Spoofed PayPal E-mail using SSL Cert

Today I received a spoofed E-mail looking like a PayPal receipt

Among all the non-working links is one that is labeled

Resolution Center

It redirects via a BitLy link to


This site is using a signed cert from Lets Encrypt that makes it look almost legitimate

This is clearly a spoof // Phishing site that is using the SSL signing to hide behind to make it look more legitimate and if someone does put there real PayPal accoiunt in they will get hijacked.

If there would be a way to revoke their SSL cert from this site it will reduce the legitimate look of the fake site

No it doesn't.

It just tells the user the connection between him/her and this spoofing site is secure. Nothing more, nothing less.

You can report a certificate that is being used to conduct fraud:

1 Like

Well, it might, if browsers checked revocation information--but they generally don't. However, browsers these days typically highlight the domain name. If you click on the link, you'll see that "com-security-login-account.com" is in black text in the address bar, while the rest of the URL is in gray. That's the purpose--to show you what domain you're actually visiting.

But even so, I'm a little surprised that the cert was issued, as I thought Let's Encrypt had some blocking mechanisms that would have prevented it. @cpu? @jsha?

Let’s Encrypt uses Google’s Safe Browsing API to check if the domain a certificate is request for is known to be malicious. If that’s the case, issuance is blocked. This check is only performed during issuance; there’s no automatic revocation if the domain gets added later on (though renewal will be blocked).

There’s a blacklist for high-profile domains (like paypal.com), but that is more of a defense-in-depth mechanism for potential domain validation vulnerabilities. AFAIK the blacklist consists mostly of *.<blacklisted-label>.<tld> rules, i.e. something like paypal.com, paypal.io, www.paypal.com would be blocked, but paypal.com.example.com wouldn’t.

For some more details about Let’s Encrypt’s stance on phishing, see this blog post.


That’s the part I was thinking of, but wasn’t aware it worked that way. Though I suppose it makes sense–you should be able to get paypal-sucks.com, for example, without an issue, even if it does contain “paypal.”

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.