Firm points finger at Iran for SSL certificate theft

23.03.2011

"The IP address of the initial attack ... has been determined to be assigned to an ISP in Iran," said Comodo. "A Web survey revealed one of the certificates [was] deployed on another IP address assigned to an Iranian ISP."

That server went offline shortly after Comodo revoked the certificates.

Fake certificates can be used by attackers to fool users into thinking that they're at a legitimate site when in reality they're not, said Andrew Storms, director of security operations at nCircle Security.

"They would be used in a 'man-in-the-middle' kind of attack," said Storms. "They could use [the bogus certificates] to host a site that looks like one of these real sites, then capture people's log-ins."

Comodo echoed Storms' take on the attack's implications, but speculated that it was a government-backed effort.
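The man-in-the-middle use of a fraudulently issued certificate that Storms describes can be shown in code. The following Go program is an added example, not code from the article, from Comodo or from nCircle: it puts two root CAs into a client trust store, has each of them issue a certificate for the same hostname, and shows that an ordinary chain check accepts the attacker's certificate exactly as readily as the genuine one, while a public-key pin (SHA-256 over the SubjectPublicKeyInfo) tells them apart. The CA names, the hostname login.example.com and every function name are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const targetHost = "login.example.com" // hostname the attacker impersonates (constructed)

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// signAndParse signs tmpl with signer (the parent's key) and returns the parsed certificate.
func signAndParse(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// newRootCA builds a self-signed root certificate; name is a constructed label.
func newRootCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return signAndParse(tmpl, tmpl, &key.PublicKey, key), key
}

// issueServerCert has ca sign a certificate for targetHost using a fresh key.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: targetHost},
		DNSNames:     []string{targetHost},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return signAndParse(tmpl, ca, &key.PublicKey, caKey)
}

// chainsToTrustedRoot is the check a browser makes: a valid chain from the leaf to any
// trusted root for this hostname. It does no CRL/OCSP lookup, so revocation alone does not change its answer.
func chainsToTrustedRoot(leaf *x509.Certificate, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: targetHost, Roots: roots})
	return err == nil
}

// spkiPin is the hex SHA-256 of the SubjectPublicKeyInfo, the value a public-key pin compares against.
func spkiPin(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo))
}

// runScenario trusts two roots, has each issue a cert for the same host, and reports the verdicts.
func runScenario() (rogueChains, roguePinMatches, legitAccepted bool) {
	legitCA, legitKey := newRootCA("Legitimate Root CA")            // constructed name
	rogueCA, rogueKey := newRootCA("Abused Registration Authority") // constructed name
	roots := x509.NewCertPool()
	roots.AddCert(legitCA)
	roots.AddCert(rogueCA) // both are in the client's trust store, as with a real browser
	legitLeaf := issueServerCert(legitCA, legitKey)
	rogueLeaf := issueServerCert(rogueCA, rogueKey) // the attacker's certificate for the same site
	pin := spkiPin(legitLeaf)                       // the key the client has pinned for targetHost
	rogueChains = chainsToTrustedRoot(rogueLeaf, roots)
	roguePinMatches = spkiPin(rogueLeaf) == pin
	legitAccepted = chainsToTrustedRoot(legitLeaf, roots) && spkiPin(legitLeaf) == pin
	return
}

func main() {
	rc, rp, la := runScenario()
	fmt.Println("rogue chains:", rc, "rogue matches pin:", rp, "legit accepted:", la)
}
```

Running it with `go run` reports that the rogue certificate chains to a trusted root (true), does not match the pin (false), and that the legitimate certificate passes both checks (true). The chain check in this program performs no revocation lookup, so a revocation like the one Comodo carried out protects only a client that actually consults a CRL or OCSP responder and fails closed when it cannot reach one; a pinned key, or an explicit blocklist of the known bad certificates, does not depend on that.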