Google Cyberattack Used Run-of-the-Mill Attack Method

By Matthew Harwood

New details about the cyberthefts at Google last December seem to prove one thing: even the best of us can fall for routine hacker tactics.

As The New York Times reported yesterday, the initial attack was pretty run-of-the-mill by common security standards.

The theft began with an instant message sent to a Google employee in China who was using Microsoft’s Messenger program, according to the person with knowledge of the internal inquiry, who spoke on the condition that he not be identified.

By clicking on a link and connecting to a “poisoned” Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google’s headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team.

What the Times describes seems to be either a phishing or a spoofing attack: the hacker sends the mark a link to a poisoned Web site that either silently installs malware on the mark's computer (spoofing, in the sense used here; most practitioners would call it a drive-by download) or mimics a legitimate login page to harvest user names and passwords (phishing). (You can find an explanation of the difference between the two attack styles here from Microsoft's Terry Zwick. You can also find his breakdown of the Google attack here.)

Countering these types of scams sounds simple: don't click on links in e-mails or instant messages that do not come from trusted sources. The catch is that the rule relies on the recipient telling a genuine message from a crafted one, which is exactly what a well-targeted lure is built to defeat.
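The advice above leaves the hard part, recognising a lure, to the reader. As an added example (my own code, not from the article, the Times, or Google), here is what such a check has to look at when it is done by a machine rather than a person: the visible link text against the real destination, hosts that merely contain a trusted brand name, raw IP or punycode hosts, and the userinfo trick that hides the real host behind a familiar one. The allowlist, the helper names and every sample link are constructed for the demonstration.

```python
# Added example, not from the article: the checks a "trust the source" rule quietly
# delegates to the reader. Given the visible link text and the real href, report the
# traits that turn a routine link into a lure. Allowlist and sample links are constructed.
import re
from urllib.parse import urlsplit

# Hypothetical allowlist of registrable domains the recipient would trust.
TRUSTED_DOMAINS = ("google.com", "youtube.com")

# Something that looks like a domain name inside the visible link text.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")


def registrable_domain(host: str) -> str:
    """Last two labels of a host, e.g. mail.google.com -> google.com.
    Deliberately naive (no public-suffix list); enough for the demonstration."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lure_signals(display_text: str, href: str) -> list[str]:
    """Return the lure traits found in a link; an empty list means nothing stood out."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()   # hostname already drops any user@ prefix
    reg = registrable_domain(host)
    signals: list[str] = []

    if parts.scheme not in ("http", "https"):
        signals.append("non-web scheme")
    if "@" in parts.netloc:
        # http://google.com@evil.example/ : browsers ignore everything before the @
        signals.append("userinfo in URL")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        signals.append("raw IP host")
    if host.startswith("xn--") or ".xn--" in host:
        # IDN label encoded as punycode; a classic home for homoglyph lookalikes
        signals.append("punycode host")

    # The text the user reads names one domain, the href goes somewhere else.
    m = _DOMAIN_IN_TEXT.search(display_text.lower())
    if m and registrable_domain(m.group(1)) != reg:
        signals.append("display text names a different domain")

    # A trusted brand appears as a label, but the registrable domain is someone else's
    # (mail.google.com.login-check.example is owned by login-check.example).
    if reg not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in host.split("."):
                signals.append(f"looks like {trusted} but is {reg}")
                break
    return signals


if __name__ == "__main__":
    # Constructed sample links, as an IM or e-mail client would see them.
    samples = [
        ("https://mail.google.com/", "https://mail.google.com/"),
        ("https://mail.google.com/", "http://mail.google.com.login-check.example/"),
        ("Google", "http://google.com@evil.example/"),
        ("Google Docs", "http://203.0.113.5/docs"),
        ("click here", "http://xn--ggle-0nda.com/"),   # constructed punycode label
    ]
    for text, href in samples:
        print(f"{text!r:30} -> {href!r:50} {lure_signals(text, href) or 'ok'}")
```

The checks are deliberately coarse: a real client would consult a public-suffix list instead of taking the last two labels, and would decode punycode to compare the Unicode label against the brand. The point is which features matter, and that none of them is visible in the message the recipient is asked to judge.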

(Last June, YouTube warned of spoofed e-mails phishing for user names and passwords.)

But as The Washington Post reports today, that's easier said than done.

The hackers relied on similar ruses—phishing or spoofing attacks or both— to dupe high-level administrators and executives from at least 30 more companies to compromise their computers, which then allowed the hackers to access company networks.

George Kurtz, worldwide chief technology officer for McAfee, told the Post that "hackers are mounting ever more sophisticated and effective attacks that often begin with a ruse familiar to many computer users -- a seemingly innocuous link or attachment that admits malicious software."

And while the initial attack was fairly routine, that doesn't mean the operation wasn't sophisticated. "The attacker really did their homework finding out first who to attack, who the key people were in the organisation and how to attack them," Mikko Hypponen of security firm F-Secure told BBC News.

"What can we learn from this," Martin asks rhetorically.

"At least some Google employees fall for phishing and other attacks just as easily as the average Internet user," he answers.

And that's far from a comforting answer for most Web users.

♦ Computer Security by °Florian/Flickr


Extended Validation SSL

It's unfortunate that Gmail is having these issues, but their reluctance to address security problems has led to some serious gaps...the issues in China that you bring up, for example, could easily be aided by implementing extended validation SSL (the green URL bar) or some kind of multiple-factor authentication...though neither is the standard for free web-based email services, they may need to be very soon. Hopefully, however, most people know not to type their password into an email, but working for VeriSign I've seen my fair share of situations, so I always err on the side of caution.


See all the latest links and resources that supplement the current issue of Security Management magazine.