Google has admitted that some of its users have received phishing messages that stole passwords.
According to Eric Grosse, engineering director at the Google Security Team, the campaign targeted personal Gmail accounts of senior US government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists.
Grosse stressed that Google's internal systems had not been affected and that the campaign appeared to have originated from Jinan, China.
He said: “The goal of this effort seems to have been to monitor the contents of these users' emails, with the perpetrators apparently using stolen passwords to change people's forwarding and delegation settings.
“Google detected and has disrupted this campaign to take users' passwords and monitor their emails. We have notified victims and secured their accounts. In addition, we have notified relevant government authorities.
“Please spend ten minutes today taking steps to improve your online security so that you can experience all that the internet offers, while also protecting your data.”
The attack was initially detected in February. Mila Parkour from the Contagio blog said that the ‘spear phishing method used in this attack is far from being new or sophisticated’ but that the attack was ‘particularly invasive’.
Mila said that when credentials are harvested from the fake Gmail login page, the attacker logs into the victim's Gmail account and forwards all incoming mail to another account, sends mail to contacts or simply reads mail and gathers information about the closest associates and family/friends, especially frequent correspondents.
Chris Russell, VP of engineering at Swivel Secure, told SC Magazine that he felt this was an advancement in phishing as it moved on from ‘please login here’ alerts. “With this it is slightly more enabled, I think individuals may find sensitive information, there have been issues highlighted with the leaking of information and this will allow an easy target to be attacked,” he said.
Last September Gmail introduced a two-factor authentication process for login using a one-time password delivered by SMS. I asked Russell whether, had that been used, this attack could have been prevented.
He said: “From what I know there has been a low take-up of this and I have heard about problems with the latency of messages with the time they take to arrive as well as usability issues. It can be an opt-in solution but the way people think this would not happen to me means that there are two issues here: a perception of risk; and that any security solution must be easy to use.”
Jason Hart, CEO of Cryptocard, said: “The type of hack that has been undertaken on Gmail is one of the oldest tricks in the book and shows exactly why a reliance on static passwords is both dangerous and damaging.
“It is sad that it takes US government officials being hacked to make this issue news, as this type of phishing exercise takes place in offices and homes throughout the world on a daily basis.
“Using a simple password has always been a risk and the advent of cloud services has amplified this. Everyone with a stake in IT security should see the Gmail attack as a harbinger of things to come and should act now to bring in stronger authentication.”
Chester Wisniewski, senior security advisor at Sophos Canada, said that the phishing messages appear to be handcrafted and spoofed to seem to be from governmental colleagues of many of the victims. However, while Gmail attachments usually appear with a paper clip and links to view or download the item, these emails use HTML with fake attachment links that actually lead to a phishing page designed to look identical to the Gmail login page.
Wisniewski said: “While this attack is not specifically a problem with Gmail, it is a widespread security weakness in many cloud services. Google sharing information with the public about how these attacks are executed helps all of us learn from these situations and build better systems.
“Google gives some good advice in their post, although it seems strange that they feel the need to push Google Chrome as a solution to all security problems.”
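The tell that Wisniewski describes, an HTML message whose attachment-style “View” and “Download” links lead to a look-alike login page instead of Gmail, can be checked mechanically on the receiving side. The following Python is an added example, not code from Google, Sophos or this article; the Google-domain allow list and the sample message body are assumptions constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed (not from the article): hosts Gmail itself uses for attachment and document links.
TRUSTED_SUFFIXES = (".google.com",)
# Link text that looks like an attachment: a document filename, or the "View" /
# "Download" wording Gmail shows next to a real attachment.
ATTACHMENT_TEXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|zip)$|^(view|download)\b", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_fake_attachment_links(html_body):
    """Return (text, href) for links that look like attachments but leave Google."""
    parser = _LinkCollector()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        trusted = host == "google.com" or host.endswith(TRUSTED_SUFFIXES)
        if ATTACHMENT_TEXT.search(text) and not trusted:
            flagged.append((text, href))
    return flagged


# Constructed sample in the shape the article describes: an attachment row whose
# "View"/"Download" links point at a look-alike login page instead of Gmail.
SAMPLE_BODY = """<p>Please review the attached draft before the meeting.</p>
<table><tr><td>agenda.pdf</td>
<td><a href="http://mail-google-login.example.net/ServiceLogin">View</a>
<a href="http://mail-google-login.example.net/ServiceLogin">Download</a></td></tr></table>
<p><a href="https://mail.google.com/mail/">Open in Gmail</a></p>"""
```

Running `find_fake_attachment_links(SAMPLE_BODY)` flags both attachment-style links and leaves the genuine mail.google.com link alone; the same check applied to `.google.com` links returns nothing.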