Hackers spied on 300,000 Iranians using fake Google certificate
Investigation reveals month-long, massive Gmail snooping campaign
Computerworld - About 300,000 Iranians had their Gmail accounts compromised and their messages read by hackers, according to a forensics firm that has investigated the theft of hundreds of digital certificates from a Dutch company.
Although the report did not identify the hacker, or hackers, who may have spied on the Iranian users, security researchers have pointed to Iran's government, which has been linked to other attempts to intercept the communications of activists and protesters.
The report was issued Monday by Fox-IT, a digital investigative company retained by the Dutch government after DigiNotar's servers were hacked and more than 500 Secure Socket Layer (SSL) certificates were fabricated by intruders. Among the certificates were several that could be used to impersonate any Google site or service, including Gmail.
SSL certificates are used by websites and browsers to identify a site as legitimate and can be abused to disguise unauthorized domains using "man in the middle" attacks.
Fox-IT said that approximately 300,000 IP addresses, each representing at least one computer and so at least one user, had accessed sites displaying a fake certificate for google.com between July 27 and Aug. 29. Nearly all -- Fox-IT said 99% -- of those IP addresses originated in Iran.
Investigators assumed that the google.com certificate was used primarily to spy on Iranians' Gmail accounts.
"Using this [Gmail authentication] cookie, the hacker is able to log in directly to the Gmail mailbox of the victim and also read the stored emails," said Fox-IT. The hackers could also use the same credentials to log onto other Google services, including Google Docs and Google Latitude -- in the latter case, to identify the exact location of the victim -- and hijack Facebook and Twitter accounts.
The report confirms what Google said last week, when it acknowledged that Gmail users had been attacked and said "the people affected were primarily located in Iran."
Fox-IT posted a simulation of the traffic that went through the fake google.com domain on YouTube to illustrate Iran's dominance.
While Fox-IT did not accuse the Iranian government of conducting or sponsoring the attack, it made clear the motivation behind what it called "Operation Black Tulip."
"The list of domains and the fact that 99% of the users are in Iran suggest that the objective of the hackers is to intercept private information in Iran," the company said in its report.
Some security researchers have suspected that Iran's government was behind the certificate theft and subsequent attack since news broke a week ago. The Fox-IT report only reinforced their beliefs.
"This is the most solid evidence yet that these certificates may have been used by the Iranian government or ISPs to spy on private communications of Iranian Internet users," said Chet Wisniewski, a security researcher at U.K.-based Sophos, in a blog post Monday.
In a letter to the Dutch parliament made public Monday, the ministers of the Interior and Security and Justice said the government was investigating DigiNotar for possible negligence.
Fox-IT's reports painted a bleak picture, saying that DigiNotar was unaware for weeks that hackers controlled its servers, that the server software was outdated and unpatched, and that it was not protected by antivirus software, which would have sounded the alert when the intruders planted malware on the machines.
And the attacks against DigiNotar continue, the report said.
"Current analyses still show hacking attempts on the Web server originating from Iran," Fox-IT said.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts