User Tools

Site Tools


certificate_monitoring

What is certificate monitoring about?

Many certificate services automatically issues domain-validated (DV) certificates to websites by checking the URL's phishing status against the Google Safe Browsing API. Once issued, the issuer does not monitor the certificates or take any action afterward. Even if Google later flags the domain as malicious, the issuer will not revoke certificates. As a result, many phishing websites are secured with SSL certificates, spoofing the legitimate clients name. By monitoring the certificate logs, you can detect if your organizations name gets spoofed on SSL certificates. The reason why this is possible is that the issuer submits all of the certificates into a certificate transparency log. This is a mechanism designed to increase public transparency into the activities of CAs. The logs can be accessed by Kaduu.

What is a certificate transperency log?

Certificate Transparency (CT) logs are public, append-only logs that are used to record the issuance of SSL/TLS certificates. These logs are designed to improve the transparency and accountability of the certificate issuance process by making it possible for anyone to view the information that is recorded in the logs.

  • CT logs are used to record the issuance of SSL/TLS certificates, including the domain name that the certificate was issued for, the identity of the issuing certificate authority (CA), and the public key of the certificate.
  • CT logs are publicly accessible, and anyone can view the information that is recorded in them. This allows anyone to verify that a certificate was issued by a trusted CA and that it has not been tampered with.
  • CT logs provide a way to detect and revoke misissued certificates, and this makes it more difficult for attackers to obtain fraudulent certificates.
  • CT logs can be used to monitor the issuance of certificates in real-time, and this allows organizations to detect and respond to potential security threats more quickly.
  • CT logs are an important part of the certificate issuance process, and they are required by modern browsers such as Google Chrome, Mozilla Firefox, and Microsoft Edge, as well as other industry standards.
  • There are multiple CT logs operated by different organizations, but all of them are expected to follow the same CT log standard, to ensure consistency and interoperability between them.

What is the benefit of this monitoring?

You can prevent social engineering and phishing attacks by detecting malicious websites as they are being created. Many hackers secure their phishing websites with SSL, for example, in order to make the user believe that the site is trustworthy and secure. As soon as we recognize the name of the organization to be monitored in the certificate, an alarm is triggered. a hacker could create a fake e_banking site, for example. Let's assume the original domain of the attacked bank is https://ebanking365.com. The hacker could now create a website with the login https://ebanking365.webhosting.ru. As long as you monitor "ebanking365" as a search term, you will be notified when this certificate is created.

What should you do if you receive an alert?

First of all, you need to evaluate whether the website is legitimate or not. One should resolve the IP address of the server ("ping ebanking365.webhosting.ru") and clarify whether the domain or website was created by one's own organization. If not, go through the following steps:

Report the website to the following organisations: phishing-report@us-cert.gov report@phishing.gov.uk reportphishing@apwg.org reportphishing@antiphishing.org phish@phishtank.com https://www.europol.europa.eu/report-a-crime/report-cybercrime-online

Copy the malicious URL of the phishing site and use it to report to the following anti phishing services Google: https://www.google.com/safebrowsing/report_phish/?hl=en Symantec: https://submit.symantec.com/antifraud/phish.cgi Eset: http://phishing.eset.com/report PhishTank: https://www.phishtank.com/ Microsoft: https://support.microsoft.com/en-us/kb/930167 Netcraft: http://toolbar.netcraft.com/report_url

Use the web based tools like https://whois.domaintools.com/ to look up the domain and take note of the details. Specifically look for Name Servers, Registrant & Registrar & Abuse contacts

For malicious domains, contact the hosting service and the domain registry to notify them of the scam, requesting that they take action to suspend the account or take it offline. Often this email is sent to abuse@. Follow up with a phone call to both the hosting service and the domain registry with the request

How does certificate monitoring differ from domain monitoring?

We take the above example: If the organization to be monitored has https://ebanking365.com as a website, domain monitoring can find all misspellings or domains that have ebanking365 in the main domain. But if a hacker uses a subdomain and e.g. replaces the "www" with ebanking365 (https://ebanking365.webhosting.ru.), this cannot be detected with domain monitoring, but with certificate monitoring if the hacker secures the website with SSL.

What CA's do we monitor?

We monitor all common CA's. Here are some examples:

  • cPanel, Inc. Certification Authority,
  • LetsEncrypt,
  • Cloudflare, Inc,
  • Sectigo Limited,
  • GlobalSign nv-sa,
  • DigiCert Inc,
  • Google Trust Services LLC,
  • ZeroSSL RSA Domain Secure Site CA,
  • Amazon,
  • Unizeto Technologies S.A,
  • Go Daddy Secure Certificate Authority,
  • Microsoft Azure TLS Issuing CA 02,
  • TWCA Secure SSL Certification Authority,
  • Sectigo RSA Domain Validation Secure Server CA

How does it work?

Setting up certificate monitoring is very simple. Navigate to the expert menu and click on certificates. You can enter a search term like "bank". Kaduu will show you all the results that contain the word "bank". If you want to get notified about new certificates containing the same word, you can go to alerts and setup your alert.

certificate_monitoring.txt · Last modified: 2023/05/22 20:40 (external edit)