Spear Phishing Attacks from China Against Gmail Accounts

Reporters have been calling me pretty much constantly about this story, but I can’t figure out why in the world this is news. Attacks from China—old news; attacks from China against Google—old news; attacks from China against Google Gmail accounts—old news. Spear phishing attacks from China against senior government officials—old news. There’s even a WikiLeaks cable about this stuff.

When I first read the story, I decided it wasn’t worth blogging about. Why is this news?

Tags: China, e-mail, phishing, WikiLeaks

Posted on June 2, 2011 at 9:48 AM • 41 Comments

Comments

Clive Robinson • June 2, 2011 10:03 AM

@ Bruce,

“When I first read the story, I decided it wasn’t worth blogging about. Why is this news?”

The attack it’s self is not news nor is it worth bloging about.

However what is news and is worth bloging about is the “who” and they “why” of those who are trying very hard to make it news and “what” they are getting out of it.

jeff • June 2, 2011 10:03 AM

The media gets into cycles where a topic becomes “hot” and anything related to it gets reported breathlessly. It seems computer security is the current topic.

Just my 2 cents.

Oliver Holloway • June 2, 2011 10:08 AM

I wish I could upvote Clive’s answer.

Clive Robinson • June 2, 2011 10:14 AM

@ Bruce,

There is another bit of information tucked away in there that I suspect most people will have missed.

It has been sugested that terrorists and criminals might communicate via the likes of GMail accounts, not by sending EMails but by leaving drafts in the account and then the other person logs into the account and edits the draft etc.

Now if GMail are monitoring IP addressess to put up their Big Red Banner at the top of the inbox this system will also log up shared accounts simply by the nature of the long term traffic.

After all very very few people are going to log in from London one day New York the next and then London again the following day. A whole lot less are going to be doing this logging in from two different locations on a regular basis.

Also I suspect that GMail in their own defence will flag up account access from known TOR nodes.

Scott C. • June 2, 2011 10:17 AM

Wouldn’t it be great if stories like this provided the opportunity for increased government regulation and control to save us from the horror of CyberWar and CyberTerrorism?

S • June 2, 2011 10:21 AM

@ Clive: ‘However what is news and is worth bloging about is the “who” and they “why” of those who are trying very hard to make it news and “what” they are getting out of it.’

As ever, ‘Cui bono?’

The military-industrial complex have certainly been putting out lots of PR/FUD relating to cyber war, and it’s ramping up.

This will be the next big conflict; they get the big profits without the negative press of so many western corpses.

It will also be the reason behind the next big attack on our civil liberties. The internet as we’ve known it would not appear to have very long left, if certain corporations have their way. And the nebulous, non-specific threat is a good way of getting the populace on your side. See ‘terrrzm’ for details. And ‘Reds under the bed’, if you want to go back further.

S • June 2, 2011 10:23 AM

Ha, Scott. Your reply wasn’t there when I started typing mine, but we’re definitely seeing this the same way…

BF Skinner • June 2, 2011 10:31 AM

“Why is this news?”

And I can’t figure why a failed Alaskan Governor driving a bus from one undisclosed location after another is news but there you go.

Maybe it’s not about news. Maybe it’s about olds.

China still a threat right? right? right? Yeah. right?

Granny Pants • June 2, 2011 10:32 AM

Just more fodder following the RSA, Lockheed Martin and PBS hacks. At least it keeps security in the forefront of people’s minds – we just need to keep things rational…

Clive Robinson • June 2, 2011 10:37 AM

@ Scott, S,

You might want to have a schlurp across to,

http://www.ewi.info/global-cooperation-global-cyber-threats

Basicaly the East West Institute is holding it’s second Cybersecurity Conference in London. The story originated from the first day there yesterday.

Apparently there are 450 senior deligates from various organisations and governments.

@ Bruce,

I know one BT bod is there as a speaker, are you attending or are you (sensibly 😉 keeping well out of the way?

BF Skinner • June 2, 2011 10:39 AM

@Granny Pants ‘keeps security in the forefront of people’s minds – we just need to keep things rational…”

Have you WATCHED our video news reportage in the U.S.?

atanas entchev • June 2, 2011 10:50 AM

This is “news” because Google makes it so. Why? Because they are trying very hard to push their 2-step verification system. Scare tactic.

Seth R • June 2, 2011 11:33 AM

Isn’t the recent revelation of successful compromise of hundreds of important accounts news? Even if the techniques aren’t new?

JustSayin • June 2, 2011 11:37 AM

“Baidu is close to signing a strategic agreement on search- engine operations with Microsoft, Donews.com reported on May 13, citing people it didn’t identify”

http://www.bloomberg.com/news/2011-05-26/baidu-says-it-may-build-on-search-engine-pact-with-microsoft.html

NobodySpecial • June 2, 2011 11:39 AM

@BF Skinner
Of course in the UK we don’t have Faux news – we have a tradition of responsible print journalism.

Are foreign packets coming into our wires and how will they affect house prices (Daily Mail)

An email was sent somewhere in France moments before Diana’s death (Daily Express)

I always said this wireless steam telegraphy was a bad idea (Daily Telegraph)

Internet porn a threat to children says lovely Samantha 16 (The Sun)

Jay • June 2, 2011 11:52 AM

The media likes a theme. The recent cyber-security events (which were newsworthy) have created a theme. Once a theme is established, the media continue to look for new events that fit the theme.

When looking for new events that fit the theme, the media become less skeptical about what is newsworthy, and start reporting on mundane events that match the theme.

Chelloveck • June 2, 2011 1:34 PM

It’s not new, but now it has a new evocative and vaguely scary name. “Spear Phishing” — combining the edginess of the cyber-PH with the unease caused by someone waving a pointy stick. Come on, Bruce, you’ve gotta print stories like that before the novelty of the name wears off! You can’t just sit around and wait for something new to actually happen.

*&^%$#@! • June 2, 2011 2:00 PM

It is “news” because a large respected (in USA you are always respected if you are wealthy) company sends it out everywhere.

“Politically” motivated (and yes, US companies have “political” aims if it advances their own or their governments cause), as I am sure it is impossible to determine if the hackers even are geographically located in China. They could even be working for Google for all I know.

What we do not hear is that there were security holes in the gmail web application. That is how Microsoft would (unfortunately for themselves) state it, and everyone would curse them for that. Google instead brings out the evilness of the “Chinese” hackers and conveniently omits admitting that they have holes in their system.

haha.

sil • June 2, 2011 2:05 PM

It’s news because t’s part of the “U.S. Cybersecurity House of Nonsense” initiative

http://www.infiltrated.net/index.php?option=com_content&view=article&id=35&Itemid=41

S • June 2, 2011 2:07 PM

@ *&^%$#@!

Google have explicitly stated that the breach was not down to a security hole in Gmail.

Make of that what you will (of course, they don’t have to be telling the truth), but note that there are countless ways of gaining access to someone’s email without there having to be a security flaw in the email program.

hum ho • June 2, 2011 2:08 PM

@atanas entchev

Because they are trying very hard to push their 2-step verification system.

had to look that up but I can see that is why google wanted my cell phone number for my google groups account. yak.

anyway looks like their system was happy with the google HQ phone number I found on the internet for that.

jack • June 2, 2011 2:11 PM

“countless ways of gaining access to someone’s email without there having to be a security flaw in the email program.”

countless? and we are here discussing security as if it is something realistic and attainable. Does not look like it is, judging from what you are claiming.

S • June 2, 2011 2:45 PM

Countless.

Start from reading the Post-it stuck to their monitor, and see how many more you can think of from there.

S • June 2, 2011 2:47 PM

…& re. your last sentence, I’ll wait for Mr Hack to arrive & fill you in 🙂

jack • June 2, 2011 3:04 PM

@S
“Start from reading the Post-it stuck to their monitor, and see how many more you can think of from there.”

What lame s**t. I thought you can come up with something better than that.

Clive Robinson • June 2, 2011 3:47 PM

@ Jack,

“countless? and we are here discussing security as if it is something realistic and attainable.”

All security vectors have multiple ways of being exploited.

In this case the attack vector was to get a user to reveal their GMail username and password.

Spear fishing is but one way, giving out choclates on street corners in return for it has been another way that has worked.

As con artists know nearly everybody has a weakness all you have to do is find it.

That is the methods may be many and they might be fairly lame but if one person in a hundred falls for it and you send it out to a million people then you have 10,000 google usernames and passwords.

And as we know from parst experiance once you have one online password theres a reasonable chance it is the same for other online services that user has.

These are “fire and forget” attacks a bit like using a large net to go fishing, you drop the net in the water trawl along for a while and pull it up to see what you have caught. The point is you are not usualy out to catch a particular fish you are out to catch any fish that gets in the net. The probability of the former is very small whilst the latter is usually quite good.

Richard Steven Hack • June 2, 2011 4:43 PM

S: “…& re. your last sentence, I’ll wait for Mr Hack to arrive & fill you in :)”

It’s been a long night (and morning) so I’ll just let you reference me.

Actually, though, if Bruce thinks about it, the media – well, local media, anyway – posts news about every mugging (but oddly, rarely car theft) that happens. So just because it’s old or common doesn’t mean it’s not “news”.

“News” isn’t necessarily “new”, it’s just an event. They should call it “events”, not “news” because people misinterpret the word as meaning something they didn’t know already.

Of course, then one has to ask why anyone not directly affected cares about RANDOM EVENTS happening to people thousands of miles away. I generally don’t care unless I suspect it may actually have some sort of impact on me (or just for intellectual curiosity’s sake.)

“News” is for idiots. I’m more interested in “intelligence” which is useful and actionable. The “news media” should be replaced with “open source intelligence” gatherers. And maybe some “closed source” as well. The “news media” should be doing what Wikileaks does – and what the leakers who leak to Wikileaks do, namely dig up and expose all the crap the people who run this country are doing.

Like that’s gonna happen.

New meme: There’s no news (and no intelligence either.) Suck it up.

Dirk Praet • June 2, 2011 6:32 PM

Basically, the only news here is the increased attention mainstream media are paying to hacks and breaches. I don’t believe this to be an entirely bad thing as it well help a lot of security professionals to better convey their message to boards and CxO’s who until recently considered most of what we said fairytales and a waste of time and money.

What I’m not comfortable with is the frequency of both innuendo and direct accusations of the Chinese being behind these. Google, RSA, Lockheed Martin, L-3, Northrop Grumman … The list seems to be growing by the day. It doesn’t make sense for the Chinese to launch such an elaborate cyber espionage plan as there will inevitably be consequences to face if ever these can be positively traced back to them. Or if ever they have their own Bradley Manning. The only other explanation is that with OBL gone something or someone is going through great lengths to portray the Chinese as the next big threat to national security, softening the masses once again to tough new legislation for full government control over the free speech platform the internet is today.

If companies and governments want better cyber infrastructure security: start with getting the basics right and build multi-layered, resilient and redundant systems designed to better withstand attacks. Educate users and have decent contingency strategies in place. It works. Really. But I guess for some the idea of owning the entire playground is just way more appealing than making sure all toys are safe to play with.

BF Skinner • June 2, 2011 6:46 PM

@NobodySpecial ” faux news ” followed by things I have occasionally seen in the supermarket checkout line.

To which I can only say…Hah! Well played sir/or madam or other.

Tosk59 • June 2, 2011 7:08 PM

So, even if you have a personal account Google knows if/when you are a senior govt official, military, cabinet official, activist, journalist, etc. And that you either have or are receiving received phishing e-mails. How close an eye are they keeping on their customers’ activity?

Wayne Warren • June 2, 2011 7:14 PM

I think that in the long run, governments are the biggest threat to Internet security. No, I’m not paranoid.

What I mean is that the U.S. and other nations are employing thousands of people to conduct cyberwarfare. What happens when these people leave government employment with all this training, knowledge and tools? There’s bound to be a few that either through wrong-headed or just plain criminal motives will use what they’ve got.

Especially if they’re unemployed and are desperate for money.

noble_serf • June 2, 2011 7:49 PM

I don’t think it’s news. Whoever wants what is stored on “our” computers and networks will get it. Our government’s “cyber” security is nearly non existent when it comes to protection of data (although they’ve made it legal to steal “ours”) and I doubt industry is more than marginally better.

Andy • June 3, 2011 1:43 AM

This week’s spear phishing news cycle is actually in response to a new disclosure from Google, pretty well summarized by Kevin Poulsen: http://www.wired.com/threatlevel/2011/06/gmail-hack/

I’ve heard chatter in the valley that Google has significant actionable intelligence about the perpetrators of this phish, but I don’t have any personal knowledge. I would expect them to correlate browser fingerprints even if cookies are cleared, analyze other accounts linked through common browser sessions, and reverse-p0wn the attackers. They do take this kind of attack seriously and have a great security team.

Dmitry • June 3, 2011 2:30 AM

Official Google blog refers to this article as the description of the attack:
http://contagiodump.blogspot.com/2011/02/targeted-attacks-against-personal.html

The article was published on February 17, 2011, and it contains screenshots of phishing emails, which are dated as early as May 30, 2010.

So, even if we speak about this particular attack on Gmail accounts, it is at least one year old, but most likely it is much older.

Clive Robinson • June 3, 2011 2:59 AM

@ Tosk59,

“So, even if you have a personal account Google knows if/when you are a senior govt official military…. …How close an eye are they keeping on their customers’ activity”

Yup, I was wondering if somebody else would pick up on that.

But you forgot to ask the important question…

In which order do they know, before or after an attack?

That is do they automaticaly profile every user by the IP addresses and previous web page they connect from, the language etc they use and the company they keep and then associate the persons name to a real world warm body. Or do they wait untill they detect strange IP and previous web page behaviour and then associate to a warm body.

If you have a look at just how Google translates one language to another, you will realise just how easy it is for them to “know their customers” each and every one most intimately, and potentialy know such things as which way you are going to vote etc.

However as somebody else said, they are trying to get your mobile phone number to help in “account security” that may well be true but…

Has anybody else seen the “mobile phone number” take the place of the “social security number” in identifing people?

And how easy it is to get the tracking data on mobile phone numbers…

Gabriel • June 4, 2011 9:36 PM

Don’t worry. I think the media is starting to move on to lulzsec now. We’ll get to hear about them and anonymous and Sony and tupac. And now some affiliate of the FBI. With FBI highlighted in bold letters in a large font to indicate how much of a threat these rogue cyberwarriors are to our government.

Tyler Thompson • June 5, 2011 2:37 AM

@Clive Robinson

Google services are already shaky from the TOR client. I was messing with TOR the other day (for the first time) and accessing even the Google homepage is challenging from HTTPS. It prompts for a CAPTCHA-like response, but the script seems to be built to auto-deny even when the characters are typed correctly. I tested it for probably twenty minutes until I decided to move on…

Clive Robinson • June 5, 2011 5:50 AM

@ Tyler,

“Google services are already shaky from the TOR client.”

I have not tried any service with TOR in a very long time.

The reason is I’m not happy with TOR as a security technology is due to knowing that it has issues due to traffic analysis, low latency and the real topology of the Internet.

However that aside, I can see Google wanting to put a “spam throttle” on anonymous access, hence the Captchers.

But this in it’s self opens up a question, was the capatcher in response to a TOR node address or to HTTPS….

If the TOR IP address is found to be the case then it is the case that Google are activly monitoring the IP addresses of users. Which in Googles case means they are logging them away in a database presumably via other geo-organisational information they are also rumored to keep (a legacy of their WiFi location hovering activities).

It might prove usefull research to investigate further as publishing such information as a research paper could be a “name maker”.

From a more general point of view I would advise people to think of Google, GMail etc as a “post card” service not a “letter service”, that is anything and everything you send their way is effectivly public not private.

[As a side note I personaly deem it highly likley that HTTPS trafic to Google is no more secure than ordinary HTTP when it comes to the likes of US three letter agencies and I think it is as likley that the senior levels of Google are fully cognizant of that for a fairly obvious reason.]

iain • June 5, 2011 2:43 PM

@Clive Robinson

the webmail draft folder thing is old news. Hotmail was seeing that back in the mid 2000’s and they introduced checks to counter it. I’d be surprised if GMail is not alos doing those types of checks also

Tyler Thompson • June 5, 2011 5:58 PM

@Clive Robinson

I posted the image and a brief explanation here:

http://tylerthompson.info/research/tor-issues/

I tried it again today, and the issues were recurring. I will have to dig in a little deeper to see what is going on. As I note at that link, I was once watching YouTube in a TOR session when the Flash Player crashed and an error message came up in Chinese. I thought that was worth looking into, but I haven’t had a chance to.

That being said, I don’t use TOR for much more than research and the occassional spoofing of the external IP address.

Czerno • June 12, 2011 5:05 AM

@Clive, others :

Tor node IP-addresses are public, by design. Ergo for the purpose of identifying Tor users, there is no need for Google or whomever to build and administer secret lists or whatever geolocation trickery; this was so decided as to make the Tor network more acceptable, or less suspect looking in the eyes of the powers that be.

Also, it’s Tor not TOR. Please try and not scorch the name everytime ;=)

https://www.torproject.org

Schneier on Security