Can Google Know Where the Gmail Attack Came from?

The company blames China, but none of the evidence is definitive—which is the nature of such attacks.

On Tuesday, Google revealed a new spate of attacks aimed at Gmail users, and said the attacks appeared to have come from Jinan, China. The new attacks illustrate the difficulty of stopping hackers who use simple “social engineering” tricks to steal personal data, and they raise questions about how such attacks can ever be traced with certainty.

Personal accounts belonging to U.S. government officials, Chinese political activists, military personnel, and journalists were targeted, the company said in a blog post. Google has pointed to Chinese hackers before—in early 2010 it said attackers from the country had stolen its intellectual property and tried to access the Gmail accounts of human rights activists. The Chinese foreign ministry has vigorously rejected the idea that the Chinese government was responsible for the attacks.

Google says the attackers did not exploit any security holes in the company’s e-mail service. Instead, the attacks relied on tricking users into handing over their log-in credentials. Carefully tailored messages, apparently written by a friend or colleague, were used to direct victims to a fake log-in page where their user names and passwords were captured. This technique, known as “spear phishing,” was also used recently to steal information from the prominent security company RSA—information that may have been used to perform further attacks on the company’s customers.

Experts say this type of attack is hard to stop; unlike other types of attacks, there is no technical fix. “I think of incidents like this more as a series of successes and failures on the part of the attacker,” says Nart Villeneuve, a senior threat researcher at Trend Micro, which makes antivirus, antispam, and Internet security software. “It’s more of a campaign than it is a single attack.”

Before joining Trend Micro, Villeneuve was heavily involved in tracking attacks on human-rights activists—he was part of the group that revealed a complex hacking operation that spied on figures including the Dalai Lama.

Villeneuve also says it’s hard to identify the real source of this type of attack in order to cut it off. To pinpoint the source of the recent incidents, Google likely looked at a variety of clues, he says. The company could examine the IP addresses used to access e-mail accounts, which can be geolocated to an approximate location. The company could also look at the servers used to host fake log-in pages and collect users’ personal information.

But this alone isn’t enough, Villeneuve says. Attackers can easily take over computers located somewhere else, and use them to launch an attack. “Making your attack seem like it came from somewhere else is not hard,” he says.

So Villeneuve says Google probably looked at many more clues to decide the source of the recent attacks. For example, he says, the company could have looked for patterns in the times that the attacks took place. Villeneuve believes that “from their point of good visibility, they could build up a lot of information.”
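Two of the clues described above, the source addresses that touched the victim accounts and the hours at which the activity happened, can be worked through on a log. The following is an added example, not code from the article, Google or Trend Micro; the access records are constructed (documentation address ranges, invented times). It counts logins per source address and per /24 block, then asks which UTC offset would make the activity look most like an ordinary nine-to-five working week. Neither result is proof of origin, for the reasons the article gives: the addresses may belong to machines the attacker merely controls, and a working-day pattern is a statistical hint, not a return address.

```python
"""Attribution clues from Web-mail access logs.

Added example, not the article's, Google's or Trend Micro's code. The
records below are constructed for the demonstration.
"""
import ipaddress
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC time of a suspicious login, source IP, account.
RAW_EVENTS = [
    ("2011-05-16T01:12:00Z", "198.51.100.7",  "victim-a"),
    ("2011-05-16T03:40:00Z", "198.51.100.7",  "victim-b"),
    ("2011-05-16T09:05:00Z", "198.51.100.23", "victim-a"),
    ("2011-05-17T02:30:00Z", "198.51.100.7",  "victim-c"),
    ("2011-05-17T06:15:00Z", "203.0.113.41",  "victim-b"),
    ("2011-05-18T07:50:00Z", "198.51.100.23", "victim-c"),
    ("2011-05-19T01:58:00Z", "198.51.100.7",  "victim-a"),
    ("2011-05-19T05:22:00Z", "203.0.113.41",  "victim-a"),
    ("2011-05-20T08:45:00Z", "198.51.100.23", "victim-b"),
    ("2011-05-21T03:10:00Z", "198.51.100.7",  "victim-c"),  # a Saturday in UTC+8
]

WORK_START, WORK_END = 9, 18  # assumed local working hours, [09:00, 18:00)


def parse_events(raw):
    """Turn the raw tuples into (aware UTC datetime, ip, account)."""
    out = []
    for ts, ip, account in raw:
        dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out.append((dt, ip, account))
    return out


def source_summary(events, prefix_len=24):
    """Logins per source address and per /prefix_len network.

    Grouping by network shows whether several addresses are really one
    block; it says nothing about whether that block is a proxy, which is
    why the address alone is not enough.
    """
    per_ip = Counter(ip for _, ip, _ in events)
    per_net = Counter(
        str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
        for _, ip, _ in events
    )
    return per_ip, per_net


def working_hours_score(events, offset_hours):
    """Number of logins on a weekday inside working hours if the
    operator's clock were UTC+offset_hours."""
    tz = timezone(timedelta(hours=offset_hours))
    score = 0
    for dt, _, _ in events:
        local = dt.astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            score += 1
    return score


def best_utc_offset(events, offsets=range(-12, 15)):
    """(offset, score) for the UTC offset under which the activity looks
    most like a working week. Ties go to the first offset tried."""
    scored = [(working_hours_score(events, off), off) for off in offsets]
    score, off = max(scored, key=lambda s: s[0])
    return off, score


if __name__ == "__main__":
    events = parse_events(RAW_EVENTS)
    per_ip, per_net = source_summary(events)
    print("logins per source address:", dict(per_ip))
    print("logins per /24:", dict(per_net))
    off, score = best_utc_offset(events)
    print(f"best-fit clock: UTC{off:+d} ({score}/{len(events)} logins in working hours)")
```

On the constructed sample every weekday login lands between 09:00 and 18:00 only when the clock is set to UTC+8, and eight of the ten logins come from one /24. That is the kind of pattern that makes a region plausible; it is also exactly what an operator who wanted to be mistaken for that region would arrange, which is the caveat the next paragraph makes.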

Even then, Villeneuve emphasizes, it is extremely difficult to pin responsibility for the attacks on any single entity, organization, or nation.

Bruce Schneier, a prominent computer security expert and chief security technology officer of the British company BT, agrees. “Attacks don’t come with a return address,” he says. “This is a perennial problem. It’s not a problem of anonymity; it’s a problem of how the Internet works.”

While there’s good reason to suspect Chinese involvement, there’s no way to know for sure, Schneier says. Routing an attack through China would be an excellent way for another interested party to throw investigators off their track, he says. But Schneier adds that the type of attack leveled at Gmail users is happening all the time.

Security researcher Mila Parkour identified and posted samples of some of the fake e-mail messages and fake Web pages used to trick Gmail users into handing over their log-in information. She notes that “the spear phishing method used in this attack is far from new or sophisticated,” but points out that Web mail services offered by Google, Yahoo, and others don’t offer users the same level of protection as many enterprise systems. What’s more, she says, many users forward messages from business accounts to personal accounts, making the personal accounts worth targeting.

Villeneuve says that in some of the Web mail attacks he’s studied, attackers seem to be gathering information about a user’s computer or antivirus software. Since many people check personal e-mail at work, attackers might also be looking to gather information about systems at other locations that they want to target later, Villeneuve believes.

Though Google has gained headlines for coming forward with the recent news, Villeneuve notes that targeted attacks aimed at high-value individuals are “not just a Google problem.” He’s recently identified similar examples aimed at users of Yahoo mail and Hotmail, but he cannot confirm that they are related.
