Over 14,000 SSL Certificates issued to PayPal phishing sites

Discuss various technical topics not related to Mozilla.
Reflective
Posts: 2283
Joined: February 15th, 2007, 11:13 am

Over 14,000 SSL Certificates issued to PayPal phishing sites

Post by Reflective »

There appears to be a CA out there called Let's Encrypt issuing SSL certificates for free, no questions asked. This means the good old lock symbol is no longer trustworthy and it's likely that quite a few users who take the lock symbol to mean that a site is trustworthy are going to be taken to the cleaners. Here's the story on that one: https://www.thesslstore.com/blog/lets-encrypt-phishing/

Now it just so happens that I read that article just before deciding to log in to the Singapore Airlines site to check my upcoming flight. Singapore, as you probably know, is just a city state about the size of LA, with 1 in 15 of its residents a millionaire. So I was a bit surprised to get a popup from Malwarebytes telling me the SIA site had been blocked even though it had a lock symbol with the usual https:// visible in the URL. Here's a screenshot of it. https://i.imgur.com/WMhUi3s.png

Not much on the web for the domain called ckm.iqiyi.com but when I used Nirsoft's IPNetInfo tool to track down the IP address, it turned out to be located in China. Here's a screenie of that: https://i.imgur.com/iDuWuXt.png

So China is only 5 hours' flying time from Singapore, but why would the country's flag carrier choose to host their site in China when there are many hosting companies located in their own country? After all, SIA isn't exactly a destitute airline scrambling for passengers, and it tends to upgrade its aircraft every five years. I decided to ping their site, but that resulted in an entirely different IP.

Next stop was a WHOIS site. As you can see from this one, there's no mention of ckm.iqiyi.com anywhere.

So given the Malwarebytes red flag, I'm inclined to take the view that their site has been compromised. I've sent them an email requesting feedback, so I'll update this thread when it arrives. In the meantime, folks, check out any sites you have to log in to, even if you see the trusted green lock symbol.
kreemoweet
Posts: 778
Joined: December 30th, 2009, 11:25 pm

Re: Over 14,000 SSL Certificates issued to PayPal phishing s

Post by kreemoweet »

The lock symbol has never meant a site was "trustworthy", unless it indicated an Extended Validation certificate, and even then the further validation steps were rudimentary. It just meant the connection data was encrypted, and the other end could very well be heinous evildoers.
Reflective
Posts: 2283
Joined: February 15th, 2007, 11:13 am

Re: Over 14,000 SSL Certificates issued to PayPal phishing s

Post by Reflective »

kreemoweet wrote:The lock symbol has never meant a site was "trustworthy", unless it indicated an Extended Validation certificate, and even then the further validation steps were rudimentary. It just meant the connection data was encrypted, and the other end could very well be heinous evildoers.
The problem is that if users click the green padlock on an https:// site, they'll see a message that the connection is secure. Most users will equate "secure" with "trustworthy" even though, as you quite rightly say, the padlock is only an indication that data is encrypted.

Also, although most non-techies won't know how to query it, the digital certificate can be checked for any site which is encrypted.

The "Let's Encrypt" CA controversy which allows phishing and other malicious sites to apply for a genuine SSL certificate rather than having to hijack one adds a new dimension to the equation.
rsx11m
Moderator
Posts: 14404
Joined: May 3rd, 2007, 7:40 am
Location: US

Re: Over 14,000 SSL Certificates issued to PayPal phishing s

Post by rsx11m »

It is always good practice to check the certificate if you connect to a site which keeps or asks for sensitive information. Obviously, the CA may be a weak link here if certificates are compromised or issued to malicious players. If you connect to a banking site and see "Let's Encrypt" as the CA, that is more than a good reason to get suspicious and perform other steps, as you have done, to verify a site's authenticity and origin (though outsourcing and "clouding" of services may be making this increasingly difficult). In the end, it's up to you whether or not to trust a site...
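The certificate check suggested in the two posts above (query the certificate, look at who the CA is, and confirm the name it was issued for), scripted with the openssl command line. This is an added example and is not code from the thread or from any of the sites mentioned in it. It assumes openssl 1.1.1 or newer is installed; the hostnames in the usage comments are placeholders. The fields it prints are exactly what a domain-validated certificate can and cannot tell you: the issuer and the subject alternative names say which CA vouched that someone controlled that DNS name at issuance time, and nothing about whether the operator is honest.

```shell
#!/bin/sh
# Added example, not part of the forum thread: the checks a person does by
# clicking the padlock, scripted with the openssl CLI so they can be run
# against a live host or against a saved PEM file. Assumes openssl >= 1.1.1.

# Fetch the leaf certificate a host presents for the given name (SNI) and
# print it as PEM. This is the one network call; the checks below work on
# a file so they can be run offline.
fetch_cert() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509
}

# Print the fields worth eyeballing: issuer, subject, validity window and
# the subject alternative names the certificate is actually valid for.
cert_summary() {
  openssl x509 -in "$1" -noout -issuer -subject -dates -ext subjectAltName
}

# Print only the issuer's organisation (e.g. "Let's Encrypt" for a DV cert
# from that CA) so a script can flag an unexpected CA for a given site.
# sep_multiline puts each RDN on its own line; the sed keeps just O=.
cert_issuer_org() {
  openssl x509 -in "$1" -noout -issuer -nameopt sep_multiline,utf8 \
    | sed -n 's/^ *O *= *//p'
}

# Exit 0 if the certificate is valid for hostname $2 (SAN or subject CN,
# wildcards honoured by openssl's own matching), non-zero otherwise.
# -checkhost prints "... does match ..." or "... does NOT match ...".
cert_has_name() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Usage against a live site (placeholder hostname):
#   fetch_cert www.example.com > site.pem
#   cert_summary site.pem
#   cert_issuer_org site.pem
#   cert_has_name site.pem www.example.com && echo "name matches"
```

The name check is the part that matters most for the phishing case the thread opened with: a certificate for paypal-login.example is perfectly genuine and will still fail `cert_has_name` for paypal.com, which is the question the padlock alone never answers.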
Grumpus
Posts: 13246
Joined: October 19th, 2007, 4:23 am
Location: ... Da' Swamp

Re: Over 14,000 SSL Certificates issued to PayPal phishing s

Post by Grumpus »

Might want to look at this Fireball adware, as it may be related in mechanics and cert phishing.
Doesn't matter what you say, it's wrong for a toaster to walk around the house and talk to you