New details about the cyberthefts at Google last December seem to prove one thing: even the best of us can fall for routine hacker tactics.
As The New York Times reported yesterday, the initial attack was pretty run-of-the-mill by common security standards.
The theft began with an instant message sent to a Google employee in China who was using Microsoft’s Messenger program, according to the person with knowledge of the internal inquiry, who spoke on the condition that he not be identified.
By clicking on a link and connecting to a “poisoned” Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google’s headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team.
What the Times describes seems to be either a phishing or spoofing attack, whereby a hacker sends a mark a malicious link to a poisoned Web site that either downloads malware onto the mark's computer (spoofing) or attempts to harvest user names and passwords (phishing). (You can find an explanation of the difference between the two attack styles here from Microsoft's Terry Zwick. You can also find his breakdown of the Google attack here.)
Countering these types of scams is pretty simple: don't click on links in e-mails or instant messages that do not come from trusted sources.
(Last June, YouTube warned of spoofed e-mails phishing for user names and passwords.)
But as The Washington Post reports today, that's easier said than done, it seems.
The hackers relied on similar ruses—phishing or spoofing attacks, or both—to dupe high-level administrators and executives from at least 30 more companies into compromising their computers, which then allowed the hackers to access company networks.
George Kurtz, worldwide chief technology officer for McAfee, told the Post that "hackers are mounting ever more sophisticated and effective attacks that often begin with a ruse familiar to many computer users -- a seemingly innocuous link or attachment that admits malicious software."
And while the initial attack was fairly routine, that doesn't mean the operation wasn't sophisticated. "The attacker really did their homework finding out first who to attack, who the key people were in the organisation and how to attack them," Mikko Hypponen of security firm F-Secure told BBC News.
"What can we learn from this?" Martin of Ghacks.net asks rhetorically.
"At least some Google employees fall for phishing and other attacks just as easily as the average Internet user," he answers.
And that's far from a comforting answer for most Web users.