Close to 300,000 unique IP addresses from Iran requested access to google.com using a rogue certificate issued by Dutch digital certificate authority DigiNotar, according to an interim report by security firm Fox-IT, released on Monday.
The rogue certificate, issued on July 10 by DigiNotar, was finally revoked on Aug. 29.
"Around 300.000 unique requesting IPs to google.com have been identified," Fox-IT said in the report. From Aug. 4 the number of requests rose quickly, continuing until the certificate was revoked on Aug. 29. Of these IP addresses, more than 99 percent originated from Iran.
The list of IP addresses will be handed over to Google, which can inform users that their email might have been intercepted during this period, Fox-IT said.
Not only the email itself but also a login cookie could have been intercepted, it added. Using this cookie, the attacker could log in directly to the user's Gmail mailbox and to other Google services.
"The login cookie stays valid for a longer period," Fox-IT said. It would be wise for all users in Iran to at least log out and log back in, and better still to change their passwords, it added.
A sample of the IP addresses outside Iran during the period consisted mainly of Tor exit nodes, proxies and other VPN servers, with almost no direct subscribers, according to the report, which analyzed OCSP (Online Certificate Status Protocol) request logs.
Current browsers perform an OCSP check as soon as they connect to an SSL-protected website over HTTPS, so the certificate authority's OCSP responder logs record which clients encountered a given certificate.
Tor is a distributed anonymous network used by people to prevent being tracked by websites or to connect to instant messaging services and other services when these are blocked by their local Internet service providers.
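The following is an added example, not Fox-IT's code or data, of the kind of analysis the report describes: reconstructing from OCSP responder logs which clients encountered the rogue certificate, when, and from where. The log format, the IP-to-country table, the Tor exit list and the certificate serial are all constructed for the example (the addresses are RFC 5737 documentation ranges and the serial is a placeholder, not the real one).

```python
"""Reconstruct the client population that checked a rogue certificate via
OCSP, and attribute it by country and by known anonymising exit nodes.
Constructed example: hypothetical log format, placeholder serial, made-up
geo table and Tor exit list."""
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Placeholder serial; the real rogue serial is NOT used here.
ROGUE_SERIAL = "PLACEHOLDERROGUESERIAL0001"

# Hypothetical OCSP access-log format: "<client_ip> <ISO-8601 time> <serial>".
# Constructed sample lines; 192.0.2.0/24 stands in for Iran, 198.51.100.0/24
# for the Netherlands, 203.0.113.0/24 for the US.
SAMPLE_LOG = """\
192.0.2.10 2011-08-04T08:01:00Z PLACEHOLDERROGUESERIAL0001
192.0.2.10 2011-08-04T08:02:30Z PLACEHOLDERROGUESERIAL0001
192.0.2.11 2011-08-04T09:15:12Z PLACEHOLDERROGUESERIAL0001
192.0.2.12 2011-08-05T10:00:00Z PLACEHOLDERROGUESERIAL0001
192.0.2.13 2011-08-05T10:00:05Z PLACEHOLDERROGUESERIAL0001
198.51.100.7 2011-08-05T12:00:00Z PLACEHOLDERROGUESERIAL0001
203.0.113.9 2011-08-06T13:30:00Z PLACEHOLDERROGUESERIAL0001
203.0.113.50 2011-08-06T14:00:00Z OTHERLEGITSERIAL00000002
192.0.2.14 2011-09-01T09:00:00Z PLACEHOLDERROGUESERIAL0001
"""

# Constructed geolocation table and constructed Tor exit list.
GEO_PREFIXES = [
    (ip_network("192.0.2.0/24"), "IR"),
    (ip_network("198.51.100.0/24"), "NL"),
    (ip_network("203.0.113.0/24"), "US"),
]
TOR_EXITS = {"203.0.113.9"}

# Window in which the rogue certificate was live (dates from the report).
ISSUED_AT = datetime(2011, 7, 10)
REVOKED_AT = datetime(2011, 8, 29)


def parse_ocsp_log(text):
    """Parse log lines into (ip, timestamp, serial) tuples; skips blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ip, ts, serial = line.split()
        records.append((ip_address(ip),
                        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        serial))
    return records


def country_of(ip):
    """Longest-match lookup against the constructed prefix table."""
    for net, cc in GEO_PREFIXES:
        if ip in net:
            return cc
    return "??"


def analyse(records, serial=ROGUE_SERIAL, start=ISSUED_AT, end=REVOKED_AT):
    """Unique clients that asked about `serial` while it was valid, with
    per-day request volume, country breakdown and a list of non-Iranian
    clients flagged as Tor exits or 'other' (proxy/VPN/direct)."""
    clients = {}
    per_day = Counter()
    for ip, ts, s in records:
        # Ignore other certificates and checks outside the validity window:
        # after revocation the responder answers 'revoked' and the browser
        # is expected to reject the connection.
        if s != serial or not (start <= ts < end):
            continue
        per_day[ts.date().isoformat()] += 1
        clients.setdefault(ip, ts)  # first-seen time per client
    by_country = Counter(country_of(ip) for ip in clients)
    outside_iran = {
        str(ip): ("tor-exit" if str(ip) in TOR_EXITS else "other")
        for ip in clients if country_of(ip) != "IR"
    }
    total = len(clients)
    return {
        "unique_clients": total,
        "by_country": dict(by_country),
        "iran_share": (by_country["IR"] / total) if total else 0.0,
        "outside_iran": outside_iran,
        "requests_per_day": dict(per_day),
    }


if __name__ == "__main__":
    result = analyse(parse_ocsp_log(SAMPLE_LOG))
    for key, value in result.items():
        print(f"{key}: {value}")
```

The unique-client set is what would be handed to the affected service so it can notify users and invalidate their sessions; the per-day counter reproduces the "requests rose quickly" timeline, and the `outside_iran` map is how exit nodes and proxies are separated from direct subscribers when judging whether the non-Iranian traffic is real.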
A total of 531 digital certificates were issued for domains that included google.com, the CIA, and Israel's Mossad.
The list of domains and the fact that 99 percent of the users are in Iran suggest that the objective of the hackers was to intercept private communications in Iran, Fox-IT said.
Google said on Aug. 29 that it received reports of "attempted SSL man-in-the-middle (MITM) attacks" against Google users, whereby someone tried to get between them and encrypted Google services. The people affected were primarily located in Iran.
The attacker used a fraudulent SSL certificate issued by DigiNotar, which has since revoked it, Google said in a blog post.
Trend Micro, another security firm, said on Monday that the domain validation.diginotar.nl was requested mostly by Dutch and Iranian Internet users until Aug. 30. Browsers use validation.diginotar.nl to check the authenticity of SSL certificates issued by DigiNotar.
DigiNotar is a small Dutch certification authority with customers mainly in the Netherlands. "We, therefore, expect this domain name to be mostly requested by Dutch Internet users and perhaps a handful of users from other countries but certainly not by a lot of Iranians," Trend Micro's senior threat researcher, Feike Hacquebord, said in a blog post.