The Gmail Phish: Why Publicize, and Why Now?

This Google Gmail phishing case has gotten quite a bit of attention, so I thought I’d throw in my two cents’ worth. (These are notes I collated for a segment I did for Al Jazeera earlier today. I didn’t do a particularly good job of getting these points across, and some of the stuff came in after it was done. )

Google says the attack appears to originate from Jinan, but doesn’t offer evidence to support that. I think it would be good if they did. Jinan is the capital of Shandong Province, but it’s also a military region and one of at least six where the PLA has one of its technical reconnaissance bureaus. These are responsible for, among other things, exploitation of foreign networks, which might include this kind of thing. The city is also where the Lanxiang Vocational School is based, which was linked to the December 2009 attacks on Google’s back end systems. That also targeted human rights activists. Lanxiang has denied any involvement the 2009 attacks.

I’d be very surprised if this kind of thing wasn’t going on all the time. And I’m very surprised that senior government officials from the U.S., Korea and elsewhere are supposedly using something like Gmail. There are more secure ways to communicate out there. I think it’s worth pointing out that this particular attack was first identified by Mila Parkour, a researcher, back in February. Screenshots on her blog suggest that at least three U.S. government entities were targeted.

I asked her what she thought of the release of the news now, four months later. Does this mean, I asked, that it took Google a while to figure it out?

As for any other vendor, investigations take time especially if they do not wish to alert the actors and make sure they shut down all the suspicious accounts.

And why, I asked, are they making it public now?

I think it is great they took time to unravel and find more victims and try to trace it. Looks like they exhausted all the leads and found out as much as they could to address it before going public . It has been three months and considering that hundreds of victims [are] involved, it is not too long.

This is not the first time that Google and other email accounts have been hacked in this way, and it’s probably not the last. It’s part of a much bigger battle going on. Well, two: one pits China–who are almost certainly behind it, or at least the ultimate beneficiaries of any data stolen, against regional and other rivals–and the other is Google making these things public. For Google it’s a chance to point out the kind of pressures it and other companies are under in China. Google in January 2010 said it and other companies had been under attack using tricks that exploited vulnerabilities in Google’s network to gain unauthorized access.

Google says it went public because it wants to keep its users safe. This from Myriam Boublil, Head of Communications & Public Affairs at Google Southeast Asia:

“We think users should be aware of the disturbing campaign we’ve uncovered to collect user passwords and monitor user email.  Our focus now is on protecting our users and making sure everyone knows how to stay safe online”

This  attack is not particularly sophisticated, but it involves what is called spear phishing, which does involve quite extensive social engineering techniques and reveals the object of the attacker’s interest is not random, but very, very specific. If you judge a perpetrator of a crime by their victim, you don’t have to be a rocket scientist to figure out who is the ultimate recipient of any intelligence gathered.

Driver Phishing

Maybe because it’s early in the morning, but I fell for this little scam pretty easily. I’m going to call it “driver phishing” because it has all the hallmarks of a phishing attack, although it’s probably legal.

I’m looking for the latest drivers for my Logitech webcam, so I type in Logitech QuickCam driver in Google.

An ad above the results looks promising: a website called LogitechDriversCenter.com:

image

So I click on it.

It takes me to a site with a Logitech logo, lots of shareware and PC Magazine stars, Logitech product photos and three options for getting the right driver:

image

DriverRobot, the first one, sounds promising. Maybe, I think, Logitech have consolidated all their driver downloads into one program. Good idea, given I’ve got quite a few of their products hanging around the computer. So I download and install it.

Looks OK so far. A window appears prompting you to start scanning your computer. Lots of green arrows and ticks to reassure you:

image

Once the scan is done you’re told how many drivers you need, with another green arrowed button indicating what you should do to get them (“Get drivers”):

image

(I should have been forewarned at this point. Plenty of warnings, but one key one: None of the drivers it suggested were Logitech ones. Certainly nothing to help me with my webcam.)

Click on that and you’re told you’ve got to “Register” which is “quick and easy”.

Notice there’s no other option, unless you can see the little Close Window X in the top right corner of the window:

image

Try to click on the other radio button (“Allow 11 drivers to remain out of date (not recommended). Critical updates for your computer will not be installed. Your computer may be vulnerable to crashes, performance problems, freezes and “blue screens.””) and then click Continue and the window disappears, but nothing else. It’s like those supermarkets where you can’t get out unless you buy something.

Click on the Continue button and your browser fires up with page requesting your Name and Email to register:

image

Notice all the seals, locks, starts and 100% guaranteed things going on. Reassuring, eh? Except there’s no link on the page, nothing for the casual user (or a slow-witted guy who got up too early) to click on to get more information.

So the slow-witted guy enters his name and email address, thinking that’s going to get him registered. Of course not. Instead he’s asked to shell out cash–$30—for the software:

image

Once again, no links to explain who is behind this, or what other options there may be.

As far as the casual user knows, this is either a Logitech product or one approved by them.

But it’s not. The software comes from a company called Blitware. The Complaints Board website has several complaints about the company and software:

The Driver Robot software does not work and the company tricks consumers in to believing that it is freeware. Am trying to get a refund of my purchase price now.

And worse: For some of those who do buy the software and follow its driver updates, it only makes things worse:

My computer completely crashed after using driver robot when it installed a generic mouse driver every time I touched my mouse I had a blue screen crash with a driver check sum error … It has also installed an elan touch tablet driver which is now in the toolbar. I dont have this device on my machine. This software is completely useless and will be going for a refund.

Others found they had no way of getting support:

Useless garbage–no contact info given. I attempted use and could see it doing nothing. What now, am I really out $39.90?

So who is Blitware? Its website says

Blitware (or Blitware Technology Inc., to be precise) is a small Canadian software vendor from Victoria, BC, Canada. Blitware’s mission is to take great software products to market and bend over backwards for our partners who help promote them.

(Notice how the company doesn’t say it’s a developer, and stresses the marketing, rather than the consumer, in its literature. That should probably tell you all you need to know, if you hadn’t gotten up too early.)

There is an encouraging link on the home page inviting you to click for Support (“Need support for a Blitware product? Our expert technical support staff is standing by to help you”) –

 image

– but far from take you to that helpful support staff, the link takes you to a Frequently Asked Questions page, and only at the bottom to a link for contacting technical support.

That in turn takes you to a link demanding you register at Blitware first, and then, when that is done, to a page for you to file your question.

Do that and you’re told:

We will reply to this message soon! You will receive an email when we do.

OK, so, what’s wrong with all this, and why call it phishing?

Well, phishing is the art of using social engineering tricks to lull a victim into thinking s/he is interacting with a legitimate site/product and to get him/her into coughing up passwords or cash.

Usually with banks, or emails, or accounts etc.

To me this Driver Robot is no different.

From the Google search—where a website with the word Logitech in it—everything is designed to make you think you’re dealing, if not with Logitech, then at least with a company/product that Logitech has endorsed.

The website’s title—the bit that appears in the browser’s top-most bar indicates it’s a Logitech site:

image

Even the website’s favicon—the little log before the web address—is Logitech’s:

image

To me this is no different to a scammer putting “Citibank” or “Paypal” somewhere in a web address to fool the user into thinking they’re dealing with someone kosher.

Anything the tricks the user, either into thinking they’re dealing with the real thing, or thinking they have no other option, is, in my view, a scam.

That the software doesn’t seem to work—it found no Logitech drivers or updates, and seems to crash computers—only makes matters worse.

I’m going to find out what Logitech make of their logos and name being used for dodgy purposes.

(more on Driver Phishing here.)

links for 2008-09-15

Whaling in Singapore?

Singapore appears to be the source of a virus cleverly designed to hoodwink U.S. executives by appearing to be an emailed subpoena which mentions them by name, as well as their title.

The SANS Storm Center said three days ago that

We’ve gotten a few reports that some CEOs have received what purports to be a federal subpoena via e-mail ordering their testimony in a case. It then asks them to click a link and download the case history and associated information.

One problem, it’s total bogus. It’s a “click-the-link-for-malware” typical spammer stunt. So, first and foremost, don’t click on such links. An interesting component of this scam was that it did properly identify the CEO and send it to his e-mail directly. It’s very highly targeted that way.

The report says that the server that the trojan reports back to is “hard-coded to an ISP in Singapore at this time,” from where, according to Ars Technica, it “steals copies of any security certificates installed on the system.”

(This, by the way, is calling whaling, since it is like phishing but is more targeted, and going for bigger phish, so to speak.)

The Inquirer says that the web servers delivering the emails are based in China, and, in language too loose to take seriously, “the cyber ruffians who later nefariously take control of the victims’ computers, based in Singapore.”

There’s no evidence the “cyber ruffians” are based in Singapore, as far as I can work out. The only possible connection could be the English and errors in the emails, which, John Markoff of the NYT reports, “led several researchers to believe that the attackers were not familiar with the United States court system and that the group might be based in a place that used a British variant of English, such as Hong Kong.”

That said, just because an ISP may have been compromised doesn’t mean that those involved are physically located in Singapore. Indeed, it would seem very unlikely they are; if they’re smart enough to launch an attack like this, you’d have to bet against them being anywhere near the ‘command and control’ center itself.

Still, it’s unsettling that an ISP may have been compromised. So far we don’t know much more, though I’ve put in requests for more information. (The source of the information about Singapore appears to have come from someone at Verisign, whose Asian PR address bounces. So don’t expect something anytime soon.)

Phishing For a Scapegoat

It’s somewhat scary that more than 10 employees of a laboratory that works on security issues (including phishing) could fall for a phishing attack. The Oak Ridge National Laboratory, or ORNL, managed for the U.S. Department of Energy by UT-Battelle, works on science and technology involved in energy production and national security. In late October the lab was targeted from Chinese websites, according to eWeek:

All of the phishing e-mails instructed lab employees to open an attachment for more information or to click on an embedded link. ORNL’s investigators now believe that about 11 staff fell for the come-ons and opened the attachments or clicked on the links. That was enough for the attackers to install keyloggers or other types of malware that gave attackers access to systems and the ability to extract data.

The interesting thing here is whether this was a “coordinated attack” and a “cyberattack” as has been suggested in the media. The Knoxville News Sentinel, for example, quotes lab director Thom Mason as saying, involved the thieves making “approximately 1,100 attempts to steal data with a very sophisticated strategy that involved sending staff a total of seven phishing e-mails, all of which at first glance appeared legitimate.” Meanwhile this AP article quotes Mason’s memo to employees:

The assault appeared “to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions” in the United States, lab director Thom Mason said in a memo to the 4,200 employees at the Department of Energy facility.

The key here may be that the attackers were after personal information, not military secrets. As John C. Sharp writes:

The headlines keep coming about the news that several high-profile military labs – including some of the world’s leading nuclear research labs – have been compromised by phishing scams. Unfortunately, many of these headlines are missing the point.

Example: In one story published today, PC World claims that Chinese Hackers “launched” a coordinated “major attack” on two US Military Laboratories.

This is almost certainly *not* what happened. According to most of the published data, this was a phishing attack, plain and simple.

The fact is that China’s computers are so insecure that more or less anyone could use them to do more or less anything, from relaying spam to launching phishing attacks. So it’s not proof that China, or even Chinese, were involved just because the IP addresses are Chinese.

Of course, we don’t know for sure what happened yet. But if the attack was enabled by employees clicking on an email attachment or link that originated from a Chinese server, you’ve got to question a) the security training at a place like that, and b) wonder what kind of security filters they have on their servers that would allow such emails to get through, especially given the sheer number of emails that were sent.

Sometimes “China” is a great excuse for all sorts of incompetence and inefficiency, and “sophisticated cyber attack” is just another way of saying “sorry, we haven’t got a clue about all this Internets stuff.”

Oak Ridge Speared in Phishing Attack Against National Labs

Press 4 To Give Us All Your Money

I guess it had to happen: phishers are not only trying to snag you by setting up fake banking websites, now they’re trying to snag you by setting up fake switchboards too.

Tim McElligott writes in Telephony Online that scammers “posing as a financial institution and using a VoIP phone number e-mailed people asking them to dial the number and enter the personal information needed to gain access to their finances.” Simply put, the phishers in this case aren’t directing you to a fake website where you enter your password and other data sufficient for them to empty your account; they’re directing you to an automated phone service, where you’d give the same details.

The information comes from Cloudmark (“the proven leader in messaging security solutions for service providers, enterprises and consumers”), which claims in a press release that it has seen two separate such attacks this week:

In these attacks, the target receives an email, ostensibly from their bank, telling them there is an issue with their account and to dial a number to resolve the problem. Callers are then connected over VoIP to a PBX (private branch exchange) running an IVR [an automated voice menu] system that sounds exactly like their own bank’s phone tree, directing them to specific extensions. In a VoIP phishing attack, the phone system identifies itself to the target as the financial institution and prompts them to enter account number and PIN.

As Telephony Online points out, setting up this kind of phone network is easy. “Acquiring a VoIP phone number is about as hard as acquiring an IP address or a domain name,” it quotes Adam O’Donnell, senior research scientist at Cloudmark, as saying. “Phishers figured out how to quickly and fraudulently get that information a long time ago.” An old PC with a voice modem card and with a little PBX software and you’ve got a company’s phone tree which can sound exactly like your bank, O’Donnell says.

This all makes sense. Indeed, we should have seen it coming. It’ll be interesting to see how banks cope with this. Right now their argument has been that if in doubt, a customer should phone them. That no longer is as watertight an option. They could argue that customers should not respond to any email they receive, but that’s also not always true. Banks and other financial institutions need to communicate with customers.

One solution to this is the signature: Postbank last month launched a service where all its emails to customers come with an electronic signature. The only problem with this is that most email clients don’t support the service — only Microsoft Outlook. This is a bit like giving customers a lock that only works on certain kinds of door.

Perhaps banks are just going to have to pick up the phone. If customers are now under threat from automated phone trees maybe the solution is not more technology, but less? A cost the phishers are unlikely to be able to bear would be an actual voice on the other end of the line that sounded familiar and authentic. The only question then would be for the customer to establish the authenticity of the banking assistant.