Bank trojan distributors duped Comodo into selling digital certificate

Then signed supposed HP printer software to dupe users
By Liam Tung (CSO Online (Australia)), 04 September, 2012 13:26

The Brazilian offices of certificate authority (CA) Comodo accidentally sold a code-signing certificate to a banking trojan distributor, which applied for it using a name similar to that of a local anti-fraud software vendor.

To pull off the feat, the malware distributors registered the domain gastecnology.org, a slight variation on the name of established Brazilian security vendor Gastecnologia.

The phone number, area code and physical address in the domain registry were all fake, according to Kaspersky Lab researcher Fabio Assolini, but the domain registration itself appeared to be enough to convince Comodo to sell the applicant a three-year certificate, enabling it to sign its own malware.
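A check of the kind a CA's vetting queue could run on an applicant domain, as an added example that is not from the article or from Comodo: it flags domains whose first label is within a small edit distance of an established vendor's name. The watchlist, its placeholder domain, the threshold and all function names are assumptions made for illustration.

```python
import unicodedata

# Constructed watchlist: established vendor name -> domains it is known to own.
# The domain is a placeholder; the article does not give the vendor's real domain.
KNOWN_VENDORS = {"Gastecnologia": {"vendor-domain.example"}}

def normalize(name):
    """Lower-case, strip accents and punctuation so names compare fairly."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(c for c in decomposed.lower() if c.isascii() and c.isalnum())

def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def review_application(applicant_domain, max_distance=2):
    """Return (vendor, distance) pairs that should trigger manual vetting.

    Assumes the caller passes the registrable domain (no "www." prefix).
    """
    domain = applicant_domain.lower().rstrip(".")
    label = normalize(domain.split(".")[0])
    hits = []
    for vendor, owned in KNOWN_VENDORS.items():
        if domain in owned:
            continue  # the vendor applying from its own domain
        distance = edit_distance(label, normalize(vendor))
        if distance <= max_distance:
            hits.append((vendor, distance))
    return hits

if __name__ == "__main__":
    # The domain named in the article differs from the vendor name by two edits.
    print(review_application("gastecnology.org"))
```

A hit here is a reason to verify the applicant's phone number and address out of band before issuing, not proof of fraud.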

Valid and stolen certificates are useful to malware distributors since the certificates should indicate that a Certificate Authority has verified the file’s authenticity, Assolini points out.

From there, the cybercriminals went on to sign their banking trojan ahead of a mass spam campaign that urged online banking customers to install an update. One of the trojans was presented as an HP Digital Assistant for a printer.

According to Assolini, Comodo sold the certificates on 28 May this year but yanked them 15 days later after a local security company alerted it to the fraud.
