The Gmail Phish: Why Publicize, and Why Now?
This Google Gmail phishing case has gotten quite a bit of attention, so I thought I’d throw in my two cents’ worth. (These are notes I collated for a segment I did for Al Jazeera earlier today. I didn’t do a particularly good job of getting these points across, and some of the stuff came in after it was done. )
Google says the attack appears to originate from Jinan, but doesn’t offer evidence to support that. I think it would be good if they did. Jinan is the capital of Shandong Province, but it’s also a military region and one of at least six where the PLA has one of its technical reconnaissance bureaus. These are responsible for, among other things, exploitation of foreign networks, which might include this kind of thing. The city is also where the Lanxiang Vocational School is based, which was linked to the December 2009 attacks on Google’s back end systems. That also targeted human rights activists. Lanxiang has denied any involvement the 2009 attacks.
I’d be very surprised if this kind of thing wasn’t going on all the time. And I’m very surprised that senior government officials from the U.S., Korea and elsewhere are supposedly using something like Gmail. There are more secure ways to communicate out there. I think it’s worth pointing out that this particular attack was first identified by Mila Parkour, a researcher, back in February. Screenshots on her blog suggest that at least three U.S. government entities were targeted.
I asked her what she thought of the release of the news now, four months later. Does this mean, I asked, that it took Google a while to figure it out?
As for any other vendor, investigations take time especially if they do not wish to alert the actors and make sure they shut down all the suspicious accounts.
And why, I asked, are they making it public now?
I think it is great they took time to unravel and find more victims and try to trace it. Looks like they exhausted all the leads and found out as much as they could to address it before going public . It has been three months and considering that hundreds of victims [are] involved, it is not too long.
This is not the first time that Google and other email accounts have been hacked in this way, and it’s probably not the last. It’s part of a much bigger battle going on. Well, two: one pits China–who are almost certainly behind it, or at least the ultimate beneficiaries of any data stolen, against regional and other rivals–and the other is Google making these things public. For Google it’s a chance to point out the kind of pressures it and other companies are under in China. Google in January 2010 said it and other companies had been under attack using tricks that exploited vulnerabilities in Google’s network to gain unauthorized access.
Google says it went public because it wants to keep its users safe. This from Myriam Boublil, Head of Communications & Public Affairs at Google Southeast Asia:
“We think users should be aware of the disturbing campaign we’ve uncovered to collect user passwords and monitor user email. Our focus now is on protecting our users and making sure everyone knows how to stay safe online”
This attack is not particularly sophisticated, but it involves what is called spear phishing, which does involve quite extensive social engineering techniques and reveals the object of the attacker’s interest is not random, but very, very specific. If you judge a perpetrator of a crime by their victim, you don’t have to be a rocket scientist to figure out who is the ultimate recipient of any intelligence gathered.