Remember the phishing attack against government officials and political activists that was disrupted by Google in June? Well, it’s far from over.
The goal remains the same – the attackers are still after Gmail login credentials of personal email accounts belonging to military and government employees and associates. The approach is also similar to the previous one, as the potential victims are again targeted with specially crafted emails.
This time, though, the attackers do not offer an attachment that leads to a phishing page mimicking Google’s login page, but have made the email look like a form for activating a subscription to a number of publications by The Center for a New American Security (CNAS), a Washington-based think tank.
Mila Parkour – the researcher who has spotted both the previous and this attack – says that recipients are likely to fall for the ruse and enter the credentials, since many services use Google login for authentication.
Also, the spoofed sender address seems to indicate that the sender is a close associate of the target, and the links inside the emails are customized to make it seem that the email is sent to that particular person – all things that would make the recipient believe in the authenticity of the email.
Once the victim has entered the required credentials, these are automatically sent to a server located in Houston, Texas, and the user is redirected back to their Gmail inbox.
Parkour has tested the scheme by setting up a bogus Gmail account, filling it with various emails on military and human rights topics and then entering the login credentials into the phishing activation form.
A little more than an hour later, the account was accessed by the attackers. They did not set up forwarding rules in order to receive the emails that come into the account’s inbox, but they have been visiting the account at least twice a day to check what’s come in.
Although it is impossible to tell from which precise IP address the attackers were visiting the account because they are using Tor, she points out that the attackers used Foxmail to create and send the email, and that the IP address from which the email was sent is located in Taiwan – all things that seemingly point to Chinese attackers.
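The indicators described above (a spoofed sender address, links personalised with the recipient's address, the Foxmail client string and the originating IP in the headers) are exactly what a mail-triage script can surface for a defender. The following is an added example, not code from the article or from the researcher; the message, addresses, domains and IP address are constructed placeholders, not real indicators.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the indicators in the article (spoofed
# sender, Foxmail client, link personalised with the recipient address).
# Addresses, domains and the IP are placeholders, not real indicators.
SAMPLE = """\
Received: from relay.example.invalid ([198.51.100.9]) by mx.example.invalid
Received: from [203.0.113.7] by relay.example.invalid
From: "Trusted Colleague" <colleague@partner.invalid>
Return-Path: <bounce@lure.invalid>
Reply-To: <replies@lure.invalid>
To: target@partner.invalid
X-Mailer: Foxmail
Subject: Activate your CNAS subscription
Content-Type: text/plain; charset=us-ascii

Confirm at http://activate.lure.invalid/login?user=target@partner.invalid
"""

IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")
URL_RE = re.compile(r"https?://\S+")

def domain(addr):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def origin_ip(msg):
    """Earliest hop's IP: the last Received header (each MTA prepends one)."""
    hops = msg.get_all("Received") or []
    hits = IP_RE.findall(hops[-1]) if hops else []
    return hits[0] if hits else None

def triage(raw):
    """Return header/link findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    sender = domain(msg["From"])
    recipient = parseaddr(msg["To"] or "")[1].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    links = URL_RE.findall(body)
    flags = {
        "return_path_mismatch": domain(msg["Return-Path"]) != sender,
        "reply_to_mismatch": bool(msg["Reply-To"]) and domain(msg["Reply-To"]) != sender,
        "x_mailer": msg["X-Mailer"],            # client string, e.g. Foxmail
        "origin_ip": origin_ip(msg),            # feed to geolocation/reputation
        "recipient_in_link": any(recipient in u.lower() for u in links),
        "link_domains": sorted({u.split("/")[2].lower() for u in links}),
    }
    flags["suspicious"] = (flags["return_path_mismatch"] or flags["reply_to_mismatch"]
                           or flags["recipient_in_link"])
    return flags
```

The origin IP and link domains are returned rather than judged, so they can be passed to whatever geolocation or reputation source the defender already uses.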
Even though she has notified Google about the attacks, Parkour says that they can do precious little to stop them. Once again, she urges users to change their passwords frequently and to enable the two-factor authentication feature that Google made available to its users.