Gmail security and recent phishing activity

Tuesday, November 25, 2008 1:22 PM



We've seen some speculation recently about a purported security vulnerability in Gmail and the theft of several website owners' domains by unauthorized third parties. At Google we're committed to providing secure products, and we mounted an immediate investigation. Our results indicate no evidence of a Gmail vulnerability.

With help from affected users, we determined that the cause was a phishing scheme, a common method used by malicious actors to trick people into sharing their sensitive information. Attackers sent customized e-mails encouraging web domain owners to visit fraudulent websites such as "google-hosts.com" that they set up purely to harvest usernames and passwords. These fake sites had no affiliation with Google, and the ones we've seen are now offline. Once the attackers had a user's credentials, they were free to modify the affected account as they pleased. In this case, the attacker set up mail filters specifically designed to forward messages from web domain providers to an address the attacker controlled.
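
The filter trick described above leaves a trace in the account's filter list. Below is an added example, not code from the original post or from Google, that audits an exported Gmail filter feed for filters which forward mail to an outside address and also hide the forwarded copies (archive, trash or mark-as-read), and flags those whose sender condition names a registrar or Google. It assumes the Atom `apps:property` names Gmail uses in its filter export (from, forwardTo, shouldArchive, shouldTrash, shouldMarkAsRead); the feed, the attacker address and the list of sensitive senders are constructed for the example.

```python
"""Audit an exported Gmail filter feed for filters that silently divert mail.

Added example, not part of the original post. Assumes the Atom/apps property
names used by Gmail's filter export (from, forwardTo, shouldArchive,
shouldTrash, shouldMarkAsRead). SAMPLE_FEED and SENSITIVE_SENDERS are
constructed for illustration.
"""
import xml.etree.ElementTree as ET

NS = {
    "atom": "http://www.w3.org/2005/Atom",
    "apps": "http://schemas.google.com/apps/2006",
}

# Senders an attacker after a domain would want to intercept (assumed list; edit to taste).
SENSITIVE_SENDERS = ("godaddy.com", "networksolutions.com", "enom.com", "google.com")

# Constructed sample feed: one harmless newsletter filter, one attacker-style filter.
SAMPLE_FEED = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.net'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='from' value='godaddy.com'/>
    <apps:property name='forwardTo' value='drop@attacker.example'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
</feed>
"""

HIDING_ACTIONS = ("shouldArchive", "shouldTrash", "shouldMarkAsRead")


def parse_filters(xml_text):
    """Return one {property name: value} dict per filter entry in the feed."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.findall("atom:entry", NS):
        props = {p.get("name"): p.get("value") for p in entry.findall("apps:property", NS)}
        filters.append(props)
    return filters


def suspicious(props):
    """Return the reasons a filter looks like post-compromise mail diversion ([] if clean)."""
    reasons = []
    forward_to = props.get("forwardTo")
    if not forward_to:
        return reasons  # only forwarding filters matter for this attack
    reasons.append(f"forwards to {forward_to}")
    hides = [k for k in HIDING_ACTIONS if props.get(k) == "true"]
    if hides:
        reasons.append("hides forwarded mail: " + ", ".join(hides))
    sender = (props.get("from") or "").lower()
    if any(domain in sender for domain in SENSITIVE_SENDERS):
        reasons.append(f"targets sensitive sender '{sender}'")
    return reasons


def audit(xml_text):
    """Return [(filter index, reasons)] for every suspicious filter in the feed."""
    findings = []
    for index, props in enumerate(parse_filters(xml_text)):
        reasons = suspicious(props)
        if reasons:
            findings.append((index, reasons))
    return findings


if __name__ == "__main__":
    for index, reasons in audit(SAMPLE_FEED):
        print(f"filter #{index}: " + "; ".join(reasons))
```

Run it against your own export (Gmail settings, Filters, Export) instead of SAMPLE_FEED; a forwarding filter you did not create, especially one that also archives or trashes the message, is the signature this post describes.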

Several news stories referenced a domain theft from December 2007 that was incorrectly linked to a Gmail CSRF vulnerability. We did have a Gmail CSRF bug reported to us in September 2007 that we fixed worldwide within 24 hours of private disclosure of the bug details. Neither this bug nor any other Gmail bug was involved in the December 2007 domain theft.

We recognize how many people depend on Gmail, and we strive to make it as secure as possible. At this time, we'd like to thank the wider security community for working with us to achieve this goal. We're always looking at new ways to enhance Gmail security. For example, we recently gave users the option to always run their entire session using https.

To keep your Google account secure online, we recommend you only ever enter your Gmail sign-in credentials at web addresses starting with https://www.google.com/accounts, and never click through any warnings your browser raises about certificates. For more information on how to stay safe from phishing attacks, see our blog post here.
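
The recommendation above is really a rule about scheme, host and path, and the tricks phishers use (a real-looking hostname placed before an @, a look-alike subdomain, a plain http page) are aimed at people who read the address bar as a string. The following added example, not code from the original post or from Google, checks a URL on its parsed components instead: the scheme must be https, the hostname must be exactly www.google.com, and the normalised path must be /accounts or below it. The sample URLs are constructed; google-hosts.com is the domain named in the post.

```python
"""Check a sign-in URL against the prefix the post recommends, using parsed
URL components rather than a string prefix.

Added example, not part of the original post. The host and path constants are
the post's 2008 recommendation; the sample URLs are constructed.
"""
import posixpath
from urllib.parse import urlsplit

SIGNIN_HOST = "www.google.com"
SIGNIN_PATH = "/accounts"


def is_google_signin_url(url: str) -> bool:
    parts = urlsplit(url)
    # Plain http means the credentials travel in the clear and the page could be swapped.
    if parts.scheme.lower() != "https":
        return False
    # .hostname drops userinfo and the port and lower-cases the host, so
    # "https://www.google.com@google-hosts.com/" yields "google-hosts.com".
    # Exact comparison also rejects "www.google.com.<anything>" and look-alike hosts.
    if parts.hostname != SIGNIN_HOST:
        return False
    # Collapse "/accounts/../x" before testing the path prefix.
    path = posixpath.normpath(parts.path or "/")
    return path == SIGNIN_PATH or path.startswith(SIGNIN_PATH + "/")


# Constructed samples: (url, expected verdict)
SAMPLES = [
    ("https://www.google.com/accounts/ServiceLogin?service=mail", True),
    ("https://WWW.Google.com:443/accounts", True),
    ("http://www.google.com/accounts/ServiceLogin", False),
    ("https://www.google.com.google-hosts.com/accounts/ServiceLogin", False),
    ("https://www.google.com@google-hosts.com/accounts/ServiceLogin", False),
    ("https://www.google.com/accounts/../mail", False),
    ("https://www.google.com/accountsx", False),
]


def check_samples():
    """Map each sample URL to the verdict the checker gives it."""
    return {url: is_google_signin_url(url) for url, _ in SAMPLES}


if __name__ == "__main__":
    for url, expected in SAMPLES:
        verdict = is_google_signin_url(url)
        print("ok  " if verdict == expected else "FAIL", url)
```

The userinfo case is the one worth remembering: everything before the @ is ignored by the browser, so an address that begins with the genuine host can still land on a phishing page.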

26 comments:

Robert said...

Thank you for the information.

Boundlessdreamz said...

Thank God! I was getting worried. But how exactly was it determined that all the users were phishing victims? Also, were the makeuseof.com admins contacted? Were they also victims of phishing attacks?

sb said...

Better that way; a lot of us are staying calm!

California Jurist Michael Ehline said...

Wow. I am so stoked that Matt Cutts puts this info out there on Twitter and FriendFeed. Until him, I thought Google was a bunch of jerks who hated webmasters. Keep the tweets a-comin', Matt.

Lakshman Prasad said...

You could use this post to ask users to "Use Chrome rather than IE, for better security". A marketing opportunity missed. ;)

Robert said...

@Lakshman Prasad: You are assuming that Chrome IS more secure? :P

Wayne said...

Really, Chrome is secure? Maybe more than Firefox... but then again, my toaster is more secure than Firefox.

Chego said...

Aibek, the guy behind MakeUseOf.com, pointed 5 fingers at Google!!! And now that's a perfect reply. Thanks!

Clément said...

Some websites suggest looking for contacts already using the service by entering our Gmail address and password. How can we be sure they won't store our login information?

Abhijeet Mukherjee said...

I am happy to know that Gmail is secure. However, there are 2 things which we need to consider:

1. It's highly unlikely that tech savvy people who are the authors of reputed tech blogs like MakeUseOf will fall prey to a phishing email.

2. If, according to the Gmail team, the hacker got access to the victims' Gmail accounts, then why did he just create a filter and leave it? Why didn't he change the passwords and try to get more information out of the account? Even if his intention might have been just to capture the domain, I don't think a hacker would just leave a Gmail account with vital information after creating a filter. So maybe he didn't get access to it. Maybe he just ran a script and created a filter.

There could be other things. I love Google and Gmail but for some reason I am finding it hard to blindly trust you guys on this matter. I just hope that this thing doesn't happen again to anyone.

Brian said...

I have seen this happen to several people. The issue is not phishing.

In all cases, filters were injected into their Gmail accounts via other sites while they were logged into, but not at, Gmail or other Google sites. Their Gmail password was not compromised.

Filters are set up to silently forward emails to an outside account, often in Vietnam.

The most common case involves finding a Gmail address associated with a domain registered through GoDaddy. From GoDaddy's site, they can initiate a domain transfer to another GoDaddy account that they have set up. The confirmation emails with an easy, one-click, "secure" link that GoDaddy sends to the Gmail address they have on file are then silently moved (by the filters) to the attacker's outside email.

With the email, they can click the link and take ownership of the domain. They then transfer it to an external registrar.

Good luck dealing with ICANN if this happens to you.

They often try to ransom the domain back to you. If this happens, you can get the FBI involved.

Richard M. said...

Hey Chris, I contacted Aibek over at MakeUseOf and he said no one from Google has contacted him. I'm curious who the Gmail team spoke with, since his site was one of the bigger ones referencing the old exploit?

Gregor said...

Any chance that Gmail Notifier will also honour the "Always use https" setting for polling and upon a double-click?

Bernd Paysan said...

All freemailers I know have a much bigger vulnerability: there's only one password, used for both administrative and usage tasks. This is a deadly sin. If you work on an untrusted PC or in an open environment (Internet cafe), your password is at risk. With the administrative capabilities, the account thief can then change the password, secret question, and secondary e-mail. Then it becomes quite difficult to get your account back (a friend of mine has already lost two accounts that way - and apparently in Vietnam, the support query to Google doesn't work - Vietnam seems to be the center of Google Mail attacks ;-).

It would be very helpful for such environments if there were a mere-use login password, which would not allow any harmful changes (that includes deleting e-mails). Only normal communication should be possible.

I don't consider freemailers with the current authentication architecture "secure", unless you use a controlled PC (your own, free of trojans and without people looking over your shoulder) to access them. Wrong thinking: Especially freemailers are used in untrusted environments.

Håkan said...

I do not know if the problem I encountered today with my Gmail account has anything to do with this problem, but someone managed to use my Gmail address and Gmail address book to post a spam email to all the people in my address book, using my Gmail address as the sender.

Long Islander said...

I have been the victim of a few types of attacks. In one, I received an email telling me about a job, and so I opened the email and visited the site to see if they were legit. Once I visited the site, there was malicious code that automatically hacked my email account and sent an email to all of my contacts, telling them the same thing, that they have a job and to see if they are interested... how can this happen??

Michael said...

I don't care what they say, there is something wrong with Gmail right now! I only access my Gmail through MY Mac and iPhone. I never use a web browser because it is all set up through Apple Mail. The other day I accidentally clicked on the sent mail from the server and noticed all these emails sent from my address. There is nothing being sent from my Mac, just from a web browser, so I changed my password and security question from a random letter/number combination to another new one. Well, guess what: in the two days since I did that it has sent out more, and I have not had my Mac on since I did it. Google needs to look into this right away so my address does not get blacklisted. Of course it would help if I could contact them to report this, but there is nothing that I can find.

yulianto said...

I lost my Gmail too. I lost my AdSense account. I'm not that stupid to fall for a phishing scheme. I've sent Google email proof that I own the account. But they did not reply. I will keep struggling to get my account back.

Aswin Anand T.H. said...

https://www.gmail.com/ shows a certificate error.

Chris said...

Thanks all for your great comments.

@Clement: that's a great question. We recommend you only enter your Google credentials to Google owned properties. Entering them elsewhere risks phishing, or having them stored and handled less securely than with Google. We support OAuth for contact list access. Sites should be using that to request access to your contact list. Check out the post preceding this one for more.

@Abhijeet / Brian: this really is a case of a large scale phishing scam. From a technical point of view, it's easily possible to distinguish phishing (or other causes of credential loss such as malware downloads, inappropriate credential reuse, browser compromise etc.) from web app bugs. Unfortunately, the scammers are becoming extremely sophisticated and are capable of tricky techniques that can deceive even tech savvy people. Some examples include highly targeted phishing campaigns, professionally created e-mails and web pages, plausible sounding domain names, and even SSL certificates for these fake domains. The filter issue is widely misunderstood. The bad guys have simply determined that precision filters are the best way to achieve their goals. They don't want to change your password because that gives away their presence in an account, and all they are waiting for in this case is interactions with the domain registrar.

@Aswin: you can use https://mail.google.com/ in all browsers. https://www.gmail.com/ needs something called "SNI" support. Firefox and Opera have had this for a while. I believe Chrome and IE7 have it when used on Vista.

penfold said...

I came across this blog after my wife asked me to look into how gmail account can get hacked.

Over the course of the last month or so her classmates and activists have had, or are having, their Gmail accounts hacked. Emails have been forwarded, new emails sent out and passwords reset; in one instance a deactivated account was reactivated and used. I am dumbfounded how it is being done; we are talking about 10 to 15 accounts over a weekend.

I thought about keyloggers, brute force. Phishing could explain a couple of instances, but not the sending out of new emails from their accounts.

So if you have any advice or recommendation that would be great. I initially told them to send an email to Google about it, and they were JUST directed to "take the matter to the police", which I was shocked to hear.

SD said...

My wife's email was hacked and deleted. She was able to access it on Friday, and on Saturday when she logged in, it said "cannot find account". Now when I reply to an email from her, I get an error saying: Account not found.

This also means that Google Picasa photos were lost, all sensitive information in emails was lost, and probably the credit card information in Google Checkout is not "secure" anymore. Also lost many documents in Google Docs.

Recovery page does not help.

I am now concerned: how safe is it to use Gmail or Google services? What if my account gets deleted?

Ezfetish said...

I don't know how, but I know for sure that one guy read all my mails.
I didn't give him my password; he doesn't have access to my computer.
my email is - amoslevy@gmail.com
the guy that read my mails - smgjsk@gmail.com

Lwin said...

January 19
I've got big trouble now. Someone hacked my Gmail account. He did stupid things with my account. Now I can't open it and he changed my password.
my email is - streetracer7288@gmail.com
Who can explain that? Please contact me:
kevin.007@hotmail.co.uk

Chris said...

To regain access to an account, please see this form. This link to the Gmail privacy and security page contains some great information too, including how to avoid being a victim of phishing, malware, browser bugs, etc.