Earlier this week Google disclosed that its Gmail email system had been compromised via a spear phishing attack. Login details of Chinese political activists and several senior US and South Korean government officials, including top military personnel and journalists, were stolen.
Spear phishing is a highly targeted version of a phishing email with an official-looking message sent to a single person or very small group of people with the intention of getting them to reveal password and other sensitive login information.
Google claimed that the attacks originated in Jinan, the capital of Shandong province in China. It stopped short of directly naming those responsible, however.
"The goal of this effort seems to have been to monitor the contents of these users’ emails, with the perpetrators apparently using stolen passwords to change peoples’ forwarding and delegation settings," the search giant said on its blog.
"Google detected and has disrupted this campaign to take users’ passwords and monitor their emails. We have notified victims and secured their accounts. In addition, we have notified relevant government authorities," the post continued.
Given that senior US government officials were targeted it’s no surprise to see US Secretary of State Hillary Clinton comment on the matter: "These allegations are very serious," she told reporters. "We take them seriously. We are looking into them," before adding that the FBI will be conducting an investigation into the incident.
David McLeman, managing director of Google Apps partner Ancoris, praised Google’s security measures and the speed of their response. "This breach has not come about through any vulnerabilities in Google’s security systems," he told CBR. "The most interesting thing about this attack, however, is that Google was aware of it very early on, which meant the number of users affected was limited."
"Google has excellent intrusion detection systems that monitor and flag any unusual behaviour in its Gmail accounts. For example if a UK Gmail user had responded to the recent phishing e-mail and then their account was accessed from a Chinese IP address, Google will automatically alert this unusual activity to the account user," McLeman added.
The use of spear phishing was significant, according to Jelle Niemantsverdriet from Verizon Business. "Recent spear phishing attacks have demonstrated just how much the intellectual property of businesses and the privacy of individuals are at risk," he said.
"From our findings in the 2011 Verizon Data Breach Investigations Report, last year saw the total number of records comprised fall to an all-time low, from 144 million in 2009 to four million in 2010," Niemantsverdriet added. "This is because hackers are using techniques such as spear phishing to target a smaller number of email accounts, with accounts belonging to top level executives often containing the most valuable data."
Turning his attention to the reporting of the attack Jon Geater, director of technical strategy at Thales e-Security, praised the coverage.
"Widespread reporting of this issue has been refreshingly plain and understanding," he wrote. "I fully expected to see tales of cyber war, Google-bashing and condemnation of Cloud Security arising from this but instead it seems people (by which I mean mainstream media) are starting to get the idea about things like Spear Phishing, and understand this attack for what it was."
"Insidious, yes. Worrying, certainly. Important too but the point is this specific attack is not where the damage is being done: that comes later when the information harvested is exploited," he added. That people are beginning to understand these subtleties of online security is truly a good thing. Now all we need to do is fix the systems that make these attacks so easy on all but the most wary of prey. So that’s just DNS, HTTP, web browsers, HTML email…"
So what does this really mean for businesses? Google has been pushing its cloud-based Apps suite as a viable alternative to Microsoft in the enterprise. Do incidents like this mean that it simply isn’t secure enough for businesses to use?
"Google added two-factor authentication for corporate users of Google Apps for Business in 2010 and has now released this for all Gmail users. This enhanced verification requires two independent factors for authentication, much like you might see on your banking website: your password, plus a code obtained using a smartphone app or via a one-time text sent to a registered mobile. This protects Gmail accounts from exposure even if the user did inadvertently disclose their login credentials," said McLeman.
"Security is an area Google invests a lot of research into, particularly focusing on building access controls into its applications from the start. The incident has highlighted the level and success of Google’s security procedures and their understanding of online applications," he added.
The problem isn’t specific to Gmail, according to Chester Wisniewski from security firm Sophos. "It is a widespread security weakness in many cloud services," he wrote. "Google sharing information with the public about how these attacks are executed helps all of us learn from these situations and build better systems. How should we respond to this news? We should take a moment to remind our users about best practices when using web-enabled technologies."
"If you are ever presented with a login screen in your browser and you didn’t type in the address of the site you are trying to visit, close the window. Only enter your password into pages where you entered in the URL," Wisniewski added.
Sophos offers additional tips for securing your Gmail account, including setting up two-step verification, checking to see if your messages are being forwarded without your permission and choosing a unique, hard to crack password.