The certificates are used to make users believe that they are on the right website when they are not, allowing attackers to perform Man-in-the-Middle attacks and, thusly, be able to get all the information sent and received by the users and the sites, with both the users and the companies being none the wiser.
As explained by security analyst Paul Mutton:
The fake certificates bear common names which match the hostnames of their targets (e.g. www.facebook.com). As the certificates are not signed by trusted certificate authorities, none will be regarded as valid by mainstream web browser software; however, an increasing amount of online banking traffic now originates from apps and other non-browser software which may fail to adequately check the validity of SSL certificates.
Fake certificates alone are not enough to allow an attacker to carry out a man-in-the-middle attack. He would also need to be in a position to eavesdrop the network traffic flowing between the victim's mobile device and the servers it communicates with. In practice, this means that an attacker would need to share a network and internet connection with the victim, or would need to have access to some system on the internet between the victim and the server. Setting up a rogue wireless access point is one of the easiest ways for an individual to carry out such attacks, as the attacker can easily monitor all network traffic as well as influence the results of DNS lookups (for example, making www.examplebank.com resolve to an IP address under his control).
Online banking apps for mobile devices are notoriously bad at SSL certificate validation, and as Mutton points out, "both apps and browsers may also be vulnerable if a user can be tricked into installing rogue root certificates through social engineering or malware attacks."
Among the fake SSL certificates they have discovered was one used to "legitimize" a Facebook phishing page served from a server in Ukraine; one "wildcard" certificate served from a machine in Romania and possibly used to impersonate a variety of Google services; one to impersonate a large Russian bank and one to mimic a Russian payment services provider; one to imitate Apple iTunes.
It's interesting to note that they have also found a phony certificate used to impersonate GoDaddy's POP mail server. "In this case, the opportunities could be criminal (capturing mail credentials, issuing password resets, stealing sensitive data) or even state spying, although it is unexpected to see such a certificate being offered via a website," Mutton pointed out.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.