02 June 2011 | 6,818 views

Targeted Phishing Attacks Carried Out On Gmail – Likely From China

Check Your Web Security with Acunetix

It was just about a week ago when we wrote about the technical flaw in Hotmail and the fact that the Hotmail Exploit Has Been Silently Stealing E-mail for some time.

The latest news is some hackers have been targeting users of the Gmail service, specifically US government officials. This comes shortly after the news of Lockheed Martin being compromised and a second military contractor being attacked using RSA SecurID tokens today.

It is what’s known as a ‘spear phishing’ attack – which means it’s aimed at a specific organization or in this case specific individuals. It’s not a shotgun approach – where they spray e-mails everywhere, more like a sniper rifle.

Google has detected a targeted campaign to collect hundreds of personal Gmail passwords, many of them belonging to senior US government officials, Chinese political activists, military personnel, and journalists.

The accounts may have been compromised using spear phishing techniques in which victims received highly personalized messages that contained links to counterfeit Gmail pages, according to a blog post published in February that Google cited when disclosing the attacks on Wednesday. Google said the campaign “appears to originate from Jinan, China” but didn’t share any evidence supporting that claim.

“The goal of this effort seems to have been to monitor the contents of these users’ emails, with the perpetrators apparently using stolen passwords to change people’s forwarding and delegation settings,” Google’s blog post, titled “Ensuring your information is safe online,” stated. “Google detected and has disrupted this campaign to take users’ passwords and monitor their emails. Company officials have alerted the victims and “relevant government authorities.”

According to the February blog post, some of the phishing pages were hosted using the free dyndns.org service and contained images and text that were almost indistinguishable from those hosted on the real Google service. The links were “customized and individualized for each target,” independent security researcher Mila Parkour wrote

They are using the same old trick of getting the passwords then changing the forwarding settings so they can receive all the e-mails sent to that account somewhere else.

The attacks are said to originate from China, but as I’m sure you all know – just because the IP is in China it doesn’t mean the attacker is physically there too.

It’s a pretty systematic attack and extremely hard to defend against, because once they’ve compromised a few accounts of people that know each other – they can then make the personalized phishing mails even more relevant and convincing.

Once accounts were compromised attackers created rules to automatically forward all received email to accounts under their control, Parkour said. The attackers then used the purloined email to “gather information about the closets associates and family/friends” and exploited “the harvested information for making future mailings more plausible.”

Parkour’s post showed a half-dozen emails exchanged in the campaign, several of which contained Pentagon and US State Department addresses.

“This is the latest version of the State’s joint statement,” one fraudulent email read. “My understanding is that State put in placeholder econ language and am happy to have us fill in but in their rush to get a cleared version from the WH, they sent the attached to Mike.”

The email contained what appeared to be a Microsoft Word document as an attachment.

The incident harkens back to a separate attack Google disclosed in January 2010, that targeted the company’s source code and the Gmail accounts of human rights activists in China. Unlike the most recent phishing campaign, the “highly sophisticated and targeted attack” from 2010 exploited vulnerabilities on Google’s network to gain unauthorized access. Dozens of other companies were also targeted in the earlier attack.

Google’s blog post provides a variety of tips for keeping accounts secure. They include use of a two-step verification procedure when logging in to accounts to add an extra layer of security to the login process. Gmail also warns users of suspicious logins to their accounts.

Google does have a variety of security measure, they allow you see account activity details, IP addresses logged into your account and they do warn you of any suspicious activity. Recently they also started supporting two-factor authentication using tokens, this would totally defeat these kind of phishing attacks.

They support both SMS based authentication and application based (for iPhone, Android and BlackBerry).

So if you’re using a Google account, make sure it’s secure!

Source: The Register



Recent in Phishing:
- spt v0.6.0 – Simple Phishing Toolkit Available For Download
- Russian Cyber-Crime Market Doubled In 2011
- Targeted Phishing Attacks Carried Out On Gmail – Likely From China

Related Posts:
- More Cyberterrorism – Taiwan Political Party Accuses China of Hacking
- Hackers Break Into White House Military Network
- IMF (International Monetary Fund) Suffer Major Breach In Sophisticated Cyberattack

Most Read in Phishing:
- Twitter DM Phishing Scam - 28,874 views
- yahoo password grabber - 19,014 views
- Digital Underground Offering Cheap Botnets For Hire - 14,852 views

Low-cost VPS Hosting

2 Responses to “Targeted Phishing Attacks Carried Out On Gmail – Likely From China”

  1. Fred 5 June 2011 at 7:20 am Permalink

    Cannot recommend the gmail 2 factor authentication enough.
    It has not inconvenienced me at all, although I use the smart phone app

    http://www.google.com/support/accounts/bin/static.py?page=guide.cs&guide=1056283&topic=1056284&hl=en

    Fred

  2. Emeks 13 June 2011 at 5:27 pm Permalink

    gmail 2 factor authentication is more than enough. Users needs to be extremely careful in order to identify phishing sites