Although Comodo did not name the compromised RA in its incident report, all of the fraudulently issued certificates refer to GTI Group Corporation in the organisational unit field. GlobalTrust is a division of this group, and has been issuing SSL certificates as a Comodo partner since 2006.
Over the weekend, an individual purporting to have carried out the attack revealed on Pastebin.com that Comodo was hacked via InstantSSL.it. According to its meta tags, this site was owned by GlobalTrust, but it now bears a Comodo logo with a “site under construction” placeholder. Many other websites run by GlobalTrust have also been shut down and replaced with GlobalTrust-branded “under construction” pages, presumably while forensic investigations continue.
Existing GlobalTrust customers may be affected by the temporary suspension of these sites; for instance, trust seals can no longer be served from https://trustseal.globaltrust.it because the site is no longer accepting any HTTPS connections.
Netcraft’s Web Server Survey highlights several other websites which currently display the GlobalTrust “under construction” page, including www.banksafe.it, www.comodogroup.it, www.cybercrimeworkingroup.org and, ironically, www.riskmitigation.it. GlobalTrust’s founder, Massimo Penco, has also had his personal website replaced with the same GlobalTrust “site under construction” page.
During a phone call with Netcraft last Thursday, Mr Penco denied that GlobalTrust was the unnamed RA cited in the original Comodo incident report.