Targeted Phishing Attacks Carried Out On Gmail – Likely From China

It was just about a week ago when we wrote about the technical flaw in Hotmail and the fact that the Hotmail Exploit Has Been Silently Stealing E-mail for some time.

The latest news is some hackers have been targeting users of the Gmail service, specifically US government officials. This comes shortly after the news of Lockheed Martin being compromised and a second military contractor being attacked using RSA SecurID tokens today.

It is what’s known as a ‘spear phishing’ attack – which means it’s aimed at a specific organization or in this case specific individuals. It’s not a shotgun approach – where they spray e-mails everywhere, more like a sniper rifle.

Google has detected a targeted campaign to collect hundreds of personal Gmail passwords, many of them belonging to senior US government officials, Chinese political activists, military personnel, and journalists.

The accounts may have been compromised using spear phishing techniques in which victims received highly personalized messages that contained links to counterfeit Gmail pages, according to a blog post published in February that Google cited when disclosing the attacks on Wednesday. Google said the campaign “appears to originate from Jinan, China” but didn’t share any evidence supporting that claim.

“The goal of this effort seems to have been to monitor the contents of these users’ emails, with the perpetrators apparently using stolen passwords to change people’s forwarding and delegation settings,” Google’s blog post, titled “Ensuring your information is safe online,” stated. “Google detected and has disrupted this campaign to take users’ passwords and monitor their emails.” Company officials have alerted the victims and “relevant government authorities.”

According to the February blog post, some of the phishing pages were hosted using the free dyndns.org service and contained images and text that were almost indistinguishable from those hosted on the real Google service. The links were “customized and individualized for each target,” independent security researcher Mila Parkour wrote.

They are using the same old trick of getting the passwords then changing the forwarding settings so they can receive all the e-mails sent to that account somewhere else.

The attacks are said to originate from China, but as I’m sure you all know – just because the IP is in China it doesn’t mean the attacker is physically there too.

It’s a pretty systematic attack and extremely hard to defend against, because once they’ve compromised a few accounts of people that know each other – they can then make the personalized phishing mails even more relevant and convincing.


Once accounts were compromised, attackers created rules to automatically forward all received email to accounts under their control, Parkour said. The attackers then used the purloined email to “gather information about the closest associates and family/friends” and exploited “the harvested information for making future mailings more plausible.”

Parkour’s post showed a half-dozen emails exchanged in the campaign, several of which contained Pentagon and US State Department addresses.

“This is the latest version of the State’s joint statement,” one fraudulent email read. “My understanding is that State put in placeholder econ language and am happy to have us fill in but in their rush to get a cleared version from the WH, they sent the attached to Mike.”

The email contained what appeared to be a Microsoft Word document as an attachment.

The incident harks back to a separate attack Google disclosed in January 2010 that targeted the company’s source code and the Gmail accounts of human rights activists in China. Unlike the most recent phishing campaign, the “highly sophisticated and targeted attack” from 2010 exploited vulnerabilities on Google’s network to gain unauthorized access. Dozens of other companies were also targeted in the earlier attack.

Google’s blog post provides a variety of tips for keeping accounts secure. They include use of a two-step verification procedure when logging in to accounts to add an extra layer of security to the login process. Gmail also warns users of suspicious logins to their accounts.

Google does have a variety of security measures: they allow you to see account activity details and the IP addresses that have logged into your account, and they warn you of any suspicious activity. Recently they also started supporting two-factor authentication using tokens, which would totally defeat this kind of phishing attack.
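The two signals this post describes, a login from an unfamiliar address followed by a forwarding or delegation change that sends a victim's mail to an outside account, are what a defender would want to alert on. The following is an added example, not code from the original post or from Google; it assumes a simplified, constructed event schema (not the real Gmail audit log), plus hypothetical trusted domains and office network ranges.

```python
from ipaddress import ip_address, ip_network

# Constructed mailbox-setting events (an assumed simplified schema, not the
# real Gmail audit log); each record is one action taken in one account.
SAMPLE_EVENTS = [
    {"user": "analyst@example.gov", "ip": "203.0.113.7", "action": "login"},
    {"user": "analyst@example.gov", "ip": "203.0.113.7", "action": "add_forwarding",
     "target": "analyst-backup@mail.example.gov"},
    {"user": "analyst@example.gov", "ip": "198.51.100.9", "action": "login"},
    {"user": "analyst@example.gov", "ip": "198.51.100.9", "action": "add_forwarding",
     "target": "docs.update@webmail-verify.example.net"},
    {"user": "analyst@example.gov", "ip": "198.51.100.9", "action": "add_delegate",
     "target": "helper@webmail-verify.example.net"},
]

# Assumptions: the organisation's own mail domains and its office network ranges.
TRUSTED_DOMAINS = {"example.gov", "mail.example.gov"}
TRUSTED_NETS = [ip_network("203.0.113.0/24")]


def from_trusted_net(ip: str) -> bool:
    """True when the source address falls inside a known office range."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_mailbox_takeover(events):
    """Flag the pattern described in the post: an unfamiliar login, and any
    forwarding or delegation target outside the organisation's domains.
    A settings change made from an unfamiliar address is marked high confidence."""
    alerts = []
    for ev in events:
        unfamiliar = not from_trusted_net(ev["ip"])
        if ev["action"] == "login" and unfamiliar:
            alerts.append({"user": ev["user"], "ip": ev["ip"],
                           "reason": "unfamiliar_login"})
        elif ev["action"] in ("add_forwarding", "add_delegate"):
            domain = ev["target"].rsplit("@", 1)[-1].lower()
            if domain not in TRUSTED_DOMAINS:
                alerts.append({"user": ev["user"], "ip": ev["ip"],
                               "reason": "external_" + ev["action"][4:],
                               "target": ev["target"],
                               "high_confidence": unfamiliar})
    return alerts


if __name__ == "__main__":
    for alert in find_mailbox_takeover(SAMPLE_EVENTS):
        print(alert)
```

The internal forwarding rule from the office range is deliberately left unflagged; only the external targets, and the login that preceded them, produce alerts.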

They support both SMS based authentication and application based (for iPhone, Android and BlackBerry).

So if you’re using a Google account, make sure it’s secure!

Source: The Register

Posted in: Phishing




2 Responses to Targeted Phishing Attacks Carried Out On Gmail – Likely From China

  1. Fred June 5, 2011 at 7:20 am #

    Cannot recommend the gmail 2 factor authentication enough.
    It has not inconvenienced me at all, although I use the smart phone app

    http://www.google.com/support/accounts/bin/static.py?page=guide.cs&guide=1056283&topic=1056284&hl=en

    Fred

  2. Emeks June 13, 2011 at 5:27 pm #

    gmail 2 factor authentication is more than enough. Users need to be extremely careful in order to identify phishing sites