CybleBlogs-Cybersecurity Certifications for Sale-Fraud

Cybersecurity Certifications For Sale – An Open Secret

Fraudulent Certificates Puts Infosec Professionals’ credibility at risk

Professional certifications, including cybersecurity certifications, are a key indicator of qualifications and skill, thus offering a foothold into a competitive workforce. According to a 2020 Gallup poll, certifications are associated with better jobs, more career advancement opportunities, and higher job satisfaction.

However, the increasing demand for cybersecurity professionals has led to a rise in fraud in cybersecurity certifications. This can be seen in cybercrime forums and darknet marketplaces, with TAs (Threat Actors) selling exam manuals, ‘remote passing’ services where someone else takes the exams, and ‘brain dumps’: illegally obtained questions and answers.  

Our research found TAs offering these services, which affected vendors such as INE (eLearnSecurity), Offensive Security, EC-Council (ISC)², TCM Security, SANS, CompTIA, Burp Suite, and Zero Point Security, among others.

Figure 1: TA’s e-commerce site for selling illicit exam material

Figure 2: Exam subsection on a popular darknet forum

From the underground forums and groups, we found that payment methods include gift cards, Paypal, and cryptocurrency. The price band varied from USD 500 to USD 800 for practical assessments. The cost for “remote passing” an exam varied, with practical exams costing more than written ones. Some TAs included exam vouchers in their service and guaranteed “passing on first attempt”, suggesting that the cost of exam retakes may be a motivating factor for fraud.

One prolific TA offered to install a custom remote access tool while claiming to have “helped” over 100 individuals pass their exams using this method. This poses an additional long-term risk to exam takers by possibly having malware or keyloggers on their devices.

Other TAs used commercial remote access options such as AnyDesk and TeamViewer. Feedback from buyers included screenshots of certifications, some of which still contained identifying information.

Figure 3: TA shares pricing for fraudulent certifications

Figure 4.1: Two TAs offering fraudulent certifications obtained on first attempt
Figure 4.2: Two TAs offering fraudulent certifications obtained on first attempt

This activity is not limited to underground forums, as many of these accounts have taken to approaching job seekers on LinkedIn as well, under the guise of offering legitimate training services.

Figure 5: Fake LinkedIn profiles promoting fraudulent certifications

The Effects and Impact of Certification Fraud

The consequences of fraud in cybersecurity certifications affect the industry as a whole. Fraud undermines the certification system’s credibility and makes it difficult for employers to identify qualified professionals without rigorous interviews.

If the fraudsters are hired, employers discover that they may not have the skills or knowledge claimed, which can lead to underperformance at best and cyber incidents at worst.

As for the certification authorities and vendors, their intellectual property is sold by TAs, thereby draining revenue while simultaneously lowering the certifications’ value.

Effect and Impacts on the Industry, Employers, and Certifying authorities

1. Industry

  • New hires will have lower credibility regardless of the veracity of their certification
  • Truly skilled professionals will lose visibility in the job marketplace due to the saturation of the talent pool
  • Employees who depend on false credentials will struggle to catch up once hired

2. Employers

  • Employers will be more prone to costly hiring mistakes
  • Employees without the appropriate qualifications are likelier to cause or enable reputational/brand image damage to the firm

3.  Certifying authorities

  • Vendors will lose significant revenue due to intellectual property theft
  • Employees with false certifications are likely to underperform/not perform at all, leading to a loss of revenue
  • The value of certification will be diluted due to the cheating incidents

To address this issue, organizations that offer cybersecurity certifications must implement stricter measures to prevent fraud. This includes:

  • Preventing known methods of abuse (e.g., AnyDesk or similar remote desktop software) for practical exams
  • Active monitoring and takedowns of leaked material while pursuing legal action
  • Revoking cheaters’ certificates
  • Re-structuring exams to prevent passing through memorization.

As for employers, potential candidates should be interviewed with the intent to determine their current knowledge level and fit for company culture rather than depending on certifications alone as a shorthand for credibility.

Reference:

Recent Blogs

BATLoader-RATs-Stealers-OneNote

Cyble analyzes BATLoader – A sophisticated loader being utilized by Threat Actors to deliver several malware families.

Read More »
Qakbot-Microsoft-OneNote

Cyble Research & Intelligence Labs analyzes new strategies deployed by Qakbot to infect users via Microsoft OneNote.

Read More »
Scroll to Top