another CA's public key, including the key behind that CA's root certificate. This is termed cross-certification, and it provides a means to extend a chain of trust from a single trusted root CA to certificates issued by other CAs. The practical consequence for anyone verifying a signature is twofold: the cross-certificate must be available at verification time, whether embedded in the signature or fetched from the CA, or the chain cannot be built; and a cross-certified CA inherits the trust of the root that vouches for it, so a certificate mis-issued or sold on by the weaker CA is accepted just as readily.
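To make the checks above concrete, here is an added example (not from the original article or from IBM X-Force) that builds a throwaway hierarchy in memory with Go's standard crypto/x509 package: a trusted root "Example Root CA A", a second authority "Example CA B" that A has cross-certified, and a code signing certificate for a fictitious "Example Software Ltd" issued by B. It signs the SHA-256 digest of a constructed byte string with ECDSA P-256, standing in for a real Authenticode (PKCS#7) signature, then verifies it four ways: with the cross-certificate available, with it withheld, with a TLS server certificate from the same CA misused for code signing, and against a file altered after signing. All CA and publisher names are made up, and the file contents are a stand-in, not a real binary.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds a certificate template: CAs get the CertSign key usage, end-entity
// certificates get DigitalSignature plus the extended key usage passed in.
func template(cn string, serial int64, isCA bool, eku ...x509.ExtKeyUsage) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku = x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: ku, ExtKeyUsage: eku,
	}
}

// issue generates a fresh P-256 key and has parent (signing with parentKey) certify it
// under tmpl. A nil parent yields a self-signed certificate. Errors panic to keep it short.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// SignFile is the publisher's side: sign the file's SHA-256 digest with the private
// key behind the code signing certificate.
func SignFile(key *ecdsa.PrivateKey, file []byte) []byte {
	d := sha256.Sum256(file)
	sig, err := ecdsa.SignASN1(rand.Reader, key, d[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// VerifySignedFile is the consumer's side and makes the three checks explicit: the signer
// chains to a root we trust (through whatever intermediates or cross-certificates are
// supplied), the certificate is permitted for code signing, and the signature matches the file.
func VerifySignedFile(file, sig []byte, signer *x509.Certificate, roots, inters *x509.CertPool) error {
	if _, err := signer.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return fmt.Errorf("certificate chain: %w", err)
	}
	d := sha256.Sum256(file)
	if pub, ok := signer.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, d[:], sig) {
		return fmt.Errorf("signature does not match file contents")
	}
	return nil
}

// RunChecks builds the constructed hierarchy, signs a constructed file and runs the
// verifier through four situations, returning each verdict by name (nil means accepted).
func RunChecks() map[string]error {
	// Root A is the only trusted root; crossB is A's cross-certificate for CA B's public key.
	rootA, keyA := issue(template("Example Root CA A", 1, true), nil, nil)
	crossB, keyB := issue(template("Example CA B", 2, true), rootA, keyA)
	codeCert, codeKey := issue(template("Example Software Ltd", 100, false, x509.ExtKeyUsageCodeSigning), crossB, keyB)
	tlsCert, tlsKey := issue(template("www.example.test", 101, false, x509.ExtKeyUsageServerAuth), crossB, keyB)
	file := []byte("MZ... constructed stand-in for an installer's bytes") // not a real binary
	sig := SignFile(codeKey, file)
	tampered := append([]byte{file[0] ^ 1}, file[1:]...) // one bit flipped after signing
	roots, withCross := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(rootA)
	withCross.AddCert(crossB)
	return map[string]error{
		"valid chain through cross-certificate":    VerifySignedFile(file, sig, codeCert, roots, withCross),
		"cross-certificate not supplied":           VerifySignedFile(file, sig, codeCert, roots, x509.NewCertPool()),
		"TLS server certificate used to sign code": VerifySignedFile(file, SignFile(tlsKey, file), tlsCert, roots, withCross),
		"file modified after signing":              VerifySignedFile(tampered, sig, codeCert, roots, withCross),
	}
}

func main() {
	for name, err := range RunChecks() {
		fmt.Printf("%-42s -> %v\n", name, err)
	}
}
```

Run it with go run; only the first case is accepted, the second fails because no chain to root A can be built without the cross-certificate, the third because the certificate's extended key usage does not permit code signing, and the fourth because the digest no longer matches. Note what the example deliberately leaves out: it performs no revocation check (CRL or OCSP) and honours no signing timestamp, so a certificate that a CA later revoked because it turned up for sale on the underground would still pass here. A real verifier must add both.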

