Let’s Encrypt Issued Over 15,000 PayPal SSL Certificates to Phishing Sites

Internet users have a difficult time protecting themselves from phishing attacks these days. Although most of these spam messages are filtered by email service providers automatically, some of the messages get through regardless. The fact that PayPal phishing sites have a legitimate SSL certificate issued by Let’s Encrypt is not helping matters either.

Even PayPal Phishing Sites Have SSL Certificates

When it comes to mimicking a legitimate website, it is of the utmost importance to ensure the phishing platform has its own SSL certificate. Some people would think it is impossible for phishing sites to have an SSL certificate, but that is not the case. In fact, ever since Let’s Encrypt started issuing legitimate certificates, cyber criminals have started taking advantage of this opportunity.

To be more specific, Let’s Encrypt has issued over 15,000 PayPal certificates to phishing sites over the past few months. That means there are over 15,000 PayPal clones out there, all of which are designed to steal login credentials and payment information. It is evident criminals feel PayPal is still a very lucrative target, considering it is the largest online payment processor in the world today.

Industry experts have asked Let’s Encrypt to stop issuing any SSL certificate related to the term “PayPal“. For now, these requests have fallen on deaf ears, even though it seems evident why this is causing problems in the first place. To make matters worse, it is still possible to receive a PayPal-esque SSL certificate from Let’s Encrypt to this very day. Solving this problem will require a lot more effort from the Let’s Encrypt team, that much is certain.

There is no reason for SSL certificate issuers to make life easier for cyber criminals involved in phishing campaigns. While this issue affects all platforms other than PayPal as well, it is evident this particular platform is of great value to criminals. Moreover, it also goes to show PayPal users can expect a lot more phishing campaigns coming their way in the future.  That is not a positive development by any means.

Let’s Encrypt has a bit of habit of choosing the “hands-off approach” when it comes to revoking existing certificates. Even though there is plenty of reasons to revoke all of the fake PayPal certificates, the company seemingly has no plans to do so anytime soon. Unfortunately, that means a lot of innocent PayPal users will fall victim to these phishing attacks, resulting in potential financial damages.

The bigger question is who bears the responsibility for facilitating PayPal phishing attacks. It is true certificate issuers are not capable of running anti-fishing operations, yet that does not mean they are innocent either. Simply blocking any PayPal certificate request is not the right course of action, as it would “prevent legitimate use”, according to Let’s Encrypts Josh Aas. Consumers need to be very cautious when receiving emails from PayPal these days, that much is evident.

If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.