Researchers have discovered that digital code signing certificates are being sold for more than is required to buy a gun in the web’s underground markets.
On Tuesday, security researchers from Venafi said there is a flourishing trade in the sale of digital code signing certificates, which can be used to verify software applications.
These certificates are a fundamental way of ensuring software and apps are legitimate, but if compromised, can be used to install malware on networks and devices while avoiding detection.
“We’ve known for a number of years that cybercriminals actively seek code signing certificates to distribute malware through computers,” said Peter Warren, chairman of the CSRI. “The proof that there is now a significant criminal market for certificates throws our whole authentication system for the internet into doubt and points to an urgent need for the deployment of technology systems to counter the misuse of digital certificates.”
The six-month investigation was carried out by the CSRI in partnership with the Cyber Security Centre at the University of Hertfordshire.
“With stolen code signing certificates, it’s nearly impossible for organizations to detect malicious software,” said Kevin Bocek, chief security strategist at Venafi. “Any cybercriminal can use them to make malware, ransomware, and even kinetic attacks trusted and effective.”
“In addition, code signing certificates can be sold many times over before their value begins to diminish, making them huge money makers for hackers and dark web merchants,” the executive added. “All of this is fuelling the demand for stolen code signing certificates.”
In October, Flashpoint researchers uncovered another worrying trend in online underground marketplaces: the sale of remote access to PCs. Access to Windows XP desktop PCs is being sold for as little as $3, and attackers can tap into compromised Windows 10 systems for only $9.
Given this access, cyberattackers can spy on consumers and businesses without the need to compromise systems through phishing or malware campaigns.