I just got owned: fraudulent SSL Cert (Comodo)

Mele20

[Two screenshots attached to the original post: the untrusted-certificate warning and the certificate's details]
Ten years and nary a security problem...always a first time though, always the chance that no matter how careful you try to be...somewhere, some time you will get owned.

I have a new credit card and early in December I set up my account online with Discover. Earlier today, I wanted to change something so I went to login. I got a popup on Firefox about an untrusted cert on the login page. I disabled all Comodo certs recently and I could see this was a Comodo cert. I examined the cert. It looked ok so I accepted it temporarily. Logged in, did my thing, logged out and that cert popped again. I had a sinking feeling.

I went to a virtual machine with Fx3 and went to the Discover login and no Comodo untrusted-cert warning popped up. I went back to my host machine with Fx 1.5 and went to the Discover login again and up popped the untrusted cert warning. This time, when I looked at it, I thought how could I have been such an idiot? I called Discover and asked for the Web department. The tech told me that was not their cert and I had been owned and I am being sent a new card.

I'm wondering what would have happened if I had not disabled the Comodo certs. I would not have gotten a warning (not that it did me any good) and without a warning this site would have been tracking me without my knowing a thing, right? Ironically, I have never used Proxo for SSL sites. If I had, Proxo would have stopped it. This is what Proxo shows when I go to the site without the "s" on the end of http:

PROX: SCRIPT REPLACED BY JS SNIFFER (Killed AdH track).

if (typeof prxO == "object" && prxO.oNce) { if (!prxO.oNce.ncJsKills) prxO.oNce.ncJsKills = []; prxO.oNce.ncJsKills.push(["Sniffer", " Killed%20AdH%20track%20-%20/%20-%20text/html"]) } //-->

The site is gone now. I get a 404 error now.

HA Nut
I'm confused... Was the first Discover page you went to the correct, legit one? Which would have made this a version of a man-in-the-middle situation? Or did you go to the wrong website? Or am I not understanding at all???

Its a Secret to Mele20
Sorry to hear that, Mele. The sad part is, the bad guys seem to be getting quicker than we are.

Hope that gets fixed muy pronto for you.

GuruGuy to Mele20
I'm not understanding either. Did you go to the wrong website to begin with???

nwrickert to Mele20
The address bar says "www.discovercard.com".
The certificate says "track.roiservice.com".

One possibility is that the certificate alert was from an advertisement displayed on the page, and you were not actually pwned at all.

iam x to Mele20
For the record:
»en.wikipedia.org/wiki/Owned
Owned is a slang word that originated among 1990s hackers, where it referred to "rooting" or gaining administrative control over someone else's computer.

The term's original usage was close to that of the traditional meaning of the word "own" - for instance, "I owned the network at MIT" indicated that the speaker had cracked the servers and had the same root-level privileges that the legitimate owner of the servers had.
"Owned", a later variant, became more common in the late 1990s, as did the more abstract usage referring to any compromised security mechanism.
By 1997, "owned" was regularly used in website defacements, and it subsequently spread to gaming circles, where it was used to refer to defeat in a game.
For example, if someone makes a particularly good kill shot or wins a fight in a multiplayer video game, they might yell out "owned" to the loser(s), as a manifestation of victory, a taunt, or provocation.

Owned has now spread beyond computer and gaming contexts and become part of standard slang, where it typically entails severe defeat or humiliation, usually in an amusing way or through the dominance of an opposing party.
Other variations of the word owned include own3d, 0wn3d and pooned, terms which incorporate elements of leetspeak. Example... "CMoney pWn3d deeznuts!"

At some point, the variant term "pwned" appeared in the same subculture; this alteration originated from typos that occurred when hasty gamers tried typing too fast on the keyboard, thus missing the "o" and typing "p" instead. Pwn has become a term in its own right but is sometimes still verbally pronounced [on] in recognition of its origin.
Mele20

I don't really understand it myself. That is one reason I posted....hoped someone would have more knowledge than I about what happened.

I typed in »www.discovercard.com/car ··· /ac_main
and I got the popup about the untrusted cert "track.roiservice.com" and BEHIND the popup was the discovercard.com login page. I immediately figured it was a Comodo cert and I was getting that because I had disabled all the Comodo Root certs. I looked at it, it looked ok...the name was weird but I figured it had something to do with how Discover.com tracks logins. So, I allowed it for that session which cleared the popup and the login page was there behind the popup. The popup and login page with the lock in the address bar and status bar (ssl cert from Verisign) appeared simultaneously on my screen and that is strange too.

It seems to me to maybe be a man in the middle thing that, because I allowed the cert, was somehow tracking what I typed in on the discovercard.com site as I logged in. I didn't look until later at the information when right clicking on the lock on the discover.com site. Its certificate is from VeriSign, not Network Solutions, which is issued by AddTrust, which is owned by Comodo.

I can reproduce this over and over on Firefox 1.5 on XP. On my virtual Vista machine with Fx 3, I don't get a popup about the certificate for "track.roiservice.com" when I go to the discover account center login page. If I type in the Fx 3 url bar the address "https://www.track.roiservice.com" then I get that untrusted cert popup on Fx 3 on Vista.

It is quite strange. I just tried the same address on IE 6 on XP and I get the normal login page for Discover account center and no popup about an untrusted cert from track.roiservice.com. Same with latest Opera.

I'm beginning to think this is some wacko something exclusive to Firefox. On Fx 3, on Vista, I just made a temporary exception for this cert and I then get a 404 error for »www.track.roiservice.com. On Fx3, I did not get that popup about the untrusted cert when I went to the discover account center login page but I get the popup if I type the roiservice.com address in Fx 3 address bar.

I just edited the AddTrust Root (owned by Comodo) certs in Firefox 1.5 and enabled all of them to identify websites. I then went to the discover account center login page and I did not get that untrusted cert popup.

Grail Knight to Mele20
Removed. Question answered.

Added: I get no popup about cert in question and had previously disabled all the Comodo Root Certs.

Used Fx v3.0 series, 3.1pre, or the tk. (Have not tried Fx v2 series.)

TheWiseGuy to Mele20
said by Mele20:

I can reproduce this over and over on Firefox 1.5 on XP. On my virtual Vista machine with Fx 3, I don't get a popup about the certificate for "track.roiservice.com" when I go to the discover account center login page.
When I go to the page the certificate is a VeriSign certificate. If I look at the page source, the code includes a link to the SSL site track.roiservice.com which is for tracking.
Mele20 to nwrickert
said by nwrickert:

The address bar says "www.discovercard.com".
The certificate says "track.roiservice.com".

One possibility is that the certificate alert was from an advertisement displayed on the page, and you were not actually pwned at all.
You may be right. I am very used to Proxo filtering out all ads but I do not use Proxo on SSL sites (although it is possible to do so). Look at this proxo log:

+++GET 30954+++
GET / HTTP/1.1
Host: track.roiservice.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.11) Gecko/20070312 Firefox/1.5.9.9
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Cookie: msid938905107000023=4cbdd27c409644bd83aa1b7496a72e93; GTT938905107000023=4cbdd27c409644bd83aa1b7496a72e93; msid938905107000023=4cbdd27c409644bd83aa1b7496a72e93
Connection: keep-alive
Referer: »slashdot.org/search/refe ··· Big+Bang

Slashdot was the referrer? I haven't been to Slashdot in ages.

nwrickert to Mele20
Here's a few lines from that web page:
<!--BEGIN ROI TRACKING Code-->
<script language="javascript" src="https://track.roiservice.com/track/track.aspx?ROIID=938905107000023"></script>
<script language="javascript">
<!--
 if (typeof(ROIID) + '' != 'undefined') {
  TrackEvent('LandingPage', 0);
 }
//-->
</script>
<!--END ROI TRACKING Code-->

Personally, I use NoScript. If I were using that page, I would have allowed scripts from discovercard.com but not from roiservice.com. However, I suspect that the javascript would still be loaded, just prevented from running.

In any case, I don't think you were pwned.
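The snippet above is the whole story: the Discover page is served with its own VeriSign certificate, but it tells the browser to fetch a script from track.roiservice.com over HTTPS, and that second connection is validated against roiservice.com's own chain. The following is an added example, not code from the thread, from Discover or from ROIService, that pulls every such third-party host out of a page so you can see in advance which hosts will get their own certificate check and which are fetched in the clear. The sample page, the /login path and the hosts other than track.roiservice.com are constructed for the example.

```python
"""List the other hosts a page makes its visitor's browser talk to.

Added example, not code from the thread or from Discover/ROIService. It
scans page HTML for <script>, <img>, <iframe>, <link>, <object> and
<embed> resources and groups them by host. Every host listed negotiates
its own TLS session and shows its own certificate, which is why a
certificate warning can name a host that never appears in the address
bar. The sample page below is constructed around the tracking snippet
quoted in the thread; the other hosts in it are made up.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that carries the fetched URL.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                  "link": "href", "object": "data", "embed": "src"}


class ResourceCollector(HTMLParser):
    """Collect (tag, absolute URL) for every resource-loading tag."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                # Relative ("/js/x.js") and protocol-relative ("//cdn/x.css")
                # references inherit the page's origin or scheme.
                self.resources.append((tag, urljoin(self.page_url, value)))


def third_party_hosts(page_url, html):
    """Return {host: sorted list of (tag, scheme)} for hosts other than the page's."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    own = urlsplit(page_url).hostname
    hosts = {}
    for tag, url in collector.resources:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # data:, javascript:, mailto: etc. open no connection
        if parts.hostname == own:
            continue
        hosts.setdefault(parts.hostname, set()).add((tag, parts.scheme))
    return {h: sorted(v) for h, v in hosts.items()}


def classify(page_url, html):
    """Label each third-party host: it either presents its own certificate to
    the browser, or (on an https page) is fetched in the clear as mixed content."""
    page_https = urlsplit(page_url).scheme == "https"
    labels = {}
    for host, uses in third_party_hosts(page_url, html).items():
        schemes = {scheme for _, scheme in uses}
        if "http" in schemes and page_https:
            labels[host] = "mixed content"
        elif "https" in schemes:
            labels[host] = "separate certificate"
        else:
            labels[host] = "plain http"
    return labels


# Constructed sample page: the /login path and the cdn/ads hosts are made up,
# the ROI snippet is the one quoted from the Discover page above.
SAMPLE_URL = "https://www.discovercard.com/login"
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<link rel="stylesheet" href="//static.cdn.example/style.css">
</head><body>
<!--BEGIN ROI TRACKING Code-->
<script language="javascript" src="https://track.roiservice.com/track/track.aspx?ROIID=938905107000023"></script>
<!--END ROI TRACKING Code-->
<img src="http://ads.example/pixel.gif">
<img src="/img/logo.png">
<a href="javascript:void(0)">skip</a>
</body></html>"""

if __name__ == "__main__":
    for host, label in sorted(classify(SAMPLE_URL, SAMPLE_HTML).items()):
        print(f"{host}: {label}")
```

Run against a saved copy of a login page, the output is the list of hosts whose certificates a browser will check in addition to the one in the address bar; a NoScript or hosts-file block on any of them is also what makes that host's warning disappear, as later posts in the thread observe.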
redwolfe_98 to Mele20
i went to the "www.discovercard.com" website.. when i checked the certificate, it was issued by "verisign trust network"..

nwrickert
Hmm. On checking that roiservice script, I see that the certificate was issued by Network Solutions, not by Comodo. That's with Firefox 3. I'm not sure why Mele20 saw a Comodo certificate, but perhaps there are several discovercard sites in a load balancing arrangement, and they have slightly different pages.
TheWiseGuy
If you look at the image in the first post, it includes Network Solutions and AddTrust in the hierarchy. I don't know enough about certs to completely understand the hierarchy but maybe that will help you explain it.

Grail Knight to redwolfe_98
Same thing in Fx v3.1b3.

MagnusM to Mele20
I did a bit of Googling on ROIService.com and there is very little information about them. They do however need to beef up their pre-employment screening of programmers, as they don't seem to exactly be hiring the cream of the crop if this post at WebDeveloper.com is anything to go by:
Convert this PHP to Javascript (Google Cache)
In addition, if you do a WHOIS query on roiservice.com, the owner comes up as Microsoft:
Registrant:
Microsoft Corporation
Domain Administrator
One Microsoft Way
Redmond, WA 98052
US
domains@microsoft.com
+1.4258828080 Fax: +1.4259367329

Domain Name: ROISERVICE.COM
Registrar of Record: Corporate Domains, Inc.
MagnusM to Mele20
I would say it's very unlikely that you got owned. Instead, what probably happened is that Firefox 1.5 didn't recognize that particular Network Solutions root certificate for one reason or another, and that is what caused the warning message to appear. Newer versions of Firefox probably do recognize it, which is why you're not getting the warning on newer versions.

EDIT: I think I know what happened here. If you look at the certificate chain in the screenshot, at the root is "AddTrust External CA Root". This is one of the Comodo resellers which recently was exposed as not verifying the web site owners identity before issuing certificates to sites. You probably disabled this Comodo reseller in your Firefox certificate options so that it was no longer trusted, which is why you got the warning message. In your virtual machine you had probably not done the same, which is why you didn't get the warning there.

ROIService.com seems to be just a run-of-the-mill tracking service used by Discover to gather statistics on their visitors. Of course, with so little information available on the company it's hard to tell exactly what they do, but it's a safe bet that had it been a malicious certificate-hacking man-in-the-middle-exploiting site, there would be news all over the web of this. Not a very likely scenario as my previous link dates the company back to at least 2005.

Cabal to Mele20
Being owned by one's own paranoia is a fairly good sign you've been spending too much time reading the security forum. There is a healthy balance, believe it or not.

planet
said by Cabal:

Being owned by one's own paranoia is a fairly good sign you've been spending too much time reading the security forum.
Been there, done that, got the T-shirt.
your moderator at work

Gaff to planet

At the end of the day if you even suspect that your info got hijacked then cancelling the card and ordering a replacement was the right thing to do.

From the post-mortem above it looks like your info was not actually intercepted and it's just a harmless tracking site, but there is no downside to being prudent and cancelling your card (other than having to wait on the replacement).

sbrook to Anon
nm
Mele20 to MagnusM
Hi Magnus, it is nice to see you here! It's been awhile.

I had all the Comodo certs and its resellers (AddTrust AB, Network Solutions and UserTrust Network) all disabled on Fx3. So, seems to me I should have gotten the untrusted cert warning on Fx3 also but I did not. That, plus the Discover website security guy telling me that Discover has no cert from track.roiservice.com connected to its login page for Account Services, made me suspicious that there was a man in the middle attack on Fx 1.5.

I did not do a WHOIS which I should have done. I did Google roiservice.com last night and found very little about them like you. Last night, I was able to type in »www.roiservice.com on Fx3 and I would get the cert warning (although I never got the warning when the address was for Discover Account Services). I could do the same thing -type in the address bar the roiservice.com - on 1.5 and get the warning. However, today both browsers say they can't find the site when the roiservice.com address is typed in the address bar. In fact, last night just before I went to sleep, I also got the 404 error when typing the roiservice.com in the address bar on either browser, but just a few minutes earlier I was getting the untrusted cert warning on both browsers when I typed that address in. That seems suspicious to me too.

As for the Discover website tech, maybe he is poorly trained. I asked him directly if roiservice.com was Discover's way of tracking users logging in and he said no. He said there was no certificate from Network Solutions that had anything to do with the Discover Account Services logon page. Since the WHOIS shows Microsoft as the owner this must be something benign...but then why do I now get a 404 error when trying to reach the roiservice.com site using ssl and also without ssl? Why don't I still get the untrusted cert popup when using ssl and why can't I get (using non SSL) to the site like I could last night?

My conclusion, at this point, is that Fx 3 does not encounter roiservice.com at all when going to Discover Account Services page. Fx 1.5 still encounters roiservice.com when going to the same Discover page. On both browsers all Comodo related certs are disabled. Perhaps, there is something about Fx3 cert handling that greatly differs from 1.5 (and is better handling) that would explain why I get the untrusted cert popup on 1.5, but not on 3 and I have the same certs disabled on both. 1.5 does not have a direct Cert for Network Solutions. It is handled under AddTrust but in Fx3, there is now a separate cert just for Network Solutions and maybe that difference between the two browsers explains somehow why I get the warning in 1.5 but not in 3. I don't think I buy this though as the full explanation.
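The two explanations floated above (a chain that ends in a root the user has switched off, versus a browser that carries a separate trusted Network Solutions root so the chain never has to reach AddTrust) can be made concrete with a path walk. This is an added example, not Firefox/NSS code and not from the thread: it takes the subject and issuer names visible in the first post's screenshot as a constructed chain and evaluates it against three assumed trust stores. It checks names only, no signatures, expiry or revocation, and it does not settle which store the poster's Firefox 3 actually had; it only shows that one chain legitimately produces a warning under one store and none under another.

```python
"""Why one trust store rejects the track.roiservice.com chain and another accepts it.

Added example, not code from the thread, from Firefox/NSS or from any CA.
It models the chain in the first post's screenshot (leaf -> Network Solutions
CA -> AddTrust External CA Root) as subject/issuer names and builds a path the
way a browser does: walk issuers upward and stop as soon as the issuer is a
trust anchor. The certificate names, the three trust-store contents and the
"disabled root" semantics are assumptions for illustration; no signatures,
validity dates or name constraints are checked.
"""
from collections import namedtuple

Cert = namedtuple("Cert", "subject issuer")

# The chain as the server presents it (constructed from names quoted in the thread).
SERVER_CHAIN = [
    Cert("track.roiservice.com", "Network Solutions Certificate Authority"),
    Cert("Network Solutions Certificate Authority", "AddTrust External CA Root"),
    Cert("AddTrust External CA Root", "AddTrust External CA Root"),  # self-signed root
]

# Trust stores: subject name -> True (trusted anchor) or False (present, but its
# "identify websites" trust bit cleared, as the poster did for the Comodo roots).
STORE_DEFAULT = {"AddTrust External CA Root": True}
STORE_ADDTRUST_DISABLED = {"AddTrust External CA Root": False}
STORE_WITH_NETSOL_ROOT = {"AddTrust External CA Root": False,
                          "Network Solutions Certificate Authority": True}


def build_path(leaf_subject, chain, trust_store):
    """Return (status, anchor, path_subjects).

    status is "trusted", "distrusted_anchor" (the path reaches a root the user
    switched off) or "unknown_ca" (no anchor reachable at all). A browser shows
    the last two the same way: a certificate warning and, on the wire, a fatal
    unknown_ca alert.
    """
    by_subject = {c.subject: c for c in chain}
    cert = by_subject.get(leaf_subject)
    if cert is None:
        return "unknown_ca", None, []
    path = []
    while True:
        path.append(cert.subject)
        if cert.issuer in trust_store:
            # Path ends as soon as the issuer is an anchor, whatever else was sent.
            if trust_store[cert.issuer]:
                return "trusted", cert.issuer, path
            return "distrusted_anchor", cert.issuer, path
        if cert.issuer == cert.subject:
            return "unknown_ca", None, path  # self-signed, not an anchor
        nxt = by_subject.get(cert.issuer)
        if nxt is None or nxt.subject in path:
            return "unknown_ca", None, path  # issuer missing, or a loop
        cert = nxt


def verdicts(leaf="track.roiservice.com", chain=SERVER_CHAIN):
    """Status of the same chain under each assumed trust store."""
    stores = [("default", STORE_DEFAULT),
              ("addtrust_disabled", STORE_ADDTRUST_DISABLED),
              ("netsol_root_trusted", STORE_WITH_NETSOL_ROOT)]
    return {name: build_path(leaf, chain, store)[0] for name, store in stores}


if __name__ == "__main__":
    for name, status in verdicts().items():
        print(f"{name}: {status}")
```

The point the walk makes is that an intermediate becomes irrelevant the moment a store lists it as an anchor in its own right: with the Network Solutions CA trusted directly, the path is one certificate long and AddTrust's trust bits are never consulted. A store with AddTrust disabled and no separate Network Solutions anchor walks all the way up and stops on the disabled root, which is exactly the warning the first post shows.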
Mele20 to Gaff
said by Gaff:

At the end of the day if you even suspect that your info got hijacked then cancelling the card and ordering a replacement was the right thing to do.

From the post-mortem above it looks like your info was not actually intercepted and it's just a harmless tracking site, but there is no downside to being prudent and cancelling your card (other than having to wait on the replacement).
I agree. Being prudent is the best thing. Yeah, I'll have to wait for a new card and then I have yp reregister again at the Discover site but I'd rather be overly cautious than not cautious enough when it has to do with internet banking. If the Discover website guy had simply said roiservices.com is what we use to track our users I would not have cancelled the card.

amysheehan to Mele20
I went to: »www.discovercard.com/car ··· /ac_main

and got no popup and the cert was signed and issued by VeriSign for discovercard - but this was using IE7

Just to verify for you using an alternate browser.

HTH

-amy-
TheWiseGuy to Mele20
said by Mele20:

My conclusion, at this point, is that Fx 3 does not encounter roiservice.com at all when going to Discover Account Services page. Fx 1.5 still encounters roiservice.com when going to the same Discover page.
It does. It connects to roiservice and ends the connection with a fatal error Unknown CA. (I also have unchecked the Comodo CAs)
said by Wireshark:

TLSv1 Record Layer: Alert (Level: Fatal, Description: Unknown CA)
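That one line from Wireshark is the browser's own verdict on the chain and it can be read straight off the wire. As an added example (not from the thread and not Wireshark's code), the decoder below parses a raw TLS record-layer alert and names its level and description from the RFC 5246 registry; the seven capture bytes it runs on are constructed to match the alert quoted, not taken from the poster's trace.

```python
"""Decode TLS alert records such as the "Unknown CA" alert captured above.

Added example, not code from the thread. It parses the raw bytes of a
TLS record-layer alert (what Wireshark summarises as
"Alert (Level: Fatal, Description: Unknown CA)") and names the level and
description from the RFC 5246 alert registry. Only plaintext alerts are
handled, which is all a certificate rejection ever is: the client sends it
before any keys are in use. The sample bytes are constructed.
"""
import struct

CONTENT_TYPE_ALERT = 0x15
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}

# AlertDescription values from RFC 5246 section 7.2 (plus 110 from RFC 6066).
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    60: "export_restriction", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 90: "user_canceled", 100: "no_renegotiation",
    110: "unsupported_extension",
}

# Alerts a client sends when it cannot validate the server's certificate chain.
CERT_VALIDATION_ALERTS = {42, 43, 44, 45, 46, 48}


def parse_records(data):
    """Split a byte string into (content_type, (major, minor), payload) records."""
    records = []
    offset = 0
    while offset + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[offset:offset + 5])
        payload = data[offset + 5:offset + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record")
        records.append((ctype, (major, minor), payload))
        offset += 5 + length
    if offset != len(data):
        raise ValueError("trailing bytes after last record")
    return records


def decode_alert(payload):
    """Return (level_name, description_name) for a 2-byte plaintext alert body."""
    if len(payload) != 2:
        raise ValueError("plaintext alert body must be exactly 2 bytes")
    level, desc = payload
    return (ALERT_LEVELS.get(level, f"level_{level}"),
            ALERT_DESCRIPTIONS.get(desc, f"description_{desc}"))


def explain(data):
    """For each alert record in a capture, give (version, level, description,
    is_certificate_rejection)."""
    out = []
    for ctype, (major, minor), payload in parse_records(data):
        if ctype != CONTENT_TYPE_ALERT:
            continue  # handshake, application data, etc.
        level, desc = decode_alert(payload)
        version = VERSIONS.get((major, minor), f"{major}.{minor}")
        out.append((version, level, desc, payload[1] in CERT_VALIDATION_ALERTS))
    return out


# Constructed capture: content type 0x15 (alert), version 3.1 (TLSv1),
# length 2, level 2 (fatal), description 48 (unknown_ca).
SAMPLE_ALERT = bytes.fromhex("15030100020230")

if __name__ == "__main__":
    for version, level, desc, cert_problem in explain(SAMPLE_ALERT):
        print(f"{version} alert: {level} {desc}"
              + (" (client rejected the certificate chain)" if cert_problem else ""))
```

The direction of the alert is the detail worth noting when reading a capture: this one travels from the client to track.roiservice.com, so it is the browser refusing the chain, not the tracking host refusing the browser. A fatal alert also closes the connection, which is why blocking the host or distrusting its root produces the same visible result: the script simply never arrives.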
SipSizzurp to Mele20
said by Mele20:

..then I have yp reregister again at the Discover site ...
Just call the 800# on the sticker to activate, and leave your computer out of it.

Only a genuine typist could turn "to" into "yp"

nwrickert to Mele20
That, plus the Discover website security guy telling me that Discover has no cert from track.roiservice.com connected to its login page for Account Services, ...
The way it works, the Discover page references a track.roiservice.com script. It is up to the roiservice.com site to provide the certificate. So the Discover website would not be expected to have that certificate.
My conclusion, at this point, is that Fx 3 does not encounter roiservice.com at all when going to Discover Account Services page.
But it does, as I showed in an earlier post in this thread.

NetFixer to Mele20
Several posters have said that they did not see the certificate for track.roiservice.com. I just went to the DiscoverCard site, and I did not see it either. The reason I did not see it was that track.roiservice.com is blocked by my hosts file. I suspect that a hosts file entry or some other security measure that blocks that site is also why others did not see the track.roiservice.com certificate.

Its a Secret
It's in the MVPS hosts file, but is listed as a McAfee tracking cookie. Nonetheless, it did its job on the DiscoverCard site as well.