Hackers spied on 300,000 Iranians using fake Google certificate

Computerworld - About 300,000 Iranians had their Gmail accounts compromised and their messages read by hackers, according to a forensics firm that has investigated the theft of hundreds of digital certificates from a Dutch company.

Although the report did not identify the hacker, or hackers, who may have spied on the Iranian users, security researchers have pointed to Iran's government, which has been linked to other attempts to intercept the communications of activists and protesters.

The report was issued Monday by Fox-IT, a digital investigative company retained by the Dutch government after DigiNotar's servers were hacked and more than 500 Secure Socket Layer (SSL) certificates were fabricated by intruders. Among the certificates were several that could be used to impersonate any Google site or service, including Gmail.

SSL certificates are used by websites and browsers to identify a site as legitimate and can be abused to disguise unauthorized domains using "man in the middle" attacks.

Fox-IT said that approximately 300,000 IP addresses, each representing at least one computer and so at least one user, had accessed sites displaying a fake certificate for google.com between July 27 and Aug. 29. Nearly all -- Fox-IT said 99% -- of those IP addresses originated in Iran.

Investigators assumed that the google.com certificate was used primarily to spy on Iranians' Gmail accounts.

"Using this [Gmail authentication] cookie, the hacker is able to log in directly to the Gmail mailbox of the victim and also read the stored emails," said Fox-IT. The hackers could also use the same credentials to log onto other Google services, including Google Docs and Google Latitude -- in the latter case, to identify the exact location of the victim -- and hijack Facebook and Twitter accounts.

The report confirms what Google said last week, when it acknowledged that Gmail users had been attacked and said "the people affected were primarily located in Iran."

Fox-IT posted a simulation of the traffic that went through the fake google.com domain on YouTube to illustrate Iran's dominance.

While Fox-IT did not accuse the Iranian government of conducting or sponsoring the attack, it made clear the motivation behind what it called "Operation Black Tulip."

"The list of domains and the fact that 99% of the users are in Iran suggest that the objective of the hackers is to intercept private information in Iran," the company said in its report.

Some security researchers have suspected that Iran's government was behind the certificate theft and subsequent attack since news broke a week ago. The Fox-IT report only reinforced their beliefs.

"This is the most solid evidence yet that these certificates may have been used by the Iranian government or ISPs to spy on private communications of Iranian Internet users," said Chet Wisniewski, a security researcher at U.K.-based Sophos, in a blog post Monday.

In a letter to the Dutch parliament made public Monday, the ministers of the Interior and Security and Justice said the government was investigating DigiNotar for possible negligence.

Fox-IT's reports painted a bleak picture, saying that DigiNotar was unaware for weeks that hackers controlled its servers, that the server software was outdated and unpatched, and that it was not protected by antivirus software, which would have sounded the alert when the intruders planted malware on the machines.

And the attacks against DigiNotar continue, the report said.

"Current analyses still show hacking attempts on the Web server originating from Iran," Fox-IT said.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com.

Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.