2 June 2011
Last updated at 04:20 ET
By Maggie Shiels
Technology reporter, BBC News, Silicon Valley
The targeted attack used by hackers to compromise e-mail accounts of top US officials is reaching 'epidemic' proportions, say security experts.
The scam, known as spear phishing, was used in a bid to get passwords of Gmail accounts so they could be monitored.
Via a small number of customised messages it tries to trick people into visiting a web page that looks genuine so users type in login names.
Such attacks are often aimed at top officials or chief executives.
Such attacks are not new, say security professionals, but they are becoming more commonplace.
"What is happening more and more is the targeting of a couple of high value individuals with the one goal of acquiring valuable information and valuable data," said Dan Kaminsky, chief scientist at security firm DKH.
"The most interesting information is concentrated in the accounts of a few people," he said. "Attackers using information to impersonate the users is at epidemic proportions and why computer security is in the state it is in."
In March, security firm RSA was hit by a sophisticated spear-phishing attack that succeeded despite only two attacking e-mails being sent. The phishing e-mail had the subject line "2011 Recruitment Plan" and contained a booby-trapped spreadsheet.
Total access
Google said it uncovered the deception through a combination of cloud based security measures, abuse detections systems and user reports. It also cited work done by a website called contagio dump.
The founder of the site is technologist and researcher Mila Parkour who said the method used in this attack was "far from being new or sophisticated".
She told the BBC she was first alerted to the problem by one individual back in February. She would not reveal their name or position.
Google said that among those targeted were senior US government officials, military personnel, journalists, Chinese political activists and officials in several Asian countries, predominately South Korea.
"Someone shared the incident with me," she said. "I did a mini research and analysis and posted the findings as I heard it happened to other people in the military and US government. I just wanted them to be aware and be safe."
Ms Parkour said attackers got access to the entire mailboxes of victims.
"I did not read the contents of the mailbox so not sure if anything extra interesting was there," she said. "I hope not."
Chinese connection
Cyber attacks originating in China have become common in recent years, said Bruce Schneier, chief security technology officer at telecoms firm BT.
"It's not just the Chinese government," he said. "It's independent actors within China who are working with the tacit approval of the government."
China has said repeatedly it does not condone hacking, which remains a popular hobby in the country, with numerous websites offering cheap courses to learn the basics.
In 2010 Google was the victim what it called a "highly sophisticated and targeted attack on our corporate infrastructure originating from China" that it said resulted in the theft of intellectual property.
Last year, US. investigators said there was evidence suggesting a link between the Lanxiang Vocational School in Jinan and the hacking attacks on Google and over 20 other firms. The school denied the report.
This time Google is stressing that the security of its products was never compromised and that it was users who were scammed into unwittingly giving away their passwords.
"It's important to stress that our internal systems have not been affected - these account hijackings were not the result of a security problem with Gmail itself," said Eric Grosse, engineering director of the company's security team.
"But we believe that being open about these security issues helps users better protect their information online."
The White House has said it is investigating the issue.
Easy access
Security experts said spear phishing attacks were easy to perpetrate because of the amount of information people put on the internet about themselves on social networking sites such as Facebook and Twitter.
The mountain of data lets canny hackers piece together enough information to make e-mails they concoct appear convincing and genuine.
In this attack, some Gmail users received a message that looked like it came from a work colleague or was linked to a work project.
On Ms Parkour's site, she shows some of the spoof e-mails indicating how easy it was for people to be hoodwinked.
"It makes sense these bad guys would go that way given the amount of time, effort and investment they have to make in orchestrating an attack," said Dr Hugh Thompson, chief security strategist at People Security who also teaches at Columbia University.
People tend to trust messages that look like they come from people bearing details of where they last met or what they did, he said.
"I can then point you to a site that looks very much like Gmail and you are not going to question that because I already have your trust," he said.
While security experts criticised user behaviour, some also said the combination of login and passwords was at fault too.
"Passwords don't work as an authentication technology," said Mr Kaminsky.
"They are too flexible, too transferable and too easy to steal," he said. "However, we are stuck with them for now due to technical limitations and because users find them easy to use."
Are you affected by any of the issues raised in this story? Send us your comments and experiences using the form below.