Today brings news that the spammers who were using McColo Corp have retaken their botnet and are back in the business of blasting out spam. As a tangent, we read Google’s response to the rise in pwned Gmail accounts.
From the Google Online Security Blog:
We’ve seen some speculation recently about a purported security vulnerability in Gmail and the theft of several website owners’ domains by unauthorized third parties. At Google we’re committed to providing secure products, and we mounted an immediate investigation. Our results indicate no evidence of a Gmail vulnerability.
With help from affected users, we determined that the cause was a phishing scheme, a common method used by malicious actors to trick people into sharing their sensitive information. Attackers sent customized e-mails encouraging web domain owners to visit fraudulent websites such as “google-hosts.com” that they set up purely to harvest usernames and passwords. These fake sites had no affiliation with Google, and the ones we’ve seen are now offline. Once attackers gained the user credentials, they were free to modify the affected accounts as they desired. In this case, the attacker set up mail filters specifically designed to forward messages from web domain providers.
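The forwarding-filter trick Google describes is easy to miss because the forwarded mail can be archived or trashed so the victim never sees it. As an added example (not code from this post or from Google), here is a small audit of a Gmail filter export. It assumes the filter export is the Atom feed Gmail produces as mailFilters.xml, where each entry carries apps:property name/value pairs such as from, subject, forwardTo, shouldTrash and shouldArchive; the sample feed, its addresses and the trusted-domain list are all constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed sample in the shape of a Gmail mailFilters.xml export (assumed format).
# Entry 1: benign labelling rule. Entry 2: forward to a domain the owner trusts.
# Entry 3: the pattern from the incident: forward mail from a registrar to an
# outside mailbox and hide it from the inbox.
SAMPLE_EXPORT = """
<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='news@example-newsletter.test'/>
    <apps:property name='label' value='newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='subject' value='weekly report'/>
    <apps:property name='forwardTo' value='me@example-corp.test'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='support@example-registrar.test'/>
    <apps:property name='forwardTo' value='drop@example-mailbox.test'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
</feed>
""".strip()

CRITERIA_KEYS = ("from", "to", "subject", "hasTheWord")
HIDING_ACTIONS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")


def parse_filters(xml_text):
    """Return one dict of property name -> value per filter entry in the export."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.iter(ATOM + "entry"):
        props = {}
        for prop in entry.iter(APPS + "property"):
            props[prop.get("name")] = prop.get("value")
        filters.append(props)
    return filters


def audit_filters(filters, trusted_forward_domains=()):
    """Flag filters that forward mail somewhere unexpected or hide what they forward.

    trusted_forward_domains: domains the account owner knowingly forwards to.
    """
    trusted = {d.lower() for d in trusted_forward_domains}
    findings = []
    for index, props in enumerate(filters, 1):
        forward_to = props.get("forwardTo")
        if not forward_to:
            continue  # only forwarding rules can leak mail off the account
        domain = forward_to.rsplit("@", 1)[-1].lower()
        reasons = []
        if domain not in trusted:
            reasons.append("forwards to untrusted domain " + domain)
        hides = [k for k in HIDING_ACTIONS if props.get(k) == "true"]
        if hides:
            reasons.append("hides forwarded mail (" + ", ".join(hides) + ")")
        if reasons:
            findings.append({
                "filter": index,
                "forwardTo": forward_to,
                "criteria": {k: v for k, v in props.items() if k in CRITERIA_KEYS},
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_filters(parse_filters(SAMPLE_EXPORT),
                                 trusted_forward_domains={"example-corp.test"}):
        print(finding)
```

Run against a real export, the interesting output is any forwardTo address you did not set up yourself, especially when paired with shouldTrash or shouldArchive; the criteria field tells you which senders the rule was built to intercept.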
The thought by some folks was that this was due to a CSRF bug that was discovered in Sept 2007. According to Google, this problem was addressed within 24 hours of the initial discovery.
Today I received an email from someone I know who had their Gmail account pinched by ne’er-do-wells. They were nice enough to blast out spam with his/her entire address book in the “To:” field.
Decidedly uncool.
What does this accomplish? Does this make the spammer money? Of course not. Does it piss off people that would like nothing better than to hunt the little peckerwoods down? You bet.
The long and the short of it is that we all need to take precautions when using any webmail account. Google offers this advice on how to better protect oneself by using HTTPS with Gmail. Is it bulletproof? No. But it’s better than getting your password snarfed.