Gmail hack from China has lessons for everyone and there’s one simple thing you can do to protect yourself.
The latest attack on Gmail accounts could happen to anyone with any online email account – here’s how to avoid being hacked with one simple trick that will save you from any phishing attempt.
Today’s news has some details of a Google Gmail hack on officials and journalists by a group in China. Despite Google being named, the attack could have happened to anyone with an online mail service, Hotmail, Yahoo or Gmail. It wasn’t a failure of Google’s servers; instead, people were tricked into giving their login and password to hackers.
We’ll explain what happened and the simple things to avoid being similarly hacked.
The hackers weren’t trying to use the accounts to send spam (the usual reason for hacking). Instead they gained access to Gmail to read the existing emails (in and out) and to keep reading new messages for as long as they weren’t detected.
The people targeted were US and South Korean government officials, which is why these events have been getting so much attention. In the past, Chinese hackers have gained access to journalists’ accounts; see Cloud storage is a hackers dream come true.
The individuals targeted were sent phishing messages. These weren’t the usual short, poorly written and broadly targeted messages (easily detected by spam filters or by most people) that pretend to come from some well-known site like a bank, online service or news organization. See CNN based phishing missed by Outlook as an example:
The message seems legitimate, but the real link (as shown in the tooltip) isn’t to the web site you expect; instead it goes somewhere else. You land on a page that looks legitimate and tricks you into entering your login and password.
These messages were more personalized to the individuals and apparently pretended to come from Google’s Gmail service. The phishing link took the unwary to what appeared to be a Gmail login; they entered their details, which the hackers then used to access their accounts.
What can I do?
You’re probably not a ‘person of interest’ to the Chinese or other governments, but that doesn’t mean you’re immune.
Avoiding Gmail isn’t any help – this attack could happen (and has happened) to Yahoo and Hotmail users. Email accounts are the usual target, but it’s only a matter of time before online document storage (Google Docs, Office Web Apps etc) is hacked.
Hacking is moving beyond the broad approach of sending out millions of phishing emails hoping a few people will get caught. In the future, we’re likely to see more targeted hacks with phishing emails sent to individuals or small groups of people. These focused phishing messages are harder for software and humans to detect, but there are some simple things you can do.
Gmail will tell you when you last logged into your account and if anyone is logged into your account at the same time. For example:
“This account is open in 2 other locations. Last account activity: 1.5 hours ago on this computer.”
There’s a ‘Details’ link which will show the activity on your account, the country and IP address. This information is at the bottom of any Gmail page.
Outlook has had a phishing filter since Outlook 2003 Service Pack 2, which catches many, but not all, bogus messages. Outlook 2003 (from SP2 onwards), Outlook 2007 and Outlook 2010 all have phishing detectors supplied and turned on by default in Junk E-mail options.
Any spam and phishing protection is only good if it’s updated regularly to cope with new types of messages. That can be done automatically with Microsoft Update. Office-Watch.com has long noted problems arising from faulty patches from Microsoft that are pushed to customers. While we are wary of patches generally, the ‘Definition Updates’ should be installed without delay. The same applies to anti-virus programs like Microsoft Security Essentials. These days most people should get these updates automatically. Sadly Microsoft doesn’t make it easy to tell which updates you have installed. Do you have the latest Junk Email filter?
Software detection can only go so far; new types of hacker messages and personally targeted messages are hard for automated systems to detect.
It’s up to each of us, carbon-based bipeds, to be our own last line of defense.
If you get a message from your bank, email service etc telling you to click on a link for more details – be cautious. The message might be legitimate or it might not.
Carefully check the real link in the message – not the text you can see but the underlying link that’s only shown when you hover your mouse over it (see the ‘CNN’ example above). Often a bogus link is worded to include the name of the spoofed site (‘ebay’, ‘WaMu’, ‘Google’ etc) somewhere in the address, so make sure the domain name itself is correct.
Make sure the site has a valid certificate (i.e. the ‘lock’ icon shows in your browser) and that the certificate matches the site you intend to visit.
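The link check above can be made mechanical: pull each link out of the message, ignore the visible text, and compare the registrable domain of the real destination with the domain you expect. The script below is an added example written for this article, not code from Office-Watch.com; the sample email, the brand-lookalike addresses in it and the `.example` hostnames are all constructed, and the two-label rule for the registrable domain is a deliberate simplification (real tooling should use the Public Suffix List).

```python
"""Inspect the real destination of each link in an HTML email body.

Added example, not from Office-Watch.com.  A link is only 'ok' when the
registrable domain of its href is the domain we expect; otherwise the
verdict names the trick used to make a foreign address look familiar.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def registrable_domain(hostname: str) -> str:
    """Simplification (assumption): the last two labels are the registrable
    domain.  Use the Public Suffix List in real tooling so 'example.co.uk'
    is handled.  IP literals are returned unchanged."""
    labels = hostname.lower().rstrip(".").split(".")
    if all(label.isdigit() for label in labels):
        return hostname
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_link(text: str, href: str, expected_domain: str) -> dict:
    """Verdict for one link: compares the href's registrable domain with the
    expected one and lists where the brand name appears if they differ."""
    parsed = urlparse(href)
    host = parsed.hostname or ""
    actual = registrable_domain(host)
    expected = registrable_domain(expected_domain)
    brand = expected.split(".")[0]
    verdict = {"text": text, "href": href, "domain": actual,
               "ok": actual == expected, "reasons": []}
    if verdict["ok"]:
        return verdict
    if parsed.username is not None:          # http://brand.com@other.example/
        verdict["reasons"].append("brand in userinfo before @")
    if brand in host:                        # brand.com.other.example
        verdict["reasons"].append("brand only in subdomain")
    if brand in (parsed.path + parsed.query).lower():
        verdict["reasons"].append("brand only in path or query")
    if brand in text.lower():                # link text says one thing, href another
        verdict["reasons"].append("visible text names the brand")
    if not verdict["reasons"]:
        verdict["reasons"].append("unrelated domain")
    return verdict


def scan_email(html: str, expected_domain: str) -> list:
    """Run check_link over every anchor in the message body."""
    collector = LinkCollector()
    collector.feed(html)
    return [check_link(text, href, expected_domain) for text, href in collector.links]


# Constructed sample message: one genuine link and three lookalikes.
SAMPLE_EMAIL = """<p>Your Gmail account has a problem.</p>
<a href="https://accounts.google.com/signin">Sign in to Google</a>
<a href="https://accounts.google.com.login-check.example/">Sign in to Google</a>
<a href="http://google.com@203.0.113.5/login">https://www.google.com/</a>
<a href="https://secure-login.example/google/account">Verify your Google account</a>
"""

if __name__ == "__main__":
    for verdict in scan_email(SAMPLE_EMAIL, "google.com"):
        status = "OK     " if verdict["ok"] else "SUSPECT"
        print(f"{status} {verdict['domain']:32} {verdict['href']}")
        for reason in verdict["reasons"]:
            print(f"          - {reason}")
```

Only the first link passes; the other three put the brand name in a subdomain, in the userinfo before the ‘@’, or in the path, which is exactly the wording trick the paragraph warns about.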
Ignore the link
Better still, even if you think the message is real, ignore any and all links in the email message itself. Go to the web site using your usual browser favorites or type in the URL yourself.
For example, if you get a message from Gmail saying there’s a problem and asking you to click a link – don’t click! Go to your browser and type in ‘Gmail.com’ yourself, then log in as usual. If there really is a problem, you should see a web page or message on the real web site.
The same applies to other messages. If I get a message from, say, Citibank, I’ll log in to online banking at Citibank.com myself, not using any link in the email itself.
Of course, this precaution is only necessary for sites that require login.
Our Office-Watch.com ebook – Privacy and Security in Microsoft Office has a lot of practical help in securing your documents and emails. Getting a FREE digital certificate and using it to sign and encrypt emails is covered in step-by-step detail.
- Clever twist on the stranded traveler scam
- Cloud storage is a hackers dream come true
- Do you have the latest Junk Email filter?
- More CNN based phishing missed by Outlook
- Office 2003 anti-phishing feature