Certificate does not equal legimitate - never has
>>The domain also had a digital certificate from Comodo to make it look nice and legit
We have brain washed users for years to look for the visual indicators to confirm a site's legitimacy. This has always been the wrong assertion for what is actually happening. All a certificate is doing is ensuring the data between the user's browser and the web-server is encrypted not that it is legitimate.
The debate around EV certificates looks like is heading for the same conclusion for the same reasons. The psychology of positive indicators vs the psychology of negative indicators is well worth a read.
Biting the hand that feeds IT
