Impersonation <> properly signed (by the CA) certificate. How are they getting around this? How are they signing the cert such that client is accepting it without a security warning? Surely that is the most interesting bit here?
Anyone can issue a cert for any site, getting that cert trusted by the client is the hard bit.