Google posted information today about an attack against some Gmail account holders.

In this case the attack appeared to be directed at government officials in the US and Korea, as well as Chinese political activists, journalists and military personnel. If you don’t fit in these categories it doesn’t mean you are not at risk, it just means these specific attackers were not after your Gmail account. If you don’t have a Gmail account, it doesn’t matter, cybercriminals are after all kinds of accounts and the fundamentals are the same. The difference is that unlike many free email providers and some ISPs like Comcast, Gmail defaults to secured communications where Yahoo doesn’t give you an option and Comcast won’t tell you how it’s done.

The basic plan of attack is phishing and malware. There are tactics you can use to prevent attackers from phishing you and installing malware on your computer and none of the tactics involve believing that any antivirus product in the world can protect you from everything.

To start with you need to have a strong password. We have talked about passwords a few times before. Paul quite recently posted here and David’s older post even lists other blogs and articles, and here I even include a link to some of the worst passwords people use.

Once you have chosen your password, make sure you only use it in one place and don’t forget to protect against password reset attacks.

To prevent yourself from becoming a phishing victim, I recommend you follow my two simple rules.

1) If someone asks you for your password assume they are a thief or an idiot. This means that if you get an email claiming that there is a problem with your email account and your password is needed or the account will be disabled, it was a thief sending the email, not the organization you think sent it. Do not give your password.

I know some IT people might get a bit bent out of shape over this rule because on rare occasions they may actually have a reasonable need for your password, but the exception is very rare and the IT person needs to evaluate whether asking an employee for their password is really the smartest thing to do. You don’t want to train people to make mistakes.

2) If you click on a link and it leads to a log in page, close the browser.
In the case of some of the Gmail attacks the victims clicked on a link in an email and it lead them to a fake Gmail login page. Don’t fall for this trick. It is very easy for the bad guys to send an email that appears to be legitimate and appears to come from a known source. Everything about email can be spoofed. Facebook LinkedIn and most social networking sites are huge offenders when it comes to training people to make critical mistakes. Never, ever log into your account if you clicked on a link in a Facebook email or other social networking message. This also applies to links in instant messages and text messages. Always type in the name of the site and log in there. If the message is legitimate it will be in your social networking account email. You can find what you are looking for without doing the one thing that makes phishing work… giving up your credentials at a fake site. You may think you know that the email is legitimate, but that is what the criminals count on and will fool you with.

The Google blog has some good security information in addition to the marketing. Google claims that Chrome’s sandboxing enhances security, but I have never seen them show any scientific testing to validate the claim. I’m not saying the sandboxing doesn’t help, and in theory it should help if you use a different tab for every web site, but it would be nice to see proof that their claims are more than hype.

You really don’t have to be a government official, or high profile at all for some criminal to want to steal your account. You really do need to take appropriate precautions.

Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America