An attack apparently coming from Jinan – the capital of China’s Shandong province – against personal Gmail accounts belonging to hundreds of users has been spotted and disrupted by Google.
According to the post published yesterday on the official Google blog, among the targeted individuals are a number of “senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists.”
Details revealed by Google and by Mila Parkour of the Contagio blog – who, by the way, spotted the attack back in February – point to a rather simple phishing attack.
“Victims get a message from an address of a close associate or a collaborating organization/agency, which is spoofed,” she explains. “The message is crafted to appear like it has an attachment with links like View Download and a name of the supposed attachment. The link leads to a fake Gmail login page for harvesting credentials.”
The ultimate goal of the attack is to spy on the owner by forwarding all incoming mail to the attackers' email address, but the compromised email account also serves as a staging point for sending out the booby-trapped emails to the victim’s contacts in order to compromise their email accounts.
Google says it has notified the victims of the attack and relevant government authorities, and that it has secured the affected accounts.
To prevent similar incidents, the company advises users to enable 2-step verification, use strong passwords, avoid entering them anywhere except the proper sign-in page, check their Gmail settings for suspicious forwarding addresses or delegated accounts, and keep an eye out for warnings about suspicious account activity.
“It’s important to stress that our internal systems have not been affected—these account hijackings were not the result of a security problem with Gmail itself,” it points out. “But we believe that being open about these security issues helps users better protect their information online.”
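The settings check Google advises (forwarding addresses and delegated accounts) can be scripted. The following is an added example, not code from Google or the Contagio blog: it audits a constructed settings snapshot whose field names follow the Gmail API settings resources, and the `APPROVED` list and all addresses are assumptions.

```python
# Added example: flag mail forwarding and delegation the owner did not set up.
# SETTINGS is constructed sample data; field names follow the Gmail API
# settings resources (autoForwarding, forwardingAddresses, filters, delegates).
SETTINGS = {
    "autoForwarding": {"enabled": True, "disposition": "leaveInInbox",
                       "emailAddress": "archive@collector.example"},
    "forwardingAddresses": [
        {"forwardingEmail": "archive@collector.example", "verificationStatus": "accepted"},
        {"forwardingEmail": "me@work.example", "verificationStatus": "accepted"},
    ],
    "filters": [
        {"id": "f1", "criteria": {"from": "newsletter@news.example"},
         "action": {"addLabelIds": ["TRASH"]}},
        # A filter with empty criteria matches every incoming message.
        {"id": "f2", "criteria": {}, "action": {"forward": "Archive@Collector.example"}},
    ],
    "delegates": [{"delegateEmail": "assistant@work.example",
                   "verificationStatus": "accepted"}],
}

# Assumption: addresses the account owner knowingly configured.
APPROVED = {"me@work.example", "assistant@work.example"}


def norm(addr):
    """Compare addresses case-insensitively and ignore stray whitespace."""
    return (addr or "").strip().lower()


def audit(settings, approved):
    """Return (kind, address, detail) for every unapproved mail recipient."""
    approved = {norm(a) for a in approved}
    findings = []

    def check(kind, addr, detail=""):
        if norm(addr) and norm(addr) not in approved:
            findings.append((kind, norm(addr), detail))

    auto = settings.get("autoForwarding", {})
    if auto.get("enabled"):
        check("auto-forwarding", auto.get("emailAddress"), auto.get("disposition", ""))
    for fa in settings.get("forwardingAddresses", []):
        check("forwarding-address", fa.get("forwardingEmail"), fa.get("verificationStatus", ""))
    for f in settings.get("filters", []):
        fwd = f.get("action", {}).get("forward")
        scope = "matching mail" if f.get("criteria") else "all mail"
        check("filter-forward", fwd, f"filter {f.get('id')} ({scope})")
    for d in settings.get("delegates", []):
        check("delegate", d.get("delegateEmail"), d.get("verificationStatus", ""))
    return findings
```

Forwarding filters are checked as well as the account-wide forwarding switch, because a filter can copy mail out while the main forwarding setting looks disabled.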