Iran has tricked a web firm into issuing fake security certificates for Gmail, Skype, Hotmail and more.
Comodo Group, a US-based certificate authority firm with 15% of the market, admitted that one of its affiliate's accounts in Southern Europe had been hacked, letting the attackers create fake SSL security certificates for six websites.
Such digital keys let websites offer secure services, and fake versions could be used to spoof sites, gather login details and watch user activity.
The fake certificates target Microsoft's Live platform, Gmail and Google, Skype, Yahoo, and Mozilla Firefox extensions. The attack was quickly discovered, with the attacker still using the account when it was shut down.
Comodo's CEO Melih Abdulhayogl said the attack appeared to originate in Iran, as it would have required access to the country's DNS infrastructure. "We believe these are politically motivated, state-driven/funded attacks," he said in a blog post, adding it was the first such state attack he'd seen against the authentication layer of the web.
Phillip Hallam-Baker, principal scientist for Comodo, said the timing of the attack was no coincidence.
"It does not escape notice that the domains targeted would be of greatest use to a government attempting surveillance of internet use by dissident groups," he said in a blog post.
"The attack comes at a time when many countries in North Africa and the Gulf region are facing popular protests and many commentators have identified the internet and in particular social-networking sites as a major organising tool for the protests," he added.