Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

China denies role in Gmail account attacks

Gregg Keizer, Computerworld | June 2, 2011
A Chinese official denied accusations that the government was responsible for attacks that accessed hundreds of Google Gmail accounts.

Parkour did not report her findings directly to Google -- "It was not a zero day, just some old way to dupe," she said -- but simply posted her findings on her Contagio Malware Dump blog.

Among the emails Parkour uncovered were ones that spoofed sending addresses from the U.S. Department of State and the Office of the Secretary of Defense, hinting that the targets worked in the same agencies.

Parkour was most concerned with the attack's aggressiveness and its attempt to hijack Gmail accounts, which then gave the hackers the ability to either read the messages directly in the inbox or secretly forward selected messages to a secondary account.

"It is an old-school approach, but it worked and worked well," she said.

Sam Masiello, chief security officer at Return Path, a New York City-based email certification company, agreed that the Gmail phishing campaign was nothing new.

"It was no different than any other phishing campaign other than the type of people who were being victimized," said Masiello, who pointed out that, contrary to some headlines yesterday, Google or Gmail were not hacked.

"There was no vulnerability in Gmail," Masiello said. "But these types of folks have access to a lot of privileged information."

Masiello also noted that once the hackers had a victim's Gmail account password, they could try to hijack his or her official government or military account using that same password. "Some people do have a habit of using the same password for multiple sites and accounts, so there could be a potential tie there, as well," said Masiello.

Google said it had notified victims and secured their accounts. The company also spelled out steps all Gmail users can take to better protect themselves against phishing attacks.

"There is no such thing as too many reminders and too much user education," said Parkour. "It helps especially when [people] see how easy it is to fall for simple tricks."

Google declined to comment about the attacks or the timetable of its investigation, and instead pointed to the Wednesday blog post by Eric Grosse, the director engineering on Google's security team.

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.