
Russian Hackers Are Using Google's Own Infrastructure to Hack Gmail Users


Batu69


Security researchers have exposed a sophisticated hacking and disinformation campaign that targeted more than 200 Gmail users.

Russian government hackers seem to have figured out that sometimes the best way to hack into people's Gmail accounts is to abuse Google's own services.

On Thursday, researchers exposed a massive Russian espionage and disinformation campaign using emails designed to trick users into giving up their passwords, a technique that's known as phishing.

The hackers targeted more than 200 victims, including, among others, journalists and activists critical of the Russian government, as well as people affiliated with the Ukrainian military, and high-ranking officials in energy companies around the world, according to a new report.

Researchers at the Citizen Lab, a digital rights research group at the University of Toronto's Munk School of Global Affairs, were able to identify all these victims by following clues left in two phishing emails sent to David Satter, an American journalist and academic who has written about Soviet and modern Russia, and who was banned from the country in 2014.

On October 7, Satter received a phishing email designed to look like it was coming from Google, claiming someone had stolen his password and that he should change it right away.

As with other phishing attacks targeting people affiliated with the Hillary Clinton campaign that led to the DNC leaks of last year, the email didn't actually come from Google. It was from a group of hackers known as Fancy Bear, or APT28, whom many believe work for Russia's military intelligence, the GRU.

A screenshot of the phishing email received

The "Change Password" button linked to a short URL from the Tiny.cc link shortener service, a Bitly competitor. But the hackers cleverly disguised it as a legitimate link by using Google's Accelerated Mobile Pages, or AMP. This is a service hosted by the internet giant that was originally designed to speed up web pages on mobile, especially for publishers. In practice, it works by creating a copy of a website's page on Google's servers, but it also acts as an open redirect.

According to Citizen Lab researchers, the hackers used Google AMP to trick the targets into thinking the email really came from Google.

"It's a percentage game, you may not get every person you phish but you'll get a percentage," John Scott-Railton, a senior researcher at Citizen Lab, told Motherboard.

So if the victim had quickly hovered over the button to inspect the link, they would have seen a URL that starts with google.com/amp, which seems safe, and it's followed by a Tiny.cc URL, which the user might not have noticed. (For example: https://www.google[.]com/amp/tiny.cc/63q6iy)

Using Google's own redirect service was perhaps also a way to get the phishing email past Gmail's automated filters against spam and malicious messages.

According to Citizen Lab, which doesn't directly point the finger at Fancy Bear, the email was actually sent by annaablony[@]mail.com. That address was used in 2015 by Fancy Bear to register a domain, according to security firm ThreatConnect. And another domain used in the October attacks exposed by Citizen Lab was also previously linked to Fancy Bear, according to SecureWorks, which tracked the phishing campaign against the DNC and the Clinton campaign.

Curiously, the email targeting Satter came just a few days before Google warned some Russian journalists and activists that "government-backed attackers" were trying to hack them using malicious Tiny.cc links.

A screenshot of a phishing email received

Now we know that in October of 2016, when the hackers targeted Satter and at least 200 other people, the trick of using Google AMP was working, and Google hadn't blocked it. Google has previously dismissed concerns about open redirectors, arguing that "a small number of properly monitored redirectors offers fairly clear benefits and poses very little practical risk."

On Thursday, a company spokesperson said that this is a known issue and last year some Google AMP URLs started showing a warning if the company's systems are uncertain whether the link is safe to visit, such as this.

But some security researchers consider such redirectors dangerous.

"The AMP service's behavior as an open redirect for desktop browsers was clearly abused in this situation and is also just trivial to abuse in general," Nicholas Weaver, a senior researcher at the International Computer Science Institute at UC Berkeley, told Motherboard in an email. "There is undoubtedly some engineering tradeoff I'm not seeing that causes them to maintain it."

Google's redirectors might not be the only part of Google's infrastructure that Fancy Bear hackers have been taking advantage of. Citizen Lab researchers found a Tiny.cc URL that targeted an email address—myprimaryreger[@]gmail.com—that other security researchers suspect was used by Fancy Bear to test their own attacks.

A screenshot of the Google Plus page of "myprimaryreger[@]gmail.com," an account researchers believe was controlled

That address had a Google Plus page filled with images that appear in real, legitimate Gmail security alerts. It's unclear what the hackers used these for, or if they used them at all. But the researchers said that perhaps the hackers were embedding them in phishing emails, and the fact that they were hosted on Google Plus perhaps helped thwart Gmail's security controls.

The Fancy Bear hackers are known to use popular services like URL shorteners in their high-profile hacking operations. And, sometimes, those URL shorteners betray them and end up revealing who they targeted.

Between March 2015 and May 2016, as part of their operation to hack Clinton's campaign chairman John Podesta, and former National Security Advisor Colin Powell, the hackers targeted more than 6,000 people with more than 19,000 phishing links. Some of those used Bitly URLs that, as it turned out, could be decoded to figure out who they were intended for.

An analysis of the Bitly link used to phish John Podesta

Similarly, in this case Citizen Lab researchers were able to identify the victims by figuring out that there was a pattern behind how Tiny.cc creates short URLs. That pattern, as research fellow Adam Hulcoop explained to me, "was chronological." So, starting from the links sent to Satter, the researchers were able to guess other links created around the same time.

It's impossible to know why the hackers keep relying on services like Bitly or Tiny.cc, which end up exposing some of their operations—although months later. One explanation could be that their phishing campaigns are highly automated, given that they target thousands of people. So, as Hulcoop put it, they need a modular phishing infrastructure where every element can be modified if needed, as "an insurance policy of sorts" and they use third party services "to try and balance the need for OpSec [operational security, or the practice of keeping operations secret] with the ability to operate at scale."

"The construction of the Tiny.cc shortcodes pointing to TinyURL shortcodes, which ultimately point to phishing sites on different servers. This modularity is likely by design so that the operator can change up the individual components, servers, redirectors, etc., and only abandon the pieces that are burned," he said in an online chat. "The more layers you have, the more flexible you can be."
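The article describes two things a mail filter has to see through: a google.com/amp/ wrapper that makes the displayed host look like Google, and a chain of shortener hops (Tiny.cc to TinyURL to the phishing server) behind it. As an added, constructed example that is not from the article or from Citizen Lab, the following Python unwraps the AMP form and walks the shortener hops through an offline lookup table instead of live HTTP, then compares the host a user would see with the real destination. The Tiny.cc code 63q6iy is the one quoted in the article; the TinyURL code and the final domain are placeholders, and the shortener watch-list is a constructed one.

```python
from urllib.parse import urlsplit, unquote

# Hosts that serve the AMP viewer wrapper described in the article
# (google.com/amp/<target>); "s/" after /amp/ is the AMP form for an https origin.
AMP_HOSTS = {"google.com", "www.google.com"}

# Constructed watch-list of the shorteners named in the article.
SHORTENER_HOSTS = {"tiny.cc", "tinyurl.com", "bit.ly"}


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def unwrap_amp(url):
    """Return the URL hidden behind a google.com/amp/ wrapper, or None."""
    parts = urlsplit(url)
    if host_of(url) not in AMP_HOSTS or not parts.path.startswith("/amp/"):
        return None
    inner = unquote(parts.path[len("/amp/"):])
    if parts.query:
        inner += "?" + parts.query
    if inner.startswith("s/"):
        return "https://" + inner[2:]
    return "http://" + inner


def analyse_link(url, resolver, max_hops=5):
    """Follow AMP wrappers and shortener hops, using `resolver`
    (short URL -> long URL, or None when unknown) instead of live HTTP.
    Returns the hop chain plus a verdict a mail filter could act on:
      'reject' - a shortener appears anywhere in the chain
      'review' - an AMP wrapper hides a different final host
      'ok'     - no wrapper, no shortener
    """
    hops = [url]
    current = url
    for _ in range(max_hops):
        unwrapped = unwrap_amp(current)
        if unwrapped is not None:
            current = unwrapped
        elif host_of(current) in SHORTENER_HOSTS:
            nxt = resolver(current)
            if nxt is None:
                break          # unknown shortcode: stop, keep what we have
            current = nxt
        else:
            break
        hops.append(current)

    shortener_hops = sum(1 for h in hops if host_of(h) in SHORTENER_HOSTS)
    displayed, final = host_of(url), host_of(current)
    if shortener_hops:
        verdict = "reject"
    elif displayed != final:
        verdict = "review"
    else:
        verdict = "ok"
    return {"hops": hops, "displayed_host": displayed, "final_host": final,
            "shortener_hops": shortener_hops, "verdict": verdict}


# Constructed lookup table standing in for live Tiny.cc / TinyURL resolution.
# "63q6iy" is the shortcode quoted in the article; everything else is a placeholder.
SAMPLE_TABLE = {
    "http://tiny.cc/63q6iy": "http://tinyurl.com/PLACEHOLDER-CODE",
    "http://tinyurl.com/PLACEHOLDER-CODE": "https://phish.example/change-password",
}


def sample_resolver(short_url):
    return SAMPLE_TABLE.get(short_url)


if __name__ == "__main__":
    for link in ("https://www.google.com/amp/tiny.cc/63q6iy",
                 "https://www.google.com/amp/s/www.example.org/story",
                 "https://accounts.google.com/"):
        print(analyse_link(link, sample_resolver))
```

The verdict rule is deliberately coarse: any shortener in the chain is rejected outright, while an AMP wrapper whose final host differs from the displayed one is merely flagged for review, since legitimate AMP pages look the same from the URL alone. In production the resolver would be a cached HEAD request with redirects disabled, so the chain is recorded hop by hop rather than followed blindly.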

 

Article source
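The article's point that Tiny.cc shortcodes were "chronological" comes down to a design choice: a shortener that derives codes from an issue counter lets anyone holding one code compute the codes issued just before and after it, which is how one phishing link led researchers to the rest of the campaign. As an added example that is not from the article, the following Python contrasts a toy counter-based scheme with random codes; the base-36 alphabet and the fixed width are assumptions for illustration and are not Tiny.cc's real encoding.

```python
import secrets
import string

# Toy alphabet for a counter-based shortcode scheme (assumed; not Tiny.cc's real one).
ALPHABET = string.digits + string.ascii_lowercase   # base 36
BASE = len(ALPHABET)


def encode_sequential(counter, width=6):
    """Turn the n-th issued link into a fixed-width code, as a counter-based shortener would."""
    digits = []
    n = counter
    while n:
        n, rem = divmod(n, BASE)
        digits.append(ALPHABET[rem])
    code = "".join(reversed(digits)) or ALPHABET[0]
    return code.rjust(width, ALPHABET[0])


def decode_sequential(code):
    """Recover the issue counter from a counter-based code."""
    n = 0
    for ch in code:
        n = n * BASE + ALPHABET.index(ch)
    return n


def issued_around(code, window=2):
    """Codes issued just before and after `code` under the counter scheme.
    This is the leak the article describes: one known code reveals its
    chronological neighbours, so the whole batch can be reconstructed."""
    n = decode_sequential(code)
    return [encode_sequential(i, len(code))
            for i in range(max(0, n - window), n + window + 1) if i != n]


def random_code(width=6):
    """What a shortener should issue instead: a code drawn uniformly from
    a BASE**width space, with no relation to issue order or to other codes."""
    return "".join(secrets.choice(ALPHABET) for _ in range(width))


def guess_space(width=6):
    """Number of candidate codes an outsider must consider per guess for random codes."""
    return BASE ** width


if __name__ == "__main__":
    known = encode_sequential(1_000_000)
    print("counter scheme:", known, "-> neighbours", issued_around(known))
    print("random scheme:", random_code(), "from a space of", guess_space())
```

The design lesson for anyone operating a redirector or shortener is the second half: with random codes, a single leaked link tells an observer nothing about the others, and a database lookup is the only way back from code to target.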


Podesta's emails released by WikiLeaks were proved to be authentic because they were signed via DKIM (RSA-2048). So why do you claim there is/was some "disinformation"? Fake news propaganda. DNC emails were also confirmed, because people in the DNC got fired. The rest of the narrative promoted in the western press is just baseless assumptions without any proof. The FBI investigators were never allowed to inspect DNC servers.

Cyber Firm Behind “Russian Hacking” Claims Has Ties To Soros-Supported Think Tank

http://disobedientmedia.com/2017/04/cyber-firm-behind-russian-hacking-claims-has-ties-to-soros-supported-think-tank/

Guccifer 2.0: Falseflag:

http://g-2.space/falseflag.html

The CIA’s Absence of Conviction

https://www.craigmurray.org.uk/archives/2016/12/cias-absence-conviction/

Kim Dotcom Issues Statement on Seth Rich’s Involvement in Wikileaks

https://medium.com/@Cernovich/kim-dotcom-issues-statement-on-seth-richs-involvement-in-wikileaks-6f55042bbe5e

Julian Assange: Our source is not the Russian government

http://www.foxnews.com/transcript/2017/01/03/julian-assange-our-source-is-not-russian-government.html

CIA's intelligence is politicized, and the fake WMDs in Iraq which got hundreds of thousands of Iraqi people killed prove this fact (Saddam wasn't involved in 9/11 either).



The point is, sternog, not that what Podesta and the Democrats were doing was wrong... that is a given... the point is Russia used hacking as a weapon to hurt an ideological adversary... It does not make it right under any circumstances... I am sure you would feel different if it was the USA government doing it to Putin... not that they are not already doing that, but Russia is once again a country without any semblance of a free press anymore... so bad news about the powers that be or that government's dirty dealings does not really get disseminated very well... people who publish that stuff or talk about it tend to die.



Well, look who's so innocent:

Senator Thom Tillis: There have been 81 US interventions in other countries' elections, not counting coups and military interventions

https://www.c-span.org/video/?c4642712/senator-thom-tillis-81-us-interventions-elections

The U.S. is no stranger to interfering in the elections of other countries

http://www.latimes.com/nation/la-na-us-intervention-foreign-elections-20161213-story.html

When America Interfered in a Russian Election

https://blackagendareport.com/us_fixed_russian_election_1996

Robert Gates:
"Look, I think this is a guy who saw the U.S. basically come out against him in his reelection campaign in 2012. He saw the U.S. being behind all of the color revolutions in Eastern Europe and in Georgia and Ukraine and so on. So his view is the West has been interfering in his politics for years".
http://www.cbsnews.com/news/transcript-face-the-nation-interview-with-former-defense-secretary-robert-gates-may-14-2017/



if it was the USA government doing it to Putin


lmfao the US has its cock up everyone's ass, including their own citizens. I'm not saying other countries are any better or any worse, just saying!
If I had my way 1 politician would be publicly executed every day until things got better, much better. Hey, but that's just me.



24 minutes ago, 46&2 said:


lmfao the US has its cock up everyone's ass, including their own citizens. I'm not saying other countries are any better or any worse, just saying!
If I had my way 1 politician would be publicly executed every day until things got better, much better. Hey, but that's just me.

Agree... does anyone not see that they are the pot calling the kettle black, is my point here... some here tend to only point to one country as doing wrong and then claim their country is the ONLY country that is legitimately wearing virgin white, and then get really upset if anyone says different and accuse others of propaganda posts and deny they did any such thing or even came close to wrongdoing.



I said that the "disinformation" claim is propaganda, if related to Podesta's emails, unless you don't realize that it's hardly doable to break RSA-2048 to forge the content of Podesta's emails.



Israeli_Eagle
5 hours ago, virge said:

setting up two factor authentication will stop all that.

 

Simply do NOT use it from a browser, that is, as webmail only!!!!!!!!!!

Using it over SMTP/POP3 with a real mail client is still safe. :coolwink:



straycat19
8 hours ago, sternog said:

Podesta's emails released by WikiLeaks were proved to be authentic because they were signed via DKIM (RSA-2048). So why do you claim there is/was some "disinformation"? Fake news propaganda. DNC emails were also confirmed, because people in the DNC got fired. The rest of the narrative promoted in the western press is just baseless assumptions without any proof. The FBI investigators were never allowed to inspect DNC servers.

Russia didn't hack the DNC email servers; the emails were sent to WikiLeaks by a DNC staffer. This has been reported in the US press, and even Julian Assange gave up the source because he had been murdered in DC after the release.

http://www.foxnews.com/politics/2016/08/10/assange-implies-murdered-dnc-staffer-was-wikileaks-source.html

https://www.thenewamerican.com/usnews/crime/item/26101-more-evidence-points-to-murdered-dnc-staffer-as-wikileaks-source

http://nation.foxnews.com/2017/05/16/slain-dnc-staffer-had-contact-wikileaks-say-multiple-sources

 

It has become too easy for everyone to blame Russia, without even taking the time to really investigate incidents. The Democrats are reverting to McCarthyism, seeing a Russian behind every tree and collusion by every one of their political foes.

 



N.S.A., F.B.I. etc. spy on the U.S. citizens

while

Russians, Chinese etc. can do whatever they want inside the U.S. Networks.



  • Administrator

It's sad that the common citizens from both sides are indirectly getting affected by this cyber-battle going on, with everyone taking sides and trying to one-up each other, whereas the truth is, everyone is guilty some way or the other here.



I have no pity for people who are dumb enough to store emails on Google. Wake up, people: Yahoo, Google and others have been hacked over and over! Face reality: if you are sharing something you don't want others to read, it's best not to use these services. If it weren't the Russians, Google sure can read your emails, and the NSA, CIA or FBI sure could get your info with one court order.

I've not signed into any Google services since 2011. So why are politicians using such vulnerable technology without even encrypting it with 3rd party tools? They should be using private email servers with encryption instead of webmail, or at least webmail with hard-to-break encryption. But if it was leaked by a DNC staffer, none of this would have mattered, no way... Keep in mind most all leaks in the USA were from other politicians, military and contractors that work for spy agencies.

This all goes back to most people living in a fantasy world, thinking they have privacy without doing any footwork and using services that got rich from invading your privacy to begin with. Come on, people, Gmail gives ads based on what you write about in emails; it would take an idiot to think you have any privacy using Google services with your real name. Even back before Google changed their privacy policy in 2011, I used fake info to make up email accounts back when I used it. A sucker is born every minute in the name of free. :P



On 5/30/2017 at 6:09 AM, straycat19 said:

... It has become too easy for everyone to blame Russia, and not even taking the time to really investigate incidents....

It has become a game to put blame for all the bad on whosoever we don't like.  < Full Stop >  ;)

 

[Prejudice: an unfavorable opinion or feeling formed beforehand or without knowledge, thought, or reason.]    :(



On 5/30/2017 at 6:17 PM, steven36 said:

I have no pity for  people who is dumb enough ...

Pity the pitiably dumb, then, my friend.  :flowers:



Unnecessary contents have been removed. Topic locked for admins review.

If you have any concerns regarding this please contact an administrator from the staff so that we can deal with it appropriately.


