Hackers spied on 300,000 Iranians using fake Google certificate
Investigation reveals month-long, massive Gmail snooping campaign
Computerworld - About 300,000 Iranians had their Gmail accounts compromised and their messages read by hackers, according to a forensics firm that has investigated the theft of hundreds of digital certificates from a Dutch company.
Although the report did not identify the hacker, or hackers, who may have spied on the Iranian users, security researchers have pointed to Iran's government, which has been linked to other attempts to intercept the communications of activists and protesters.
The report was issued Monday by Fox-IT, a digital investigative company retained by the Dutch government after DigiNotar's servers were hacked and more than 500 Secure Socket Layer (SSL) certificates were fabricated by intruders. Among the certificates were several that could be used to impersonate any Google site or service, including Gmail.
SSL certificates are used by websites and browsers to identify a site as legitimate and can be abused to disguise unauthorized domains using "man in the middle" attacks.
Fox-IT said that approximately 300,000 IP addresses, each representing at least one computer and so at least one user, had accessed sites displaying a fake certificate for google.com between July 27 and Aug. 29. Nearly all -- Fox-IT said 99% -- of those IP addresses originated in Iran.
Investigators assumed that the google.com certificate was used primarily to spy on Iranians' Gmail accounts.
"Using this [Gmail authentication] cookie, the hacker is able to log in directly to the Gmail mailbox of the victim and also read the stored emails," said Fox-IT. The hackers could also use the same credentials to log onto other Google services, including Google Docs and Google Latitude -- in the latter case, to identify the exact location of the victim -- and hijack Facebook and Twitter accounts.
The report confirms what Google said last week, when it acknowledged that Gmail users had been attacked and said "the people affected were primarily located in Iran."
Fox-IT posted a simulation of the traffic that went through the fake google.com domain on YouTube to illustrate Iran's dominance.
While Fox-IT did not accuse the Iranian government of conducting or sponsoring the attack, it made clear the motivation behind what it called "Operation Black Tulip."
"The list of domains and the fact that 99% of the users are in Iran suggest that the objective of the hackers is to intercept private information in Iran," the company said in its report.
Some security researchers have suspected that Iran's government was behind the certificate theft and subsequent attack since news broke a week ago. The Fox-IT report only reinforced their beliefs.
"This is the most solid evidence yet that these certificates may have been used by the Iranian government or ISPs to spy on private communications of Iranian Internet users," said Chet Wisniewski, a security researcher at U.K.-based Sophos, in a blog post Monday.
In a letter to the Dutch parliament made public Monday, the ministers of the Interior and Security and Justice said the government was investigating DigiNotar for possible negligence.
Fox-IT's reports painted a bleak picture, saying that DigiNotar was unaware for weeks that hackers controlled its servers, that the server software was outdated and unpatched, and that it was not protected by antivirus software, which would have sounded the alert when the intruders planted malware on the machines.
And the attacks against DigiNotar continue, the report said.
"Current analyses still show hacking attempts on the Web server originating from Iran," Fox-IT said.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.
- Warning: Cloud Data at Risk Experts agree that relying on SaaS vendors to backup and restore your data is dangerous. Yet that's exactly what huge portions of the...
- The Opportunities and Challenges of the Cloud In this report F5 poses questions to IDC analysts, Sally Hudson and Phil Hochmuth, on behalf of F5's customers to better understand the...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!