Comodo Inc., an issuer of secure socket layer (SSL) certificates, warned customers Wednesday that it had issued fraudulent certificates for seven Web domains, including those of search engine giants Google and Yahoo, after cybercriminals compromised one of its partners.
The Jersey City, New Jersey-based company issued a statement on its website explaining that it issued nine fraudulent SSL certificates on March 15 following a compromise in which an attacker obtained the username and password of one of its registration authority partners in Southern Europe. The compromise was detected within hours and the certificates were revoked immediately, the company said.
"At no time were any Comodo root keys, intermediate CAs or secure hardware compromised," the firm said in a statement. "The compromise occurred at an affiliate authorized to perform primary validation of certificate requests."
A registration authority (RA) is an entity in a network that verifies user requests for a digital certificate and instructs the certificate authority (CA) to issue it. RAs are part of a public key infrastructure (PKI), the trust framework that lets parties exchange information and money securely. The attacker, traced to an IP address originating from Iran, used the stolen account credentials to authenticate fraudulently and obtain certificates capable of impersonating certain websites and domain servers, including an SSL certificate for an add-on update server for Mozilla Firefox.
According to Brian Trzupek, Trustwave's vice president of managed identity and SSL, "obtaining a trusted certificate for a domain not under your control only represents a small portion of the attack. Once the attacker obtains the certificate, they will need to tamper with DNS to direct traffic to the fraudulent site with the fraudulent certificate."
In a statement issued by Trustwave, which also is in the business of issuing SSL certificates, Trzupek said having control of the Mozilla Firefox add-on update server could have allowed the attacker to inject any arbitrary code they desire into the Web browser, in a trusted manner, enabling the attacker to upload malware onto a victim's machine without their knowledge.