[lambda]

Not sure if that's the case. Most people he was impersonating himself to probably don't know enough to find and check PGP signatures; especially since most email does not come with PGP signatures, the lack of a signature is not something that would cause anyone to bat an eyelash.

[cookiecaper]

If he prominently announced on his sites "DO NOT accept anything without a cryptographic signature as authentic", it is likely to have worked. It's not like the targeted victims had not visited Cyanogen's site or done any research before.

And at worst, a policy of signing all emails makes it so he can't be framed; someone can't alter mails and claim they were sent in that state, and if this guy thought he was going to be caught and went into the mail server to try and plant the evidence so that when the deals fell through the real Cyanogen was still on the hook, he wouldn't be able to reproduce a valid signature and one would say "Cyanogen was obviously framed, as he would never certify a deal in an email without a cryptographic signature".

[jrockway]

How would have they distributed the keys? I can easily upload a key with an arbitrary id and username to any public keyserver. You have to actually check that you trust the key by utilizing the web of trust.

Alternatively, you could use SSL certificates, but since the attacker controlled cyanogenmod.com, he probably could have social-engineered the CA to issue him an email certificate.

Trust is hard.