More than 14,000 SSL certificates have been issued to PayPal phishing sites, providing them with a veneer of authenticity behind which they can scam potential dupes.
That is according to research from The SSL Store, part of security software company Rapid Web Services.
Earlier this month Vincent Lynch, the SSL Store's encryption expert, called on free open certificate authority Let's Encrypt to stop issuing certificates containing the word ‘PayPal’. He said that certificates containing the term were being "pervasively abused", and that the continued issuance of the certificates "posed a danger to the web by bestowing legitimacy to phishing sites".
It had found that Let's Encrypt had already issued nearly 1,000 certificates containing the term ‘PayPal’, of which more than 99 per cent were intended for phishing sites.
Now, the SSL Store has researched its own claim further and found that it was a major underestimate. It claims that Let's Encrypt has actually issued 15,270 ‘PayPal’ certificates, more than ten times the previous estimate.
It said that the majority of this issuance had occurred since November 2016, and that Let's Encrypt had been issuing nearly 100 ‘PayPal’ certificates per day since then.
Based on a random sample, the SSL Store said that 96.7 per cent of these certificates were intended for use on phishing sites.
The concern from the SSL Store is that many phishing sites will be using an SSL certificate and an HTTPS configuration, and that users will misconstrue this as a sign of a legitimate site.
As well as PayPal phishing, other targets include Bank of America, Apple IDs and Google. Lynch said that Let's Encrypt had issued thousands more of these certificates.
"The new data clearly shows that use of HTTPS on phishing sites is significantly higher than previously thought," he said.
While the fake websites will usually be spotted and taken down within a couple of days, this is often enough time for phishers to do some damage.
According to Ilia Kolochenko, CEO of web security company High-Tech Bridge, Let's Encrypt is doing a good job in its mission to globally convert plaintext HTTP traffic to encrypted HTTPS traffic.
However, he believes that the company "should have foreseen massive abuse by phishers".
"[Let's Encrypt] should implement at least some basic security verifications, such as refusing SSL certificates for domains that contain popular brand names inside," he said.
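As an added example, not code from the article or from any of the companies it mentions, the Python sketch below applies the kind of brand-name check Kolochenko describes to certificate names (for instance those read from a certificate transparency log) and counts flagged certificates per day, the way the SSL Store's figures are presented. The brand list, the sample records and the crude two-label apex heuristic are assumptions, not anything the article specifies.

```python
import re
from collections import Counter
from datetime import datetime

# Brands to watch for, with the domains that legitimately carry them (assumed list).
WATCHED_BRANDS = {
    "paypal": {"paypal.com", "paypal.me"},
    "bankofamerica": {"bankofamerica.com"},
}

def registrable_domain(name: str) -> str:
    """Crude apex extraction: the last two labels. A real check should use the
    public suffix list; this shortcut is an assumption for the example."""
    labels = name.lower().lstrip("*.").split(".")
    return ".".join(labels[-2:])

def brand_hits(name: str) -> list:
    """Return watched brands appearing anywhere in a certificate name once
    separators such as '-' or '_' are squashed (pay-pal, pay_pal). Names whose
    apex is the brand's own domain are not flagged. Substring matching will
    also hit unrelated words that happen to contain a brand, so treat hits as
    leads for review, not as proof of phishing."""
    squashed = re.sub(r"[^a-z0-9]", "", name.lower())
    hits = []
    for brand, legit in WATCHED_BRANDS.items():
        if brand in squashed and registrable_domain(name) not in legit:
            hits.append(brand)
    return hits

def triage(records):
    """records: iterable of (iso_timestamp, [names]) per certificate.
    Returns (flagged, per_day): the flagged certificates and a Counter of
    flagged certificates per calendar day."""
    flagged, per_day = [], Counter()
    for ts, names in records:
        hits = sorted({b for n in names for b in brand_hits(n)})
        if hits:
            flagged.append((ts, names, hits))
            per_day[datetime.fromisoformat(ts).date().isoformat()] += 1
    return flagged, per_day

# Constructed sample records standing in for log entries; not real certificates.
SAMPLE = [
    ("2017-03-20T08:01:00", ["www.paypal.com", "paypal.com"]),
    ("2017-03-20T09:15:00", ["paypal-secure-login.example"]),
    ("2017-03-20T11:42:00", ["pay-pal.verify-account.example"]),
    ("2017-03-21T03:05:00", ["shop.example"]),
    ("2017-03-21T07:30:00", ["signin.bankofamerica-alerts.example"]),
]

if __name__ == "__main__":
    flagged, per_day = triage(SAMPLE)
    for ts, names, hits in flagged:
        print(ts, names, "->", hits)
    print(dict(per_day))
```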
But Kolochenko believes that web browsers marking any HTTPS website as secure bear more responsibility for the growing phishing problem.
"Web browsers encourage users to blindly trust the HTTPS websites' security without any justifiable reason, failing to mention that it's only about channel encryption and almost nothing about website trustworthiness or web application security," he said, emphasising that it was now difficult to determine whose carelessness contributed more to the increase of phishing campaigns.
Kolochenko also questions whether it is reasonable to encrypt all web traffic, as he believes it allows malware to bypass various security mechanisms more easily, causing huge damage to end users and companies.
"I am quite sure that if we will see how many of Let's Encrypt SSL certificates are used by malware to exfiltrate stolen data - results will be pretty scary. Therefore, it's difficult to predict how Let's Encrypt will shape its growth strategy in the future to preclude cybercriminals from abusing its desire to make the web safer," he said.