Fraudulent web certificates detected by Microsoft, as provider Comodo points the finger at an Iranian state-driven attack

News by Dan Raywood

Microsoft has warned of nine fraudulent digital certificates that affect websites including Google, Yahoo and Skype.

In a security advisory, Microsoft said that certification authority Comodo had reported last week that nine certificates were issued on behalf of a third party without sufficiently validating its identity. Because browsers trust Comodo as a root, Microsoft warned, the certificates could be used to spoof content, mount phishing attacks or perform man-in-the-middle attacks against users of any web browser.

In its own report, Comodo said that one of its registration authorities (RAs) was attacked and that a single user account at that RA was compromised. The account was then used to fraudulently request and issue the nine certificates, covering seven different domains.

Comodo also said that its own infrastructure had not been compromised, nor had the keys in its hardware security modules or any other RA or RA user account.

Comodo said: “One user account in one RA was compromised. The attacker created himself a new user ID (with a new username and password) on the compromised user account.

“The attacker was well prepared and knew in advance what he was to try to achieve. He seemed to have a list of targets that he knew he wanted to obtain certificates for, was able quickly to generate the CSRs for these certificates and submit the orders to our system so that the certificates would be produced and made available to him.

“Although they requested nine certificates, we do not know if they received all of these certificates. We know that they definitely received one of the certificates and all certificates were revoked immediately on discovery.”

Comodo said it immediately contacted the principal browser vendors and the affected domain owners and alerted them to what had happened. The RA account in question has been suspended pending an ongoing forensic investigation.
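The sequence described above, reproduced with the openssl command line as an added example (this is not code from the article, Microsoft or Comodo): a throwaway root CA stands in for the trusted issuer, and a certificate is signed for a hostname the requester never proved it owns. The hostname login.example.test, the CA name and every file are constructed for the demo. A client that only validates the chain and the hostname accepts the certificate, because the issuer's signature is genuine; a client that also consults the CA's CRL rejects it, which is what the revocation Comodo describes relies on.

```shell
#!/bin/sh
# Added example, not from the article: a trusted CA signs a certificate for a
# hostname the requester does not own, chain validation accepts it, and only a
# revocation check rejects it.  All names and files here are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# 1. A root CA the client already trusts (stands in for the real issuer whose
#    RA account was abused).  cRLSign lets it sign the CRL checked below.
openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -sha256 -days 2 \
  -subj "/CN=Demo Trusted Root" -keyout ca.key -out ca.crt 2>/dev/null

# 2. The requester generates a key and CSR for a domain it does not control.
#    Nothing in a CSR proves ownership; that validation was the RA's job.
openssl req -config req.cnf -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=login.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null

# 3. The CA signs it anyway, binding the hostname into subjectAltName.
printf 'subjectAltName=DNS:login.example.test\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 2 -sha256 -extfile leaf.ext -out leaf.crt 2>/dev/null

# What a browser does on connect: chain to a trusted root plus hostname match.
# Returns 0 (accepted) because the CA signature is genuine.
verify_chain_and_hostname() {
  openssl verify -verify_hostname login.example.test \
    -CAfile ca.crt leaf.crt >/dev/null 2>&1
}

# 4. The CA revokes the certificate and publishes a CRL.  A minimal
#    "openssl ca" database is all the revocation bookkeeping needs.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = index.txt
crlnumber        = crlnumber
default_md       = sha256
default_crl_days = 1
EOF
: > index.txt
echo 01 > crlnumber
openssl ca -config ca.cnf -keyfile ca.key -cert ca.crt -revoke leaf.crt 2>/dev/null
openssl ca -config ca.cnf -keyfile ca.key -cert ca.crt -gencrl -out ca.crl 2>/dev/null
cat ca.crt ca.crl > ca_with_crl.pem

# The same client check, now consulting the CRL.  Returns non-zero (rejected).
verify_with_crl() {
  openssl verify -crl_check -verify_hostname login.example.test \
    -CAfile ca_with_crl.pem leaf.crt >/dev/null 2>&1
}

# The reason OpenSSL reports for the rejection, for display.
crl_failure_reason() {
  openssl verify -crl_check -CAfile ca_with_crl.pem leaf.crt 2>&1 \
    | grep 'revoked' | head -n 1
}

if verify_chain_and_hostname; then
  echo "chain + hostname only: ACCEPTED  (mis-issued certificate is trusted)"
else
  echo "chain + hostname only: rejected"
fi
if verify_with_crl; then
  echo "with CRL checked:      accepted"
else
  echo "with CRL checked:      REJECTED  ($(crl_failure_reason))"
fi
```

Run it as a shell script with OpenSSL 1.1.1 or later on the path (the -verify_hostname option needs 1.1.x). The caveat a practitioner should keep in mind: revocation only protects a client that actually fetches and enforces the CRL or OCSP response, and an attacker who can reroute traffic to Skype or Gmail, as Hypponen describes below, is equally able to block that lookup. That is why a CA's notification of browser vendors matters as much as the revocation itself: vendors can ship the bad certificates in a blocklist that does not depend on a network fetch.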

Comodo added that the attack came from several IP addresses, but mainly from Iran. “As the Iranian government has recently attacked other encrypted methods of communication this leads us to one conclusion: that this was likely to be a state-driven attack,” it said.

Mikko Hypponen, chief research officer of F-Secure, said: “What can you do with such a certificate? Well, if you are a government and able to control internet routing within your country, you can reroute all Skype users to a fake domain and collect their usernames and passwords, regardless of the SSL encryption seemingly in place. Or you can read their email when they go to Yahoo, Gmail or Hotmail. Most would not even notice this was going on.”

Andrew Storms, director of security operations at nCircle, said: “Anytime a major authority is the subject of a breach, users begin to second guess the trust they put into these organisations. This breach should definitely make users nervous.

“No doubt Comodo's attackers have a plan; they went after certificates for email services on all of the biggest brands on the web. Obviously, they are hoping to lure people into traps so they can capture their email login credentials.

“Comodo's suggestions that the attack may have originated from Iran are hard to verify at this point. If the attack turns out to be state sponsored from Iran, then one of the goals for these fake certificates may be access to the email accounts of political dissidents.

“There will be a lot of critical people watching to see how Comodo responds as this incident unfolds. The security community in particular will demand a lot of transparency in order to rebuild their trust in Comodo.”
