UPDATED! An analysis of counterfeit code signing certificates found that while usage is rising, the prices charged by the malicious vendors are currently high enough to stop the service from going mainstream.
Recorded Future noted in its study of this methodology that the vendors' greed is proving to be a saving grace, because these counterfeit certificates not only appear to have been issued by legitimate firms such as Symantec and Comodo, but are also highly effective at slipping past security controls. Recorded Future's Insikt Group found only two groups currently operating, and both sell their services solely to Russian-speaking hackers.
“Contrary to a common belief that the security certificates circulating in the criminal underground are stolen from legitimate owners prior to being used in nefarious campaigns, we confirmed with a high degree of certainty that the certificates are created for a specific buyer per request only and are registered using stolen corporate identities, making traditional network security appliances less effective,” the study stated.
Prices reported by Recorded Future for the two groups range from $299 for a standard, basic-trust certificate with no SmartScreen reputation, labeled as issued by Comodo, to $1,799 for an EV SSL certificate bundled with EV code signing. In all cases the end product, which is custom made for each buyer, is delivered within two to five business days.
All the fake certificates are registered using the information from real corporations.
Insikt found that only a few antivirus products were able to detect code signed with the counterfeit certificates.
The report's final takeaway is that these counterfeit certificate providers are pricing themselves out of reach of all but the most deep-pocketed criminals.
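The study's point that these certificates chain to real CAs under stolen corporate identities means a valid signature by itself is not a trust signal. As an added illustration (not code from Recorded Future or SC Media), the triage below treats a valid chain as necessary but not sufficient and additionally checks the publisher name against an allowlist and the certificate's age at signing time; the allowlist, thresholds and sample signer records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Fields a defender would extract from a binary's Authenticode signer certificate
# (e.g. with a PE/PKCS#7 parser or an EDR inventory). Sample values are constructed.
@dataclass
class SignerInfo:
    subject_org: str      # organisation named in the signing certificate
    issuer_cn: str        # CA that issued it
    not_before: datetime  # start of certificate validity
    signing_time: datetime
    chain_valid: bool     # chains to a trusted root and is not revoked
    ev: bool              # extended validation certificate

# Hypothetical allowlist of publishers this fleet is expected to run.
KNOWN_PUBLISHERS = {"Example Corp", "Contoso Ltd"}

def triage(info, max_cert_age_days=30):
    """Return the reasons a signed binary deserves analyst review; [] means no flag."""
    reasons = []
    if not info.chain_valid:
        return ["signature chain invalid"]
    # Per the study, counterfeit certificates are issued by legitimate CAs using a
    # stolen corporate identity, so chain validity and EV status prove nothing about
    # the real publisher; the organisation name must still be one we expect.
    if info.subject_org not in KNOWN_PUBLISHERS:
        reasons.append("publisher '%s' not in allowlist" % info.subject_org)
    # Certificates are made to order within days of the buyer's request, so a very
    # young certificate signing code is a useful heuristic (assumed 30-day threshold).
    age = info.signing_time - info.not_before
    if age < timedelta(days=max_cert_age_days):
        reasons.append("certificate only %d days old at signing time" % age.days)
    return reasons

# Constructed samples: an established publisher, a fresh certificate in an unknown
# organisation's name (the pattern described in the study), and a broken chain.
SAMPLES = {
    "established": SignerInfo("Example Corp", "Example Code Signing CA",
                              datetime(2016, 1, 1), datetime(2018, 2, 1), True, False),
    "made_to_order": SignerInfo("Stolen Identity LLC", "Constructed Public CA",
                                datetime(2018, 1, 28), datetime(2018, 2, 1), True, True),
    "bad_chain": SignerInfo("Example Corp", "Example Code Signing CA",
                            datetime(2016, 1, 1), datetime(2018, 2, 1), False, False),
}

def run_samples():
    """Triage every constructed sample and return {name: reasons}."""
    return {name: triage(info) for name, info in SAMPLES.items()}

if __name__ == "__main__":
    for name, reasons in run_samples().items():
        print(name, "->", reasons or "no flag")
```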
"Hacked code-signing certificates certainly present an extended challenge to IT security teams, and are a potentially effective tactic to bypass traditional security appliances. Humans cannot keep pace with the number of threats and feeds out there, so flagging what appears to be legitimate risk becomes an impossible ask. This is where AI and deep learning can be leveraged to augment and enhance the capacity and ability of human threat analysts," Manoj Asnani, VP Product and Design, Balbix, told SC Media.