June 02, 2011, 10:50 AM — The big headline regarding the Google Gmail phishing hacks is that they emanated from China and targeted, among others, senior U.S. government officials, military personnel and Chinese human rights activists.
Inarguably not good, especially if the phishers were working on behalf of the Chinese government, though Beijing officials have strongly denied any role.
What should be especially disturbing to anyone concerned with online security, however, is that this "spear phishing" operation went on for more than a year. Which means some victims unknowingly could have had their emails forwarded and monitored the entire time.
You'd think that at some point, say, more than a year ago, Google would have been notified about the coordinated phishing attacks by some suspecting victim and publicized it. Yet we're just learning about it this week.
I take that back. We're learning about it just this week from Google. Security researcher Mila Parkour wrote about the hacking campaign in her Contagio blog on Feb. 17.
Parkour described the Gmail breach as "persistent and bold," and one can assume she made sure Google knew about the security breach back when she discovered it nearly four months ago.
Yet in an incredibly self-serving blog post announcing the breach on Wednesday, Google's security team essentially takes full credit for exposing the Gmail hacks in what it pretends is a timely fashion:
Through the strength of our cloud-based security and abuse detection systems*, we recently uncovered a campaign to collect user passwords, likely through phishing. This campaign, which appears to originate from Jinan, China, affected what seem to be the personal Gmail accounts of hundreds of users including, among others, senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists. ...
Google detected and has disrupted this campaign to take users’ passwords and monitor their emails. We have notified victims and secured their accounts. In addition, we have notified relevant government authorities.
You saved us again, Google! How can we ever repay you?
By the way, that barely noticeable asterisk in the first quoted sentence of Google's blog post is as far as the search giant goes toward crediting Parkour for uncovering the Gmail breach. It leads to a sentence at the bottom of the post that reads: "We also relied on user reports and this external report to uncover the campaign described."
Way to spread the love, Google.