ITPRO

Printed from www.itpro.co.uk

Iran implicated in Microsoft and Google attacks

Iran is linked to attacks aimed at sites run by the likes of Microsoft, Google, Skype and Yahoo.

By Tom Brewster, 24 Mar 2011 at 12:00

Iran has been implicated in attacks aimed at sites run by tech giants including Microsoft and Google.

Last week, attackers obtained fraudulent SSL certificates that could be used to spoof popular services such as Hotmail and Gmail and trick web users into handing over valuable information.

The certificates fraudulently issued by root certificate authority Comodo were for popular sites including login.live.com, mail.google.com, www.google.com, login.skype.com and login.yahoo.com.

On 15 March, a total of nine digital certificates were issued by Comodo, after an attacker obtained the username and password of a trusted partner and registration authority based in Southern Europe.

All the fraudulent certificates have now been revoked, but users could have been duped into handing over information to the perpetrators.

According to Comodo’s report, attacks appear to have been limited, with only one yahoo.com certificate seen live on the web. Furthermore, Microsoft said in an advisory it had not seen any “active attacks.”

Microsoft warned, however, the certificates could have been used to “spoof content, perform phishing attacks, or perform man-in-the-middle attacks.”

All affected domain owners have been informed, as have relevant Government authorities.

The Iran link

Comodo linked Iran to the attacks, as founder Melih Abdulhayoglu suggested they were “state driven/funded.”

“The IP address of the initial attack was recorded and has been determined to be assigned to an ISP in Iran,” explained Dr Phillip Hallam-Baker, Comodo vice president and principal scientist, in a blog post.

“A web survey revealed one of the certificates deployed on another IP address assigned to an Iranian ISP. The server in question stopped responding to requests shortly after the certificate was revoked.”

However, the attackers may simply have tried to “lay a false trail,” Hallam-Baker said.

“It does not escape notice that the domains targeted would be of greatest use to a Government attempting surveillance of internet use by dissident groups,” he added.

“The attack comes at a time when many countries in North Africa and the Gulf region are facing popular protests and many commentators have identified the internet and in particular social networking sites as a major organising tool for the protests.”

Businesses, for their part, should ensure they have up-to-date certificate revocation data and appropriate browser settings, said Fraser Howard, principal threat researcher at Sophos.

“From a more long term perspective, let’s hope this incident makes industry players audit, not only their own security systems and policies, but those of their trusted partners as well to protect browsers in the future,” Howard added.
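
The revocation check Howard is referring to, as an added example in Go (not code from the article, Comodo or Sophos): a constructed throwaway CA, a leaf certificate for the placeholder host login.example.test, and two CRLs from that CA. A client that consults a CRL published before the revocation still accepts the certificate, one that fetches the current CRL rejects it, and a CRL past its NextUpdate is refused outright. Assumes Go 1.21 or later.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// buildDemoPKI is a constructed fixture (nothing here comes from the incident): a throwaway CA, a leaf for the
// placeholder host login.example.test (serial 42), and two CRLs: one issued before the leaf was revoked, one after.
func buildDemoPKI(now time.Time) (ca, leaf *x509.Certificate, staleCRL, freshCRL []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader) // errors dropped throughout: inputs are fixed and the caller checks the outputs
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: now.Add(-2 * time.Hour), NotAfter: now.Add(24 * time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	ca, _ = x509.ParseCertificate(caDER) // the parsed CA carries the auto-generated SubjectKeyId that CRL signing requires
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "login.example.test"},
		DNSNames: []string{"login.example.test"}, NotBefore: now.Add(-2 * time.Hour), NotAfter: now.Add(24 * time.Hour)}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafPub, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	staleCRL, _ = x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(time.Hour)}, ca, caKey) // stale: still valid for an hour, serial 42 not yet listed
	freshCRL, _ = x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(2), ThisUpdate: now,
		NextUpdate: now.Add(time.Hour), RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: big.NewInt(42), RevocationTime: now}}}, ca, caKey) // fresh: lists serial 42
	return
}

// checkRevocation assumes the chain to ca has already verified and answers only the revocation question:
// it rejects a CRL the CA did not sign, a CRL past its NextUpdate, and a CRL that lists the leaf's serial.
func checkRevocation(leaf, ca *x509.Certificate, crlDER []byte, now time.Time) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return errors.New("CRL not signed by the issuing CA: " + err.Error())
	}
	if now.After(crl.NextUpdate) {
		return errors.New("CRL is past NextUpdate; refusing to rely on stale revocation data")
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errors.New("certificate revoked by its issuer")
		}
	}
	return nil
}
```

The stale CRL is the case to watch: it is inside its validity window and correctly signed, so a client that does not refresh revocation data accepts the revoked certificate without any error.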

PROFESSOR

If they can't act like sensible people, the simple thing to do is just to "turn off the internet in Iran"

By PROFESSOR on Thursday Mar 24