Corporate Identity Theft Used to Obtain Code Signing Certificate
- Wednesday, September 15, 2010, 20:29
- Threat Research
Last week, the lab identified a curious set of spammed malware: files signed with a valid Authenticode code signing certificate. This is something we've seen before. But this case seemed odd because the contact information appeared very genuine. Usually a valid but malicious certificate uses clearly bogus or dubious details.

I searched for a company that matched the name and address in the certificate and found a small consulting firm that provides services related to industrial process control and optimization.

I contacted the company and asked them whether they were aware that their code signing certificate had been stolen. The case became more interesting to me when they responded that they do not have any code signing certificates. In fact, they don't produce software, so they don't have anything to sign. Clearly someone else had obtained the certificate in their name; they had been the victim of identity theft.

I investigated the case with the help of the victim and Comodo, the Certification Authority that had signed the fraudulent certificate. I discovered that the certificate had been requested in the name of an actual employee and that Comodo had used both phone call verification as well as e-mail. The fraudster had access to the employee's e-mail and the phone call (continue reading...)
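The practical takeaway from a case like this is that a signature reporting as Valid only tells you the chain verifies back to a trusted root, not that the organization in the Subject field actually applied for the certificate. The snippet below is an added example, not code from the original post or from the lab, showing how to pull the signer details out of a batch of samples so the subject and issuer can be checked by hand; the directory path C:\samples is an assumed, hypothetical location.

```powershell
# Added example (not part of the original post): list Authenticode signer details
# for every file in a sample directory so the Subject/Issuer can be reviewed manually.
# C:\samples is a hypothetical path; adjust to wherever the samples are stored.
$sampleDir = 'C:\samples'

Get-ChildItem -Path $sampleDir -File | ForEach-Object {
    # Get-AuthenticodeSignature verifies the PE signature and chain against
    # the local trust store; it cannot tell whether the subject is genuine.
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName

    [pscustomobject]@{
        File       = $_.Name
        Status     = $sig.Status                       # Valid / NotSigned / UnknownError / ...
        Subject    = $sig.SignerCertificate.Subject    # organization and address to check
        Issuer     = $sig.SignerCertificate.Issuer     # the CA that vouched for the subject
        NotBefore  = $sig.SignerCertificate.NotBefore  # recently issued certs deserve extra scrutiny
        Thumbprint = $sig.SignerCertificate.Thumbprint # useful for blocking or revocation lookups
    }
} | Format-Table -AutoSize
```

For unsigned files SignerCertificate is null, so those columns come out empty; filter on Status -eq 'Valid' to focus on the signed samples whose subject details then need to be compared against the real company, as was done in this case.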