The Brazilian offices of certificate authority (CA) Comodo mistakenly sold a code-signing certificate to a banking trojan distributor, which applied for it under a name closely resembling that of a local anti-fraud software vendor.
To pull off the feat, the malware distributors registered the domain gastecnology.org, a slight variation on the name of Gastecnologia, an established Brazilian security vendor.
The phone number, area code and physical address in the domain registration record were all fake, according to Kaspersky Lab researcher Fabio Assolini, but the domain registration alone appears to have been enough to convince Comodo to sell the applicant a three-year certificate, which it then used to sign its own malware.
Validly issued and stolen certificates are both useful to malware distributors, Assolini points out, because a signature that chains to a trusted CA is taken to mean the CA has vouched for the file's origin.
From there, the cybercriminals signed their banking trojan ahead of a mass spam campaign that urged online banking customers to install an update. One of the signed trojans was presented as an HP Digital Assistant for a printer.
According to Assolini, Comodo issued the certificates on 28 May this year and revoked them 15 days later, after a local security company alerted it to the fraud.
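The two signals this case leaves behind are a publisher name that is a near-miss of a real vendor and a certificate that was only days old when it signed the sample. Below is an added example, written for this page and not code from Comodo, Kaspersky or the article's author, of a triage check over signer metadata that flags both. The signer records, dates, issuer string, the second trusted vendor name and the similarity and age thresholds are all constructed assumptions; only the vendor name Gastecnologia and the look-alike spelling come from the article. The check assumes chain validation has already passed upstream, which is exactly the situation described: a valid chain says nothing about whether the publisher is who the reader thinks it is.

```python
"""Triage signer metadata for look-alike publisher names and freshly issued certificates.

Added example for this page; not the CA's, the vendor's or the researcher's code.
The records below are constructed for illustration and mirror the fields an
Authenticode verifier typically reports (subject CN, issuer, validity start,
signing time); they are not real certificates.
"""
from datetime import date
from difflib import SequenceMatcher
import unicodedata

# Exact Subject names of vendors this environment trusts. Gastecnologia is named
# in the article; "Example Bank Software" is a made-up second entry.
TRUSTED_PUBLISHERS = ["Gastecnologia", "Example Bank Software"]

# Constructed signer records (dates and issuer string are illustrative only).
SAMPLE_SIGNERS = [
    {"file": "printer_assistant.exe", "subject_cn": "Gastecnology",
     "issuer": "Example CA (constructed)",
     "not_before": date(2021, 5, 10), "signed_on": date(2021, 5, 16)},
    {"file": "antifraud_setup.exe", "subject_cn": "Gastecnologia",
     "issuer": "Example CA (constructed)",
     "not_before": date(2019, 3, 1), "signed_on": date(2021, 5, 16)},
    {"file": "tool.exe", "subject_cn": "Acme Widgets",
     "issuer": "Example CA (constructed)",
     "not_before": date(2021, 5, 1), "signed_on": date(2021, 5, 16)},
]

# Assumed thresholds: tune to the environment.
LOOKALIKE_THRESHOLD = 0.85   # SequenceMatcher ratio above which a name is a near-miss
YOUNG_CERT_DAYS = 30         # certificates younger than this at signing time are suspicious


def normalize(name: str) -> str:
    """Case-fold, strip accents and drop non-alphanumerics so only letter-level
    differences (the kind a typosquatter introduces) survive the comparison."""
    decomposed = unicodedata.normalize("NFKD", name)
    without_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(c for c in without_accents.casefold() if c.isalnum())


def similarity(a: str, b: str) -> float:
    """Similarity of two publisher names after normalization, in [0.0, 1.0]."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def classify_publisher(subject_cn: str, trusted=TRUSTED_PUBLISHERS,
                       threshold: float = LOOKALIKE_THRESHOLD):
    """Return ("trusted", name), ("lookalike", nearest_trusted) or ("unknown", None).

    An exact (normalized) match wins outright; otherwise the nearest trusted name
    is reported as a look-alike only if it clears the threshold."""
    wanted = normalize(subject_cn)
    nearest, best_score = None, 0.0
    for name in trusted:
        if normalize(name) == wanted:
            return ("trusted", name)
        score = similarity(subject_cn, name)
        if score > best_score:
            nearest, best_score = name, score
    if best_score >= threshold:
        return ("lookalike", nearest)
    return ("unknown", None)


def certificate_age_days(record: dict) -> int:
    """Days between the certificate's validity start and the sample's signing time."""
    return (record["signed_on"] - record["not_before"]).days


def assess(record: dict) -> dict:
    """Combine the two heuristics for one signed sample. Chain validity is assumed
    to have been checked already; a valid chain is deliberately NOT a reason to
    clear the sample."""
    verdict, match = classify_publisher(record["subject_cn"])
    flags = []
    if verdict == "lookalike":
        flags.append(f"publisher '{record['subject_cn']}' resembles trusted '{match}'")
    age = certificate_age_days(record)
    if age < YOUNG_CERT_DAYS:
        flags.append(f"certificate was only {age} days old at signing time")
    return {"file": record["file"], "publisher": verdict, "flags": flags}


def scan(records=SAMPLE_SIGNERS) -> list:
    """Assess every record; callers usually filter for non-empty flags."""
    return [assess(r) for r in records]


if __name__ == "__main__":
    for result in scan():
        status = "FLAG" if result["flags"] else "ok"
        print(f"{status:4} {result['file']:24} publisher={result['publisher']}")
        for flag in result["flags"]:
            print(f"       - {flag}")
```

The allowlist must hold the exact Subject strings the vendor's own certificates carry; a legitimate legal name such as a suffixed company form would otherwise score as a look-alike of its own shorter entry. The age check is a weak signal on its own (every vendor renews certificates), which is why the two are reported together rather than as a single verdict.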