Last week, for the second time since June, Google warned his Gmail users of possible state-sponsored attacks. According to Mike Wiacek, a manager on Google’s information security team, Google started to alert users to state-sponsored attacks three months ago. Meanwhile the security team has gathered new intelligence about attack methods and the groups deploying them, and that information was used to warn “tens of thousands of new users”, possible targets of the attack.
Apparently this increase in state-sponsored activity comes from the Middle East, although no particular countries have been explicitly quoted.
This is not the first time that Gmail is the target of alleged state-sponsored attacks, unfortunately the secrets hidden inside the mailboxes have proven to be a too tempting target for states without scruples.
June 5, 2012: Eric Grosse, Google VP Security Engineering issues a Security warnings for suspected state-sponsored attacks.The warning seems more a preventive measure than the result of a true campaign.
September 8, 2011: As consequence of the infamous Diginotar Breach by the so-called Comodo Hacker, Google advises its users in Iran to change their Gmail passwords, and check that their Google accounts have not been compromised. Several Iranian users who may have been hit by a man-in-the-middle attack are contacted directly.
June 1, 2011: In an unusual blog post, Google declares to have discovered and alerted hundreds of people victims of a targeted “phishing” scam originating from Jinan, the capital of Shandong province. Hackers aimed to get complete control of the personal Gmail accounts of hundreds of users including, among others, senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists. Google does not rule out the possibility of the attack being state-sponsored, although China firmly denies Gmail hacking accusations.
January 13, 2010: In a blog post, Google discloses the details of the infamous Operation Aurora. A highly sophisticated and targeted attack on its corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. At least twenty other large companies from a wide range of businesses have been targeted, but the primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists (only two Gmail accounts appear to have been accessed with limited damage). As part of the investigation (but independent of the attack on Google), it turns out that the accounts of dozens of U.S.-, China- and Europe-based Gmail users, advocates of human rights in China, appear to have been routinely accessed via phishing scams or malware placed on the users’ computers.
State-Sponsored attacks or not, setting a complex password and enabling 2-step verification are two effective countermeasures to mitigate the risk.
An Advanced Anti-Malware solution can be really effecive as well, such as Lastline. It is not a coincidence that Wepawet, based on our technology, was the first to detect the Internet Explorer “Aurora” Memory Corruption exploit behind the state-sponsored Operation Aurora.
In the last few days I have received a couple of advises regarding the fact that some URL filter engines flagged several pages of my blog as malicious. One page in particular appears to have been inserted inside the category of Malicious sites.
Unfortunately so far I have not been able to identify the URL Filter technology that has categorized that page as malicious and. Of course, I would greatly appreciate if someone who encountered the same problem could be so kind to provide me some additional details. In any case I believe that the semantics of the site (probably full of long links and terms as “malware”, “hacking”, and so on) has tricked the content filter engine (why apparently just that specific page has been affected, is something I cannot explain right now).
In any case I want to give you a couple of useful suggestions to handle similar occurrences and to make reasonably sure that a web page does not hide web based exploits.
If you have similar doubts for unknown binaries, you can analogously submit them to Anubis (Analyzing Unknown Binaries), a cloud-based service with a sandbox for analyzing malware, which provides a complete and detailed report about malware activity (it executes the binary on-the-fly hence does not need a-priori knowledge). Anubis may also check if a certain URL is the vector for a possible drive-by download or similar attack, by showing the Activity of the page inside Internet Explorer.
Android APKs may be also submitted to its variant Andrubis, which runs them inside an Android sandbox providing a detailed report (the icon is really pretty cool isn’t it?).
All the above services are free for internal use and have been brought to the next level by Lastline, Inc., my current company, which has developed a commercial version of the same technologies in its advanced malware detection and mitigation solution.
Of course I checked the incriminated page of my blog with Wepawet, and I did not find any web-based exploit… At least so far… Meanwhile, if you encounter the same issue on one of my blog pages, I would greatly appreciate if you could notify me.