15 Mar

ESSLCerts Scam

I recently had a customer ask me whether the email below (from esslcerts.com) is legitimate. It most certainly isn’t; it is just another bottom feeder trying to extract your hard-earned cash with an unsolicited and erroneous email.

Most hosting providers that use the WHM/cPanel platform (as we do) provide their customers with a legitimate SSL certificate free of charge by way of the AutoSSL certificate service, which has been integrated with WHM for some time now. Here is the scam email our customer received:

From: SSL Security <noreply@esslcerts.com>

Subject: [Expiration Notice] ############.com.au
Certificate Purpose: Blah Blah
Message Body: This message is to alert you that the Free 1-Year subscription of the SSL certificate (HTTPS) on your website is no longer valid. This means that hackers can now snoop in on your website easily. Online viruses, bad actors or competitors can steal your sensitive personal information as well as your customers’ registration data for malicious purposes.

Further, an invalid or expired SSL also infringes GDPR (General Data Protection Regulation; effective May 25, 2018). Article 32 of GDPR requires that regulated information must be protected with appropriate technical and organizational measures, including encryption of personal data and the ability to ensure the ongoing confidentiality of systems and services.

As a result of this, Google has also started to mark all connections to your website as “insecure”. You can check this by looking at the security status (to the left of the web address) of your website in any web browser. You will see that there is no Green PADLOCK visible next to your web address.

To fix this problem, you are required to re-deploy an SSL certificate on your website now:

This will encrypt data and secure all connections on your website. The digital certificate will be emailed to you within minutes after verification.

WARNING: Your website may stop functioning securely within 72 hours if it is reported as a malicious website, as a result of hosting insecure content. For more information see part 7.2P of our service agreement. We can not be held liable for any financial or technical losses resulting from this.

The email is quite well written and I’m sure many people have been caught by this scam.
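A claim like "your SSL certificate is no longer valid" can be checked against the certificate the site actually serves, without clicking anything in the email. The script below is an added example, not part of the original post; the function names and the sample certificate are constructed for illustration, and the host you pass to `check_site` is your own domain.

```python
import socket
import ssl
import time


def summarize_cert(cert, now=None):
    """Summarize a dict in the shape returned by SSLSocket.getpeercert()."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    # "issuer" is a tuple of RDNs, each a tuple of (name, value) pairs.
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    return {
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "days_left": int((not_after - now) // 86400),
        "in_validity_period": not_before <= now <= not_after,
    }


def check_site(host, port=443, timeout=10):
    """Fetch the certificate the site serves and report whether it validates."""
    ctx = ssl.create_default_context()  # verifies chain, hostname and dates
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"trusted": True, **summarize_cert(tls.getpeercert())}
    except ssl.SSLCertVerificationError as exc:
        # An expired, self-signed or mismatched certificate ends up here.
        return {"trusted": False, "reason": exc.verify_message}


# Constructed sample in getpeercert() format (not a real certificate).
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example CA"),),
               (("commonName", "Example CA R1"),)),
    "notBefore": "Feb  1 00:00:00 2024 GMT",
    "notAfter": "May  1 00:00:00 2024 GMT",
}

if __name__ == "__main__":
    # Offline demonstration; call check_site("your-domain.example") for a live check.
    print(summarize_cert(SAMPLE_CERT))
```

If `check_site` returns `trusted: True` with a positive `days_left`, the certificate is in date and chains to a trusted CA, so the expiry notice is false.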