Pierluigi Paganini June 15, 2013

Google revealed that tens of thousands of Gmail accounts belonging to Iranian users have been targeted by state-sponsored attacks.

The Google company announced that tens of thousands of Gmail accounts of Iranian users have been targeted hacked. The attacks seem to be organized by a group of state sponsored hackers few days before presidential elections.

The eleventh election for President of the Republic of Iran are held in June, 2013, with a first round on Friday, 14 June,  with a possible runoff  on June 21th.

Google this week warned of increased phishing activity, during the last days the company declared to have detected various suspicious activities, following a portion of the bulletin:

“For almost three weeks, we have detected and disrupted multiple email-based phishing campaigns aimed at compromising the accounts owned by tens of thousands of Iranian users. These campaigns, which originate from within Iran, represent a significant jump in the overall volume of phishing activity in the region. The timing and targeting of the campaigns suggest that the attacks are politically motivated in connection with the Iranian presidential election on Friday.” declared Eric Grosse Vice President of Security Engineering.

The phishing attacks try to deceive users with emails which appear official, they highjack victims to websites that ask to the victims to reveal data including usernames, passwords, and credit card details.

Just one year ago Google announced a service to provide specific protection for a restrict number of users that could be target for a state-sponsored attack. Every user potentially at risk was advised with a message like the one proposed in the following picture:

Of course the message is just an alert and it must be clear that it doesn’t give the certainty that account has been hacked, it’s a communication to inform the user that its account could be victims of a phishing campaign, of an APT attack or of a malware. The purpose of the initiative is to mitigate or prevent potential damage caused by the attack.

That Google alert remarked

“It’s important to note that Google’s internal systems are not compromised and that this message does not refer to one specific campaign,” the page read. “We routinely receive abuse reports from users, as well as from our internal systems that monitor for suspicious login attempts and other activity.”

Google hasn’t identified the attackers that seem to be the same group behind a Gmail hacking campaign in 2011, in that occasion hackers used for MITM attacks fraudulent digital certificates.

The advisory provided also some suggestion to the Iranian users to protect their Gmail accounts activating 2FA process of authentication provided by the company and verifying the URL visited.

“if you are in Iran, we encourage you to take extra steps to protect your account,” continued Eric Grosse.

Iranian Government is considered one of the most intrusive, the regime applies a strict censorship and its surveillance apparatus is considered one of the most advanced. Early 2012 the government blocked VPN access meanwhile Google services were blocked in October.

Following a few suggestions I proposed in my previous post:

• To enable 2-step verification as additional security.
• To maintain systems and application updated (e.g. Browser).
• To check if your Gmail messages are being forwarded without user’s permission

Pierluigi Paganini

(Security Affairs – Iran, Gmail accounts)