Phishing hacks e-mail users, not e-mail services

I’ve seen one too many “Gmail hacked” headlines this morning. Yes, Chinese hackers were able to access “hundreds of Gmail accounts, including some belonging to senior U.S. government officials and military personnel,” as the Post’s story puts it (without using the phrase “Gmail hack”).

But those con artists in China did not break into these accounts by exploiting a vulnerability in Google’s systems, the basic definition of a “hack.” They exploited one in the minds of those Gmail users–by fooling them into entering their passwords on a fake Gmail login page. The spear-phishing e-mails sent to these victims encouraged them to click on a link to view an attached file; those links opened a page in their browser that, in at least some older versions of Internet Explorer, appeared to have a valid address.

You can criticize Google for not flagging these messages as phishing, something Gmail tries to do automatically. But without affirmative action by the targeted users–typing a password into the wrong page–these attacks would fail. That’s the point I tried to make on Twitter this morning:

Another former tech columnist, BusinessWeek alumnus Steve Wildstrom, replied by noting that even if the Chinese hackers had targeted software on the victims’ computers, it still would not have represented an attack on Gmail’s own servers:

And yet a lot of stories have run with the concise, too-convenient “Gmail hacked” or “Google hacked” phrasing. I know that’s eye-catching–especially compared to the lengthy throat-clearing of Google’s bland blog post yesterday–and fits neatly into the ongoing Google-against-China, spy-vs.-spy storyline. But it’s also inaccurate and, by suggesting that mistakes were made where they were not, unhelpful to users trying to stay safe.

Phishing attacks aren’t always obvious. But one thing holds true about all of them: You own your own keystrokes.

(Disclosures: I used “Gmail hacked” as one of the tags for this post. I’ve also been a speaker at Google events, including a panel discussion in January 2010 and an all-day conference next Thursday.)

Edits, 1:01 p.m. Fixed one incorrect link and replaced another with a more useful address.

4 thoughts on “Phishing hacks e-mail users, not e-mail services”

  1. I agree that the user is responsible, but so is Google.

    They could use tools that enhance security with little inconvenience. e.g. the secret image authenticating the site to you that banks use. Facebook could show you old profile pics of you. (A hacker who was devoted could do the latter, but that’s not what most of these attacks are.)

    Twitter was completely irresponsible in the early days encouraging people to give their credentials to third-party sites for API access. (That’s changed with OAuth.)

  2. Thanks for writing what I was thinking when I read the story, Rob. The people whose accounts were hacked either gave private information to a scammer, or one of their employees did. This isn’t Google’s issue, this is a user issue. There’s no reason this same situation can’t happen to the same users if they’re using Verizon, Cox or Comcast. The lesson is don’t send private info over email.

  3. WWDC? I immediately thought of the radio station by those call letters in the DC metro area. It used to be on Brookville Road in Silver Spring. Years ago, it was an AM station. Now it appears to be DC101. Incredible!

  4. Catching up on my blog reading. Good to see Steve Wildstrom from the Twittersphere. BusinessWeek (now Bloomberg BusinessWeek) is one more publication which has not been the same since its tech columnist’s departure. Their “Tech and You” column has contained the same lame story about “significant” smartphone apps for the past several months.

    I HAVE actually had a Yahoo! Mail account hacked by some Russian fake pharmaceutical company. Several people on my contacts list said they received the spams from what appeared to be me. And I am VERY careful about phishing-type stuff, as well as having several security layers on all my home and work PCs. (They were all clean when I ran the diagnostics.) I was and continue to be very annoyed that Yahoo, unlike other Webmail providers, does not allow one to make a contact entry such as JohnSmith-at-yahoo-dot-com. There has to be an actual @ sign and an actual period before the com, or Yahoo won’t accept it as a valid contact.
