Gmail hackers ‘had access for months’
Shanghai, June 2, 2011
Hackers who broke into Google's Gmail system had access to some accounts for many months and could have been planning a more serious attack, said the cyber-security expert who first publicly revealed the incident.
Google said suspected Chinese hackers tried to steal the passwords of hundreds of Gmail account holders, including those of senior US government officials, Chinese activists and journalists.
"They were not sophisticated or new, but they were invasive," said Mila Parkour, who reported the cyberattack on her malware blog in February.
"Emailing phishing messages using details from read personal messages is invasive. Plus, they maintained full email access to mailboxes for a long time," the Washington-based Parkour told Reuters. She uses a pseudonym to protect her identify.
"I covered one; they (Google) took it and uncovered many more of the same kind," she said, noting the method of attack was invasive and targeted.
Parkour was initially involved in investigating one such phishing incident, referring to the practice where computer users are tricked into giving up sensitive information, and then started to gather data on other similar incidents, she said.
Google declined to comment on the details of Parkour's report, but a source with knowledge of the matter said there were similarities between the attack she analysed and the rest of the campaign. The source declined to be identified owing to the sensitivity of the issue.
The Internet company, which was also the victim of a sophisticated hacking episode last year, gave no details about the most recent attack other than to say it had uncovered a campaign to collect user passwords, the goal of which was to monitor users' emails.
The company said its Gmail infrastructure had not been compromised.
Parkour's analysis in February showed that the hackers emailed victims from a fake email address, which purported to be that of a close associate in order to gain their trust. The email contained a link or an attachment.
When the victims clicked on the link or document, they were prompted to enter their Gmail credentials on a fake Gmail login page created to collect usernames and passwords, after which the hackers had full access to their accounts.
In the case that Parkour studied, the victim was unknowingly in contact with the hackers between May 2010 and February 2011 according to email screenshots she posted. He received emails once or twice a month that allowed them to maintain updated access to his inbox.
"The victims were carefully selected and had access to sensitive information and had certain expertise in their area," Parkour said, adding that the victim in the case she studied thought he was replying to someone he knew.
The man had emails sent to him that purported to be from branches of the US government, Parkour said.
One of the emails reads: "My understanding is that the State put in placeholder econ language and am happy to have us fill in but in their rush to get a cleared version from the WH, they sent the attached to Mike."
Parkour said the Gmail attacks could be a staging ground for a more serious attack using malicious software, or malware. Many of the Gmail accounts were personal email accounts of personnel with access to sensitive information, some of whom could have forwarded their work emails to their personal Gmail accounts.
"Gathered information could help in the next attack, which could be a malware attack , after which the attackers could gain access to corporate and government networks when the victims log in from a compromised PC," she said.
Parkour said evidence of that was found in an antivirus script used by the hackers to reveal what type of software the victim had installed on his computer.
"The only reason you want to know what (version of Microsoft) Office you have and what antivirus you have is to be able to infect it in the future," said Parkour. – Reuters