Malvertising Campaign Used a Free Certificate From Let's Encrypt

itwbennett writes: On Wednesday, Trend Micro wrote that it discovered a cyberattack on Dec. 21 that was designed to install banking malware on computers. The cybercriminals had compromised a legitimate website and set up a subdomain that led to a server under their control, wrote Joseph Chen, a fraud researcher with Trend. The subdomain used an SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificate issued by Let's Encrypt, the first large-scale project to issue free digital certificates. which is run by the ISRG (Internet Security Research Group) and is backed by Mozilla, the Electronic Frontier Foundation, Cisco, and Akamai, among others. The incident has sparked disagreement over how to deal with such abuse, writes Jeremy Kirk.

Why we cannot have nice things..

[wbr1]

The ISRG is both right and wrong. CAs cannot respond fast enough and likely do not have enough information to vet requests for new certificates fully. However, once a cert is used in bad faith it should be revoked.

The ad brokers do not care that bad ads slipped in as they make money on any, so they have zero incentive to remove malvertising other than a cursory effort to appease the lawyers and government.

This is why I install adblocks on all customer machines now (and we process a large amount). To an end user advertising of of limited utility, and comes with at minimum high annoyance and at worst malware/fraud/id theft.

Case in point, I was trying to find news information on a police standoff near my house, and one of the official local news stations ads were targeting nexus 6 with a scam 'free iPad' redirect. This only occurred on my Nexus 6, not a PC or LG phone. This is just normal day to day browsing, and I could not even read the news.

The state of affairs when it comes to online advertising and scams is very bad and will kill the industry very soon if changes are not made. Unfortunately it will likely bring down many good sites for real content with it.