Gmail Spear Phishing Attack May Affect Hotmail, Yahoo Mail

Security researchers say that a Gmail spear phishing attack targeting high-profile users might have spread to Hotmail and Yahoo Mail services, while it remains uncertain if the attack, originating from China, was state-sponsored.

Google disclosed earlier this week that hundreds of Gmail users, including military personnel, senior U.S. government officials, Chinese political activists, South Korean officials and journalists, were targeted in a sophisticated spear phishing attack , appearing to be sourced from Jinan, China, that attempted to infiltrate their e-mail accounts and monitor communications.

The attackers were able to hijack user accounts by employing social engineering scams that enticed victims to click on links that redirected them to phony Gmail login sites. In reality, the fake login sites were created by the hackers to trick users into submitting passwords.

The Gmail spear phishing attacks follow almost two months after Google reported that attackers were exploiting a publicly-disclosed MHTML vulnerability targeting journalists and political activists using its services.

Independent security researcher Greg Walton reported that the Gmail vulnerability exploit, affecting users running Internet Explorer, was targeting journalists and political activists , propagating with a phishing message spread over Facebook.

Recently, researchers at Trend Micro found that Hotmail and Yahoo Mail fell victim to similar phishing attacks, although it’s unclear if the attacks affecting Gmail were related.

During the attack against Hotmail, users were subjected to a phishing e-mail that pretended to be from the Facebook security team. Users became infected with malware simply by opening the e-mail, without be required to click on a malicious link.

In addition, Yahoo Mail users were also targeted in an attack that attempted to swipe users’ cookies in order to access their e-mail accounts. During the attack, miscreants sent Yahoo Mail users an e-mail containing two attachments, one being a malicious document and the other a flawed cross-site scripting exploit, ultimately rendering the attack unsuccessful.

Nart Villeneuve, Trend Micro senior threat researcher, said in a blog post that the diverse series of attacks against e-mail services indicate that attackers are finding new and increasingly sophisticated ways to infiltrate users’ Web mail accounts and access their information.

’These events demonstrate that in addition to targeted attacks that encourage users to open malicious attachments, usually PDF and .DOC files, attackers are also attempting to exploit vulnerabilities in popular Web mail services in order to compromise Web mail accounts, to monitor communications and to gain information in order to stage future attacks,’ he said.

Mike Paquette, chief strategy officer at Top Layer, said that while the motivations for phishing continue to be identity and IP theft as well as political activism, the recent Gmail and other Web mail attacks indicate the growing trend of phishing becoming more complex and automated as users become savvier to perpetrators' tactics.

’Phishing attacks are becoming more targeted and are using more target-relevant context to lure the recipients into providing information,’ Paquette said. ’Phishing attacks are requiring less user intervention. In fact, today, many of these attacks are no longer directly asking users to provide sensitive information, but instead rely on tempting the user to click on a hyperlink, launching their Web browser to a malicious Web site that will remotely exploit their computer, depositing malware that will simply steal the sensitive information and extricate it.’

Next: Researchers Say Phishing Attack Origin Still Uncertain

Paquette added that high-profile organizations, such as Google, needed to be adequately prepared in the almost inevitable event of a cyber attack.

’If your organization has any electronically stored information that could be of value to someone or some other organization, then you should assume that an attempt to access it will be made through some type of cyber attack or social engineering attempt,’ he said. ’Email accounts of government officials or political figures clearly fall into this category.’

However, whether the attacks are state sponsored, or even originate from China, is yet undetermined, security experts say.

Google was quick to publicly point to China as the source of the Gmail phishing attacks , eliciting a strong reaction from Chinese officials, who deemed the search giant’s accusations ’unacceptable.’

Paquette contended that he suspected ’Google has collected a great deal of data to support its claims, and that they are not overhyping the attack.’

However, other security researchers say that Google might have been too hasty in pointing fingers.

Jayson Street, security researcher and author of the book ’Dissecting The Hack,’ said that a phishing attack sourced from China didn’t necessarily imply that it was state sponsored.

’It’s easier to say ’we were attacked by a nation state’ than to say ’attackers got into our systems with a vulnerability we weren’t aware of,’’’ he said. ’It’s convenient. No one’s taking the time to look at the issue.’

Marcus Carey, researcher at security firm Rapid7 and former NSA employee, said there was a strong chance that the attacks were attributed to Chinese hackers, spread by civilians running pirated software or outdated operating systems. Carey pointed out that a vast majority -- an estimated 80 percent -- of computer users in China were running pirated software.

’That means they don’t get patched,’ Carey said. ’They’re rampant with viruses. People don’t care what computer they use for a botnet. When you’re running bootleg software, that’s what the malware is going to do.’

Street said that another possible scenario was that the attack was launched from the U.S., or anywhere else, by hackers using a rented Chinese botnet.

’One scenario is just as likely as another scenario,’ he said. ’If all we do is blame China, we’re not going to find out who the real attacker are. We want to find the attackers, not just create a scapegoat. It’s not the easiest thing to do, but it’s the right thing to do.’