Malvertising Campaign Used a Free Certificate From Let's Encrypt

itwbennett writes: On Wednesday, Trend Micro wrote that it discovered a cyberattack on Dec. 21 that was designed to install banking malware on computers. The cybercriminals had compromised a legitimate website and set up a subdomain that led to a server under their control, wrote Joseph Chen, a fraud researcher with Trend. The subdomain used an SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificate issued by Let's Encrypt, the first large-scale project to issue free digital certificates. which is run by the ISRG (Internet Security Research Group) and is backed by Mozilla, the Electronic Frontier Foundation, Cisco, and Akamai, among others. The incident has sparked disagreement over how to deal with such abuse, writes Jeremy Kirk.

Why the emphasis on Lets Encrypt?

[Richard_at_work]

This style of attack would have been able to get an SSL cert from most cheap cert providers, as most of the cheap ones only require you to dump a particular file in the right place on the website for verification, so why the emphasis on "Lets Encrypt"? Because they are "cheaper than cheap"?

Malvertising is a trivially solvable problem

Why the hell do ads need to be able to run arbitrary 3rd party scripts? Give them an image, some text, etc. and they stick it in their ad format. There's no reason to let random people on the internet inject scripts from totallynotmalwarenoreally.ru into ads on the New York Times' site.

DNS

[Stephen+Chadfield]

This is just ridiculous. The problem here is that the attacker was able to create a new DNS sub-domain. The Let's Encrypt angle is just a red herring from a company (Trend Micro) that wants to make money selling SSL certificates.