“We’ve gotten reports about some users being signed out of their accounts unexpectedly. We’re investigating, but not to worry: there is no indication that this is connected to any phishing or account security threats.” (Google product manager, Crystal Cee)
Well, what do you expect them to say? Let me translate the above comment.
We have no idea what’s going on. However, we don’t want you to panic. That’s not good for our brand image. Since we really don’t know what’s going on, we, of course, can’t rule out the fact that this might be related to some kind of hacking attempt.
The reason everyone is so paranoid about this is because of a successful phishing scam launched against Gmail users in January. It is probably still making the rounds.
If you have not heard about this fake login page scam, here is, briefly, how it works. First of all, you get an email from one of your Gmail contacts. The email may even have a similar subject line, message, and attachment that you have previously seen from this contact. However, the attachment, often appearing as a PDF image file, is not what it seems. If you click on it, it will take you to a fake, but exact copy of, a Google account login page.
If you don’t look carefully at the URL, you may just assume you have to log in to access the attachment. Unfortunately, if you do this, you compromise your account. It is now in the hands of the hacker, and now all of your contacts can be attacked in a similar manner. The URL will read.
In other words, if you look only at the “https://accounts.google.com” section, you may think all is well and enter your data. Almost as soon as you enter your login information, the attacker enters your account, which probably means that this is an automated process. In fact, the bots involved seem to be programmed to look for any email you sent with an attachment and send copies of this to all of your contacts but with the phishing attachment. They can also sort through all of your sent/received email and harvest it for information that they could use in any number of ways. No information on the extent of the damage done by this scam has been forthcoming.
In a previous post, I showed how Russian hackers could have used a fake Gmail login page to fool members of the DNC. The phishing email, like the one sent to John Podesta, looked like this.
The “Change Password” link led to a fake Gmail sign-in page like the one above. I’m not much of a coder, but I was able to create a clearly fake sign-in page (shown below) which then leads to a password page for the person I signed in as. Sorry, John Smith.
If I then used some techniques to spoof the URL address, the attack would have a chance of success. In the actual attack, if you hovered the cursor over the “Change Password” box in the phishing email, you would see that a bit.ly URL was used to hide the destination. That destination is a URI (yes, URI not URL) data link that disguises the true URL.
On February 24th, Google claimed that they had inhibited this type of attack by having a security message appear in the address bar anytime a data URI link is targeted. It is, then, up to the user to determine if they continue to the site or not.
With widespread media coverage of the above scam, it was no surprise, then, that, recently, when people were suddenly locked out of their Google accounts and told to sign in again, they were understandably nervous, despite the attempt at reassurance given by Google which I quoted at the beginning of this post. Although no detailed explanation of the problem was given, Google apologized to users who had to do factory resets on their Google Wi-Fi and OnHub devices, something guaranteed to irk users. There was no apology to users who were locked out of their accounts, however.
And just when Google thought things could not get any worse, they did. NeoSmart Technologies discovered a new hack making use of Google’s Chrome browser. This one scrambles the text on a visited page into symbols and gives the user the following message.
However, clicking the “Update” button will eventually download a file that will not be recognized as malicious by most antivirus programs. It is not clear what running the malware will do, but one user claimed all of his files disappeared. This could be ransomware or simply someone stealing information. The Malware Traffic Analysis website agrees with my ransomware assessment and has also found the malware associated with DDoS botnets, more specifically, the Madness Botnet, which researchers have called, “the most dangerous or advanced botnet out there”. Interestingly enough, you can buy it online. Since it is also offered on a Russian site, there is a better than average chance that’s where it originates.
The Chrome font malware has also been reported on Internet Explorer browsers. For a comprehensive study of the complexities of this malware, see this website.
Yes, it’s been a tough two months for Google and the recent attacks on its products could be the reason why they expanded and raised the amounts offered in their bug bounty program. This may or may not yield benefits. It didn’t stop the Gooligan malware attack which has compromised over a million Android devices and continues to do so at a rate of 13,000 a day through compromised apps from Google Play. That’s right. Another attack on Google products. But this one has a solution. If you’ve recently downloaded any apps from Google Play, go to this website and see if you’ve been infected. Happy Googling.
Secure Your Workplace Network 