I’ve seen one too many “Gmail hacked” headlines this morning. Yes, Chinese hackers were able to access “hundreds of Gmail accounts, including some belonging to senior U.S. government officials and military personnel,” as the Post’s story puts it (without using the phrase “Gmail hack”).
But those con artists in China did not break into these accounts by exploiting a vulnerability in Google’s systems, the basic definition of a “hack.” They exploited one in the minds of those Gmail users–by fooling them into entering their passwords on a fake Gmail login page. The spear-phishing e-mails sent to these victims encouraged them to click on a link to view an attached file; those links opened a page in their browser that, in at least some older versions of Internet Explorer, appeared to have a valid google.com address.
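The decisive question in an attack like this is whether the page asking for a password is actually served from google.com, not whether the link looks like it. The following is an added example (not code from the post or from Google) that extracts the host a browser would really connect to and flags links where "google.com" merely appears in the user-info portion, a lookalike domain, or a query string; the sample links are constructed.

```python
from typing import Optional
from urllib.parse import urlsplit

# Hosts that are allowed to present the login page for this service.
# A real deployment would carry the full list for the service in question.
TRUSTED_SUFFIXES = ("google.com",)


def real_host(url: str) -> Optional[str]:
    """Return the host a browser would connect to for this URL, or None if unusable.

    urlsplit() strips any 'user:pass@' prefix from the network location, so
    'http://www.google.com@203.0.113.5/' resolves to 203.0.113.5, not google.com.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return None
    host = (parts.hostname or "").lower()
    return host or None


def is_trusted_login_link(url: str) -> bool:
    """True only if the connecting host is a trusted domain or a subdomain of one."""
    host = real_host(url)
    if host is None:
        return False
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


# Constructed sample links of the kinds that can show "google.com" to a casual eye.
SAMPLE_LINKS = [
    "https://mail.google.com/mail/",                      # genuine subdomain
    "http://google.com.example.net/login",                # lookalike: trusted name as a prefix
    "http://www.google.com@203.0.113.5/login",            # user-info trick: real host is the IP
    "http://example.org/signin?next=https://google.com",  # trusted name only in the query string
]


def classify(urls):
    """Map each link to (real host, trusted?) so a reviewer can see what the browser would use."""
    return {u: (real_host(u), is_trusted_login_link(u)) for u in urls}


if __name__ == "__main__":
    for url, (host, ok) in classify(SAMPLE_LINKS).items():
        print(f"{'TRUSTED ' if ok else 'SUSPECT '} host={host!r:<28} {url}")
```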
You can criticize Google for not flagging these messages as phishing, something Gmail tries to do automatically. But without affirmative action by the targeted users–typing a password into the wrong page–these attacks would fail. That’s the point I tried to make on Twitter this morning:
Another former tech columnist, BusinessWeek alumnus Steve Wildstrom, replied by noting that even if the Chinese hackers had targeted software on the victims’ computers, it still would not have represented an attack on Gmail’s own servers:
And yet a lot of stories have run with the concise, too-convenient “Gmail hacked” or “Google hacked” phrasing. I know that’s eye-catching–especially compared to the lengthy throat-clearing of Google’s bland blog post yesterday–and fits neatly into the ongoing Google-against-China, spy-vs.-spy storyline. But it’s also inaccurate and, by suggesting that mistakes were made where they were not, unhelpful to users trying to stay safe.
Phishing attacks aren’t always obvious. But one thing holds true about all of them: You own your own keystrokes.
Edits, 1:01 p.m. Fixed one incorrect link and replaced another with a more useful address.