Google said Wednesday that personal Gmail accounts of several hundred people, including senior U.S. government officials, military personnel and political activists, had been exposed. Google traced the origin of the attacks to Jinan, China, the home city of a military vocational school whose computers were linked to a more sophisticated assault on Google’s systems 17 months ago. The two attacks are not believed to be linked.
The security blog contagio first reported on this problem on February 17, 2011. The contagio post, by Mila Parkour, reported that government officials were being targeted with spear-phishing attacks. The spear-phishing emails were carefully crafted to appear as real email from government agencies. The messaging in the fake emails was carefully crafted to appear genuine. The emails had attachments or links which, when opened, tricked the recipient into disclosing their gmail credentials. The contagio post shows several examples of these spear-phishing emails. contagio reported that after obtaining the credentials,
they [the hackers] login to the victims gmail account and may do the following:
- Create rules to forward all incoming mail to another account. The third party account ID is made to closely resemble the victims ID
- Read mail and gather information about the closest associates and family/friends, especially about frequent correspondents.
- Use the harvested information for making future mailings more plausible. Some messages are empty while others may have references to family members and friends (e.g. mention names of spouses or refer to recent meetings) and plausible enough to generate responses or conversations from victims. We are not posting those examples due to personal nature.
- Send such emails on monthly or biweekly basis . The messages are different like you see below but all have have the same link and designed for updating the victim credential information they already have.
In response to schemes such as this, Iconix has released SP Guard.
SP Guard modifies the email client’s display to provide a visual indicator of the identity of the sender of email. This is an example from Outlook, the popular business email client, in which a company called “MyCo” is marking their internal messages as well as those from trusted partners such as their law firm. Note especially the last message, though seemingly benign, is a spear-phishing message and is not marked as authentic:
SP Guard provides the email recipient with three easy to recognize confirmations that a message is really an internal email or from a trusted counterpart:
- List View. There is an integrity indicator in the list view of the email client.
- Message. The open message has a further indicator of authenticity.
- Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.
SP Guard is available now from Iconix.
To learn more, visit us at http://www.iconix.com/business/spearphishing.php.