In the wild: Phony SSL certificates impersonating Google, Facebook, and iTunes

Researchers have found dozens of fake certificates impersonating the secure sections of online banks, e-commerce sites, and social networks. Google, Facebook, iTunes, and even a POP e-mail server belonging to GoDaddy are a small sample of the services affected by the fraudulent credentials, which in some cases can allow attackers to read and modify encrypted traffic passing between end users and protected servers.
The secure sockets layer (SSL) certificates don't pose much of a threat to people using a popular Web browser to visit spoofed websites, because the credentials aren't digitally signed by a trusted certificate authority, researchers from Netcraft wrote in a blog post published Wednesday. They went on to say that people accessing sensitive websites with smartphone apps or other non-browser software may not be so lucky.
They cited several reports published in the past few years that detailed fatal weaknesses in popular software that made it possible for attackers to decrypt encrypted traffic and in some cases impersonate a cryptographically authenticated server. An October 2012 academic study, for instance,uncovered critical defects in a wide-range of applications running on computers and smartphones—some from banks such as Chase and services such as AOL—that failed to check the validity of SSL certificates. A separate study found that Android apps installed on as many as 185 million devices exposed end users' online banking and social networking credentials as well as e-mail and instant-messaging content because the programs used inadequate encryption protections. A more recent report from security firm IO Active uncovered similar weaknesses in apps written for Apple's iOS platform.
"Online banking apps for mobile devices are tempting targets for man-in-the-middle attacks, as SSL certificate validation is far from trivial, and mobile applications often fall short of the standard of validation performed by web browsers," the Netcraft researchers wrote in Wednesday's report. "40 percent of iOS-based banking apps tested by IO Active are vulnerable to such attacks because they fail to validate the authenticity of SSL certificates presented by the server. 41 percent of selected Android apps were found to be vulnerable in manual tests by Leibniz University of Hannover and Philipps University of Marburg in Germany."
Many of the fake SSL certificates discovered by Netcraft were created with malicious intentions. A wildcard certificate for *.google.com suggests an attempt to spoof a variety of Google services. The fake certificate was served by a machine in Romania hosting other sites with .ro and .com domains. The phony credential claims to have been issued by America Online Root Certification Authority 42. The name closely mimics a legitimate trusted root certificate that is installed in all browsers, although it's not enough to trick them. Other fraudulent credentials masqueraded as certificates for Facebook, iTunes, and a payment service and bank located in Russia.
Yet another bogus certificate covered pop.where.secureserver.net, a server address belonging to GoDaddy's POP e-mail service.
"In this case, the opportunities could be criminal (capturing mail credentials, issuing password resets, stealing sensitive data) or even state spying, although it is unexpected to see such a certificate being offered via a website," the Netcraft report stated. "Although the actual intentions are unknown, it is worth noting that many mail clients allow certificate errors to be ignored either temporarily or permanently, and some users may be accustomed to dismissing such warnings."
Fortunately, many of the most popular apps—such as those for Twitter, Facebook, Google, and others—use a technique known as certificate pinning that automatically rejects connections from sites that offer bogus SSL certificates. And as already stated, major browsers will offer scary warnings when encountering unsigned credentials. But given the large number of e-mail clients, smartphone apps, and other non-browser programs available, it's not a stretch to think the certificates discovered by Netcraft are fooling some people right now. You should carefully consider the source of any app that connects to an SSL-protected server before installing it, and you should never click through pop-up windows that warn of self-signed certificates.
Source