Web authentication company fingers Iran for sophisticated hack

The Comodo Group Inc. has come forward to say it was tricked into issuing bogus digital certificates for some of the largest websites on the Internet, including Google (NASDAQ: GOOG), Yahoo and Microsoft (NASDAQ: MSFT). The company says the attack was traced to an Internet Service Provider in Iran. Digital certificates are used to validate the legitimacy of a website, and represent the final and strongest defense against spoofing or redirection attacks. As reported by Computerworld, the attackers used a valid username and password of an affiliate to issue the SSL certificates.

Microsoft has released a security advisory listing the web properties affected by the nine bogus certificates: login.live.com, mail.google.com, www.google.com, login.yahoo.com (three certificates), login.skype.com, addons.mozilla.org and Global Trustee. Microsoft has since issued a security patch to specifically warn against the fraudulent certificates.

It is not known if any users were taken in by spoofed sites validated using the issued digital certificates prior to the revocation. Web browsers with Online Certificate Status Protocol (OCSP) enabled will automatically validate the certificates and block them. For its part, Comodo insisted that it reacted "within hours" to revoke the bogus certificates.

For more on this story:
- check out this article at Wall Street Journal
- check out this article at Computerworld
