A netcraft report highlights that both Let’s Encrypt and Comodo have been issuing thousands of domains that in some form or the other contain the words “apple”, “paypal” or “ebay” in them, and that virtually all of these domains are being used for phishing or other fraudulent activities.
Netcraft provides a metric called “Deceptive Domain Score“, and uses the opportunity to promote this service of theirs, requesting that certificate authorities implement a similar service.
In each of these examples above — and in the other statistics referenced above — the certificate authority had sight of the whole hostname that was blocked. These examples did not rely on wildcard certificates to carry out their deception. In particular, some of these examples (such as update.wellsfargo.com.casaecologica.cl) demonstrate that the certificate authority was better placed to prevent misuse than the domain registrar (who would have seen casaecologica.cl upon registration).
The two services are attractive to phishers, because they offer TLS certificates for free and through an API, with a very limited screening process. Both services are using the Safe Browsing API to check if the domain being certified does contain malware, but because it usually does not at the time the cert is being issued this is pointless. Netcraft would rather have the CAs buy their Deceptive Domain Scoring service instead.