Successful certificate cybercrime obtains legit Web certificates

In a recent 3/23/2011 article entitled "Hack Obtains 9 Bogus Certificates for Prominent Websites; Traced to Iran," Wired Threat Level reports on a spectacular cyberheist of credentials on March 15. Among the accounts compromised were a partner account at certificate authority Comodo Group, which was then used to request SSL certificates for the following domains:,,,,, and ( is the Microsoft domain that handles Live Mail and that also issues Microsoft Live ID credentials, formerly known as Microsoft Passport). The attack was traced to an account in Iran, and would have allowed the attacker to set up fake web pages that web browsers would have unthinkingly and unhesitatingly accepted as the "real thing." This could have allowed attacks on those domains to redirect legitimate traffic going to those sites to a different server entirely under an attacker's control. Possibilities for such attacks are extremely broad, and could be as small-scale as a local hot spot or campus, all the way up to what Wired describes as "global hijacking of Internet routes."

Comodo CEO Melih Abdulhayoglu is paraphrased in the Wired Threat Level report as likening this attack to the Internet equivalent of the September 11 terror attacks against the United States. He is quoted as saying

“Our own planes are being used against us in the C.A. [certificate authority] world,” Abdulhayoglu told Threat Level in an interview. “We have to up the bar and react to these new threat models. This untrusted DNS infrastructure cannot be what drives the Internet going forward. If DNS was trusted, none of this would have been an issue.”

Abdulhayoglu also observed that the attacker appeared to have been both expert and well prepared, and was obviously armed with a list of organizations for which to request certificates once the attack succeeded. The attacker also created an additional certificate under the innocuous and official-sounding name "Global Trustee." He believes this attack carries the hallmarks of state-sponsored terrorism rather than criminal activity. Abdulhayoglu also speculated that because the certificates all targeted communications organizations, the attackers probably hoped to intercept and read other people's email via subversion of the DNS structure (a hack that requires state-level access, he claims).

All of the fraudulent certificates have been revoked, and all the major browser makers, including Google, Firefox, and Microsoft, have issued updates to prevent any Websites from using those certificates. Could this be a first salvo from Iran in response to the Stuxnet worm, which has been described as possible state-sponsored attack-ware from the US and/or Israel? It doesn't seem too far-fetched to us to see this as a possible tit-for-tat attack of that kind.
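As an added example that is not part of the original post: a client-side check of the kind those browser updates implement, refusing a certificate whose (issuer, serial) pair or SHA-256 fingerprint appears on a vendor blocklist. It uses the `cryptography` package; the CA name, serials, key and certificate are all constructed here, since the page does not list the revoked certificates' identifiers.

```python
# Added example (not KnowBe4's or Comodo's code): refuse a certificate that appears on a
# blocklist of known mis-issued certificates, as browsers did after the Comodo incident.
# All names, serials and the certificate itself are constructed test data.
import datetime
import hashlib
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def make_test_cert(common_name, issuer_name, serial):
    """Build a self-signed test certificate in DER form (constructed, not CA-issued)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(serial)
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=30))
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.DER)


def cert_identity(der):
    """Return the issuer DN, serial number and SHA-256 fingerprint a blocklist keys on."""
    cert = x509.load_der_x509_certificate(der)
    return cert.issuer.rfc4514_string(), cert.serial_number, hashlib.sha256(der).hexdigest()


def is_blocked(der, blocked_pairs, blocked_fingerprints):
    """True if the certificate matches a blocked (issuer, serial) pair or fingerprint.

    Revocation by (issuer, serial) is what a CRL carries; a fingerprint pin catches the
    exact certificate even if the issuer name were somehow reused by another CA.
    """
    issuer, serial, fingerprint = cert_identity(der)
    return (issuer, serial) in blocked_pairs or fingerprint in blocked_fingerprints
```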

Stu Sjouwerman

Topics: Cybercrime, KnowBe4
