On September 11, 2018, a cybersecurity firm reported that it uncovered malicious code injected into the British Airways website, indicating that the hackers in the recent British Airways supply chain phishing attack made use of an increasingly common tactic of using large websites to embed pieces of code from third-party suppliers.

The report found that the SSL certificate issued by Comodo CA to baways.com, a domain involved in the attack, was a Comodo CA Domain Validation (DV) certificate. Comodo CA has now revoked the DV certificate issued to baways.com.

Comodo CA had issued the DV certificate in mid-August, 2018, after following all industry standards and Baseline Requirements from the CA/Browser Forum.

While Certificate Authorities (CAs) can and must authenticate certificate requesters according to their validation level (EV, OV, or DV), they are not able to discern the intention of the certificate requester in advance of real-world use.

Phishing takes a broad variety of forms, many of which are made less effective by the presence of Extended Validation (EV) certificates. Domain Validated (DV) certificates are issued once the requester can prove that they own the domain for which the certificate is requested. EV certificates are issued only after additional organization vetting and require the requesting business to be operational under the requested name, posing a further step for the certificate applicant. When viewing a web page secured with an EV certificate, site visitors see a green address bar in addition to the lock symbol, indicating the additional level of validation.
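The practical consequence of the DV/EV distinction is that a browser lock icon alone tells a visitor nothing about who operates a site, only that the requester controlled the domain at issuance time. The following Go program is an added example (not code from Comodo CA or from the report cited above) showing how a defender can read the validation level a certificate itself asserts. It relies on the CA/Browser Forum reserved certificate-policy OIDs (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV), which are real published values; the self-signed certificates it builds for demonstration, the hostname `example.test` and the helper names `makeTestCert` and `ValidationLevel` are constructed for this example only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CA/Browser Forum reserved certificate-policy OIDs (real, published values)
// and the X.509 CertificatePolicies extension OID (2.5.29.32).
var (
	oidEV           = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	oidDV           = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	oidOV           = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
	oidCertPolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
)

// policyInformation is the ASN.1 PolicyInformation SEQUENCE without qualifiers.
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// ValidationLevel reports the validation level a leaf certificate asserts
// through its CA/B Forum policy OID. Certificates that carry none of the
// reserved OIDs are reported as "unknown" so they are not mistaken for DV.
func ValidationLevel(cert *x509.Certificate) string {
	for _, p := range cert.PolicyIdentifiers {
		switch {
		case p.Equal(oidEV):
			return "EV"
		case p.Equal(oidOV):
			return "OV"
		case p.Equal(oidDV):
			return "DV"
		}
	}
	return "unknown"
}

// makeTestCert builds a self-signed certificate (constructed test data, not a
// real CA-issued certificate) carrying the given policy OID and, optionally,
// an Organization in the Subject, then parses it back as a browser would.
func makeTestCert(policy asn1.ObjectIdentifier, org string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	subj := pkix.Name{CommonName: "example.test"} // hypothetical hostname
	if org != "" {
		subj.Organization = []string{org}
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subj,
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if policy != nil {
		// Encode CertificatePolicies ::= SEQUENCE OF PolicyInformation by hand so
		// the extension is present regardless of Go version.
		val, err := asn1.Marshal([]policyInformation{{Policy: policy}})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertPolicies, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cases := []struct {
		name   string
		policy asn1.ObjectIdentifier
		org    string
	}{
		{"domain-validated", oidDV, ""},
		{"extended-validation", oidEV, "Example Ltd"},
		{"no policy OID", nil, ""},
	}
	for _, c := range cases {
		cert, err := makeTestCert(c.policy, c.org)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-20s level=%-8s subject O=%v\n",
			c.name, ValidationLevel(cert), cert.Subject.Organization)
	}
}
```

The same `ValidationLevel` check can be run over a certificate retrieved from a live TLS connection (`tls.ConnectionState().PeerCertificates[0]`); a result of "DV" on a page that asks for payment details is worth a second look, because the only thing the certificate then vouches for is domain control.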

UPDATED: September 19, 2018

On September 19, 2018, a cybersecurity firm reported that it uncovered malicious code injected into the Newegg website, indicating that the hackers in the recent British Airways supply chain phishing attack had again made use of an increasingly common tactic of using large websites to embed pieces of code from third-party suppliers.

The report found that the SSL certificate issued by Comodo CA to “neweggstats.com,” a domain involved in the attack, was a Comodo CA Domain Validation (DV) certificate. Comodo CA had issued the DV certificate on August 13, 2018, after following all industry standards and Baseline Requirements from the CA/Browser Forum. Comodo CA has revoked the DV certificate.

# # #