The Man-in-the-Mailbox

As reported today in the New York Times, Google has acknowledged the discovery of a scheme to steal Gmail passwords and eavesdrop on the affected email accounts. (You can read more information on this from Google’s blog here)

This scheme targeted specific government and military individuals as well as journalists and activists, using spear-phishing to lure each target into entering their Gmail password. The interesting component is that the attackers apparently used the stolen credentials to set up forwarding of all email traffic from the affected accounts, essentially giving the attacker full access to every one of the target's conversations. This type of behavior has been termed the "man-in-the-mailbox" (kudos to the blogosphere on the name). Of course, the attackers can then use that information to craft even more targeted spear-phishing emails to anyone the target account communicates with.
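Because the forwarding rule is the piece of this scheme that outlives the phishing email, the practical defensive check is to audit mailbox forwarding changes for targets outside the organization. The script below is an added example written for this post; it is not code from the original article, from Google, or from any mail provider. It assumes a constructed, pipe-delimited audit-log format (real admin audit exports differ) and an assumed list of the organization's own domains in `ORG_DOMAINS`.

```python
"""Flag mailbox forwarding changes that send a user's mail outside the organization.

Added example: the log format below is constructed for illustration and is not
any real provider's export format.
"""
from dataclasses import dataclass

# Assumption: the organization's own mail domains; anything else is "external".
ORG_DOMAINS = {"example.com"}

# Constructed sample audit log, one event per line:
#   timestamp|account|action|detail(key=value;...)|keep_copy=0/1
SAMPLE_LOG = """2011-06-01T09:12:44Z|alice@example.com|SET_FORWARD|target=bob@example.com|keep_copy=1
2011-06-01T22:03:10Z|carol@example.com|SET_FORWARD|target=dropbox.mail@free-mail-host.invalid|keep_copy=0
2011-06-02T03:44:01Z|dave@example.com|ADD_FILTER|filter_action=forward;target=collector@free-mail-host.invalid;match=from:*|keep_copy=1
2011-06-02T08:00:00Z|erin@example.com|REMOVE_FORWARD|target=erin.personal@free-mail-host.invalid|keep_copy=1
"""


@dataclass
class Finding:
    account: str
    target: str
    reasons: list


def parse_event(line: str) -> dict:
    """Split one constructed log line into a flat dict of fields."""
    timestamp, account, action, detail, keep = line.split("|")
    event = {"ts": timestamp, "account": account, "action": action}
    for item in detail.split(";"):
        key, _, value = item.partition("=")
        event[key] = value
    # keep_copy=1 means the owner still receives the mail, so a silent tap
    # is possible; keep_copy=0 means mail is diverted away from the owner.
    event["keep_copy"] = keep.split("=", 1)[1] == "1"
    return event


def is_external(address: str, org_domains: set) -> bool:
    """True when the address's domain is not one of the organization's domains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in org_domains


def audit_forwarding(log_text: str, org_domains: set = ORG_DOMAINS) -> list:
    """Return a Finding for every event that routes mail to an external target.

    Both the account-level forwarding setting (SET_FORWARD) and a filter whose
    action is "forward" (ADD_FILTER) are checked, since a filter is the less
    visible way to achieve the same man-in-the-mailbox effect.
    """
    findings = []
    for line in log_text.strip().splitlines():
        event = parse_event(line)
        if event["action"] == "SET_FORWARD":
            hidden_in_filter = False
        elif event["action"] == "ADD_FILTER" and event.get("filter_action") == "forward":
            hidden_in_filter = True
        else:
            continue  # removals and non-forwarding filters are not findings
        target = event.get("target", "")
        if not target or not is_external(target, org_domains):
            continue
        reasons = ["forwarding target is outside the organization's domains"]
        if hidden_in_filter:
            reasons.append("forwarding is buried in a filter rule rather than the account-level setting")
        if event["keep_copy"]:
            reasons.append("a copy stays in the mailbox, so the owner is unlikely to notice")
        findings.append(Finding(event["account"], target, reasons))
    return findings


if __name__ == "__main__":
    for finding in audit_forwarding(SAMPLE_LOG):
        print(f"{finding.account} -> {finding.target}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

Run against the constructed log, this flags carol's account-level forward and dave's filter-based forward, and ignores alice's internal forward and erin's removal. The same shape of check belongs in whatever audit-log pipeline you already have: the signal is an external forwarding target appearing on an account, not the phishing email that preceded it.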

There is a very simple but important point here. The days of the obvious phishing campaign are over. When an attacker knows exactly whom you talk to and what you talk about, social engineering becomes infinitely easier and far more likely to succeed. Hoping to educate users enough to avoid this problem is simply a losing proposition. As enterprises, we need to assume that our users will be compromised, prepare for it, and commit to the centralized controls needed to limit our exposure. This means protecting all users from things like drive-by downloads, segmenting users and systems strongly enough that a single exposure can't spread through the enterprise, and leveraging new technologies such as our behavioral botnet detection to find users who may be compromised by unknown threats. It also lends even more credence to the notion of the zero trust architecture that we covered last week. You can read it here if you missed it the first time.