See this update: Aug 11 Targeted attacks against personal Gmail accounts Part II - CNAS Report
General threat Information
The spear phishing method used in this attack is far from new or sophisticated. I am posting the following information anyway because of the attack's particularly invasive approach. Google, Yahoo, and other personal mail services do not offer the same protection against spoofing and malware as enterprise accounts. In addition, personal mail is often read at home in a relaxed atmosphere, which helps catch the victim off guard, especially when a message appears to come from a frequent contact. Some people habitually forward messages from their enterprise accounts to personal mail for safekeeping or easy reading at home, which can expose sensitive information.
File - ServiceLoginAuthen.htm (not malware, file from a phishing site)
from visiting hxxp://google-mail.dyndns.org/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=bsv=1grm8snv3&ss=1&scc=1&ltmpl=default&ltmplcache=2/ServiceLoginAuth.php?u=VictimGmailID
Domain:
google-mail.dyndns.org in this example but there are many others in use
Type:
"View" / "Download" links in Gmail masquerading as the links used to view or download an attachment. The message itself carries no attachment.
Distribution:
Email link, targeted phishing message sent to Gmail account of a person associated with military or political affairs. Links are customized and individualized for each target.
Target recipients:
Government and non-government employees working on questions of defense, political affairs, and national security; defense/military personnel, etc.
Attack approach:
Victims receive a message from a spoofed address belonging to a close associate or a collaborating organization/agency. The message is crafted to look as if it has an attachment, with "View" and "Download" links and the name of the supposed attachment. The link leads to a fake Gmail login page that harvests credentials.
Once the attackers get the credentials, they log in to the victim's Gmail account and may do the following:
- Create rules to forward all incoming mail to another account. The third-party account ID is made to closely resemble the victim's ID.
- Read mail and gather information about the closest associates and family/friends, especially frequent correspondents.
- Use the harvested information to make future mailings more plausible. Some messages are empty, while others reference family members and friends (e.g. mentioning spouses by name or referring to recent meetings) and are plausible enough to elicit responses or conversations from victims. We are not posting those examples due to their personal nature.
- Send such emails on a monthly or biweekly basis. The messages differ, as you can see below, but all carry the same link and are designed to refresh the victim credentials the attackers already hold.
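The indicators described above (a spoofed sender, a message with no real attachment but "View" / "Download" links, and a link whose path copies Google's login URL on a host that is not Google's) can be checked mechanically when triaging a reported message. The following is an added example written for this post, not code from the original author: it parses one raw message, extracts links from the body, scores each link against a small set of lookalike rules, and compares the From header with the Return-Path and Authentication-Results headers. The sample message, the `LEGIT_GOOGLE_HOSTS` allow list, the dynamic-DNS suffix list and all function names are constructed for illustration; the only value taken from the post is the lookalike host google-mail.dyndns.org.

```python
"""Triage checks for a Gmail-lookalike credential-phishing message.

Added example (not code from the original post). The sample message,
the domain lists and all function names are constructed for illustration;
google-mail.dyndns.org is the lookalike host the post names.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Hosts that legitimately serve Google account login pages (assumed short
# allow list; extend it for your own environment).
LEGIT_GOOGLE_HOSTS = {"accounts.google.com", "www.google.com", "mail.google.com"}

# Fragments of Google's real login URL that the phishing page reuses to
# look authentic when it appears on some other host.
LOGIN_PATH_MARKERS = ("/accounts/servicelogin", "serviceloginauth")

# Free dynamic-DNS suffixes used for lookalike hosts (constructed list).
DYNAMIC_DNS_SUFFIXES = (".dyndns.org", ".no-ip.org", ".no-ip.biz")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
LURE_RE = re.compile(r">\s*(view|download)\s*<", re.IGNORECASE)

# Constructed sample modelled on the post: spoofed sender that fails SPF,
# no real attachment, "View" / "Download" links to a fake Gmail login page.
SAMPLE_EML = """\
Return-Path: <bounce@example-mailer.invalid>
Authentication-Results: mx.example.invalid; spf=fail smtp.mailfrom=example-mailer.invalid
From: "J. Colleague" <jcolleague@partner-agency.invalid>
To: victim@gmail.com
Subject: Re: meeting notes
Content-Type: text/html; charset=utf-8

<html><body>
<p>Attached are the notes from last week.</p>
<p>meeting_notes.doc
<a href="http://google-mail.dyndns.org/accounts/ServiceLogin?service=mail&passive=true/ServiceLoginAuth.php?u=victim">View</a>
<a href="http://google-mail.dyndns.org/accounts/ServiceLogin?service=mail&passive=true/ServiceLoginAuth.php?u=victim">Download</a></p>
</body></html>
"""


def classify_url(url):
    """Return the reasons a URL looks like a lookalike Google login page."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = f"{parsed.path}?{parsed.query}".lower()
    if host in LEGIT_GOOGLE_HOSTS:
        return []
    reasons = []
    if "google" in host:
        reasons.append("brand name in a non-Google host")
    if host.endswith(DYNAMIC_DNS_SUFFIXES):
        reasons.append("dynamic-DNS host")
    if any(marker in path for marker in LOGIN_PATH_MARKERS):
        reasons.append("Google login path on a non-Google host")
    if reasons and parsed.scheme == "http":
        reasons.append("login page served over plain HTTP")
    return reasons


def sender_findings(msg):
    """Reasons the envelope and authentication headers disagree with From."""
    reasons = []
    from_dom = email.utils.parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    rp_dom = email.utils.parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    if from_dom and rp_dom and from_dom != rp_dom:
        reasons.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")
    auth = str(msg.get("Authentication-Results", ""))
    if re.search(r"\bspf=(fail|softfail|none)\b", auth, re.IGNORECASE):
        reasons.append("SPF did not pass for the envelope sender")
    return reasons


def triage(raw_message):
    """Parse one RFC 5322 message and collect the indicators described in the post."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    bodies = [p.get_content() for p in msg.walk()
              if p.get_content_type() in ("text/plain", "text/html")]
    urls = sorted({u for body in bodies for u in URL_RE.findall(body)})
    flagged = {u: classify_url(u) for u in urls if classify_url(u)}
    attachment_count = sum(1 for _ in msg.iter_attachments())
    # The lure: attachment-style "View" / "Download" links with nothing attached.
    lure = attachment_count == 0 and any(LURE_RE.search(b) for b in bodies)
    header = sender_findings(msg)
    return {
        "header": header,
        "urls": flagged,
        "attachment_count": attachment_count,
        "lure_without_attachment": lure,
        "suspicious": bool(flagged) or (lure and bool(header)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Treat the output as triage signals rather than a verdict: legitimately forwarded mail also fails SPF and shows a Return-Path that differs from From, and a link on the allow list is not proof of safety. The value of the script is that it makes the three traits the post describes visible at a glance when a reported message lands in a queue.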