Google Uncovers China-Based Password Collection Campaign
D H NG writes "Google announced that it recently uncovered a campaign to collect users' passwords. The campaign, apparently originating from China, affected what seem to be the personal Gmail accounts of hundreds of users including, among others, senior US government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists. Google said it detected and has disrupted this campaign and has notified victims and secured their accounts, as well as notified the relevant government authorities."
Hmm (Score:1)
So is this an act of war by China?
Re:Hmm (Score:4, Informative)
Who said it was the Chinese government?
Re: (Score:2)
There are no big organizations in China that don't have government approval. In many cases it's just paying officials to look the other way, but it's still with their knowledge.
So what we have here? A large scale undertaking that the Great Firewall would make harder without a permission to bypass, and one the government can use to spy on people. There's no way it's not at least closely tied with them.
Re:Hmm (Score:4, Insightful)
I think this falls under that lovely "espionage" blanket. You know the "other guys" are doing it, they know that you are doing it. But everyone pretends like it isn't going on and no-one bats an eyelid in public. However, behind closed doors, this sort of action is driving yet another wedge into the relationship - but at the same time also driving more funding into your own budgets for doing a similar thing to the "other guys" yet again.
My guess is that the fallout of this will be that there will be a project launched with some funny nondescript name that tries to get similar intel on the Chinese. They will likely get wind of it, but be unable to do anything about it as there will never be undeniable proof of the point of origin.
This sort of thing went on for decades (and still does) with the US/Russians, the middle east and just about every European country. It just (mainly) never sees the light of day. The Chinese seem to be getting caught more of late though - which can mean that either they are pretty poor at it compared to the rest (dubious) or their program is a whole heck of a lot bigger and more ambitious than the other players in the game - which I think is much much more likely.
Re: (Score:3)
There is a far more obvious version of what this means:
West is demonizing China for its population into next cold war opponent, therefore any and all negative news about China in relation to West will be published with reasonably big headlines.
Notably, it's not very different for Chinese either, same seems to be going on on their side as well.
Re: (Score:2)
either they are pretty poor at it compared to the rest (dubious) or their program is a whole heck of a lot bigger and more ambitious than the other players in the game
...or it's an intentional act of provocation.
Beijing Bob (Score:2)
"Blaming these misdeeds on China is unacceptable," Chinese foreign ministry spokesman Hong Lei told a news briefing in Beijing, according to The Telegraph.
"Hacking is an international problem and China is also a victim. The claims of so-called Chinese state support for hacking are completely fictitious and have ulterior motives."
Here is a picture [theodoresworld.net] of the spokesman.
Re: (Score:1)
Re: (Score:2, Interesting)
Wrong. It's only an act of war if liberals will stop whining over civilian casualties.
Feel free to say I'm an evil bastard or whatever. But we changed the RoE based on that above statement. And when we did, we ensured that we'd only fight wars where there was a low to no chance of the enemy having a chance of putting up a decent fight.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
"Liberals" (really "not quite evil bastards") have always resisted war on the basis of its inevitable civilian casualties. The US has avoided civilian casualties, even at the cost of missing out on really profitable wars, since the majority of Americans have resisted war's inevitable civilian casualties starting with WWI, but really after WWII: the wars in which many Americans actually saw some civilian casualties.
You, however, have never seen either war or its civilian casualties personally. Before you dem
Re: (Score:2)
Re: (Score:2)
Don't ever assume anything. You'll only make an ass out of yourself.
Re: (Score:2)
Are you telling me that you've been in a war, directly and personally?
Re: (Score:2)
Wrong. It's only an act of war if liberals will stop whining over civilian casualties.
Somehow you manage to make liberal sound like an insult with your "Yehaw, let's high five each other and blow shit up because explosions are fucking cool and screw the collateral casualties" attitude. Your attitude only further perpetuates this somewhat unfair perception of the typical American. Maybe it bothers me more than it should because a girl from my school, Linda Norgrove was killed by Navy Seals who were apparently attempting to rescue her with grenades (they later lied and claimed it was a suici
Re: (Score:2)
So... (Score:1)
...air strikes?
Re: (Score:2)
Re: (Score:2)
Attacking China would destroy our economy.
Re: (Score:1)
Attacking China would destroy our economy.
I'd be impressed if it could get much worse than it already is.
excellent PR by Google (Score:3, Insightful)
Re: (Score:2)
Well, if it is a phishing scheme like google believes, it's not quite the same thing as a data breach like we typically use the term.
Sort of like the difference between me being tricked into giving away my ATM PIN and a hacker breaking into the bank system and taking money from my account.
Re: (Score:2)
Review the security features offered by the Chrome browser. If you don't already use Chrome, consider switching your browser to Chrome.
Nice try Google, nice try! But, I'll keep my Firefox :P
Re: (Score:2)
it isn't a data breach
Correct, it wasn't, at least not from Google. It relied on fooling users into logging in to counterfeit sites. So if you're implying Google failed to protect users' data, that's not the case. If people give up their passwords, it's their own fault.
Re: (Score:3)
I think what you mean is if users give up their passwords to a site that cannot have its identity verified, it's their own fault. Giving up your password to Google is practically a requirement for using their Gmail service. Until we have better browser user-interfaces for authenticating sites, it will be very hard to prevent phishing attacks that look authentic. Getting rid of the address bar is probably not one of those improvements.
Re: (Score:2)
Giving up your password
I really hope you don't use only 1 password.
Re: (Score:2)
I was not aware that Gmail allowed multiple passwords. I suppose I should have been more clear and said "Giving up your Gmail password to Google is practically a requirement for using their Gmail service."
Re:excellent PR by Google (Score:4, Informative)
Re: (Score:2)
Yes, well, Google should have installed antivirus on the several hundred million home PCs you seem to think they're responsible for.
Re: (Score:2)
Re: (Score:2)
True, but it does highlight the danger of the government and enterprises moving their email service to Google and the 'cloud'. My company requires me to use an RSA token to log in to corporate mail or VPN, so simple phishing won't be successful. I'm aware of the recent RSA hack but in some ways, that's the point of two-factor authentication: you can completely compromise one factor but still have time to fix things before the other factor fails.
Re: (Score:2)
Two-factor authentication disables replay attacks (after, typically, several minutes). It doesn't disable MitM attacks.
Re: (Score:1)
Re: (Score:2)
it isn't a data breach
It may very well be a data breach for companies with employees that fell victim to the password-stealing campaign.
Not that Google is to blame here, but stating that "this isn't a data breach" is a big statement to make.
Re: (Score:1)
Phishing is not a 'data breach'.
Mmm, yes, because EVERYONE collects passwords
like beanie babies right?
Oh wait...
-AI
Re: (Score:2)
Well it fucking happened to me and it sure feels like a data breach. This happened just the other day and they used my contacts folder to send spam (ONE PIECE) to everyone in my address book. This means they had access to every piece of data saved in my account. If that isn't a data breach, what is?
Re: (Score:2)
Erm, if they have your password, they have everything about you. That's not a data breach though. A data breach would be if Google lost a copy of their Gmail account DB, etc. Not just someone phishing for account passwords.
Re: (Score:2)
Re: (Score:2)
I like to think I'm an experienced user (I'm 48 and used to be an admin), and I still don't know when or how it happened. Not a good feeling.
Re: (Score:1)
Google only does that because they're completely forced to, and they've historically been very vocal in their resistance. They're NOT happy about it.
Re: (Score:2)
Happened to My Wife (Score:5, Interesting)
My wife's Gmail account got caught up in this! Last weekend I received some spam from _her_ gmail account. We immediately logged in and Google said that it had detected suspicious behavior and made her reset her password. It then showed us the connection log... and everything looked normal except one particular connection: FROM CHINA!
We were pissed.... but it doesn't appear that anything else was compromised (she didn't have anything sensitive in her Gmail account luckily).
Things really seem to be escalating on the 'net lately... from PS Network to Lockheed and now to Gmail. I really have to wonder if China is _actively_ participating at this point...
Desperate people do desperate things (Score:4, Informative)
Re: (Score:2)
I think there's a big difference in between saying "A guy is going to come on a cloud on a specific date and the faithful shall float off into the sky." and "The economy and world stability are in bad shape and some bad things are likely to happen in the near future.".
Re: (Score:2)
Right. And The World Is Going To End On May 21, 2011. Oh wait, that passed. And nothing happened.
If I had mod points, I'd go with off-topic or troll, but since I don't I'll say this:
People who ignore the graveness of the world economy, and especially the USA's, should read up on it. You may think it does not affect you. It will. This isn't a religion or cult, it is mathematics.
Re: (Score:2, Insightful)
I kind of wonder how China's great firewall plays into plausible deniability for these things.
For example if China blocks civilian access to x service, and we see hacking attempts to x service originating from China, shouldn't there be a pretty good explanation?
Re: (Score:3)
Keep in mind that China is a country with 4x the population of the US, and has at least the same percentage of corrupt politicians with ties into organized crime who can get the police, firewall-maintainers, and everyone else to look the other way when necessary.
Are there lots of attacks coming from China? Absolutely. Do they flourish there because the government is unwilling or unable to meaningfully fight them? Sure. Does China have its own government espionage agency with more or less the same goals as th
Re: (Score:2)
Have you guys not tried the 2 factor authentication yet?
http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html [blogspot.com]
I was afraid that my girl might find it difficult to use or overly technical, but once I explained how it worked and supported her through the setup of it, it's been working brilliantly.
Basically any new machine that you connect to Gmail from requires not just your password (something you know) but also the code generated from the supplied app (on our Android phones - somethi
Re: (Score:2)
Re: (Score:1)
if only it would happen - i hate the hurry up and wait game.
Hypocrites (Score:1, Redundant)
Re: (Score:1)
The real reason Google is upset about this is because China isn't paying them to get the information like everyone else. Google is pissed that China is cutting out the middle man.
[Citation Needed]
Re: (Score:2)
Re: (Score:1)
You might think it's stupid for a big company to take a principled stand like that, and generally it is, but that decision lined up with Google's future potential in Europe/America: Google is nearly unique (meaning doomed to fail) in the tech world in that it relies almost entirely on the amount of trust users place with Google. Other corporations can survive overwhelming bad publicity; Google can't, and it hasn't had to.
Gmail passwords collected so far.. (Score:5, Funny)
passw0rd
123456
hunter2
Re: (Score:1)
How did you see my password? I thought it only came up as ***s?
Oh, I get it, to you it shows up as ***s but to me it shows up as hunter2
Re: (Score:2)
Re: (Score:2)
hunter2
FYI, for the few who didn't get the reference. [bash.org]
Re: (Score:2)
hunter2
Shit. Time to change my passwords.
Re: (Score:1)
Hilarious.
FYI, hunter2 reference: http://bash.org/?244321 [bash.org]
Wait a second, sport... you have bookmarks to bash.org?
hooray for report phishing (Score:2)
If only it didn't take so many clicks more people would do it.
Maybe it's time anonymous... (Score:1)
I'm just sayin, maybe turn the LOIC on China for a bit?
I think Sony may have learned at least a partial lesson now.
-AI
Re: (Score:1)
Not your personal army...
Never claimed it was... but instead of JUST being
outraged that a corporation is going after 1 individual.
Or narrow-minded churches, et al.
I'm saying that placing some anger on an entire country
trying to hack our citizens seems like a good outlet
for their 'creative energy'.
-AI
Re: (Score:1)
I'm saying that placing some anger on an entire country trying to hack our citizens seems like a good outlet for their 'creative energy'.
Anonymous doesn't have citizens.
as well as notified... (Score:1)
"as well as notified the relevant government authorities.""
"Yeah, we know.... Uh.. I mean really? Collecting passwords, you say?"
credit cards have a feature (Score:3)
where they won't let you use your credit card account abroad unless you phone ahead and tell them you will be abroad and it's ok if they start getting charges from bangkok or antigua
maybe it's time for email providers to do the same: "no logging into my account from foreign ip blocks unless i tell you it's ok"
and the default for this protection should be "on". your average user won't take the time to hunt for this menu item and enable it
Re: (Score:2)
However, if this is state-sponsored, the PRC may be reluctant to allow use of those tools lest they become widespread enough to allow massive evasion of the Great Firewall...
I think eventually some combination of biometrics (hello Big Brother!),
mod parent up (Score:2)
i hate facebook, but i'll be the first to agree with you that facebook deserves praise and admiration for initiating this genius account policy. good job facebook
Social engineering attack? (Score:2)
Have any details been released? This sounds curiously like an e-mail-based phishing campaign, if the passwords weren't obtained from Gmail's own systems and they weren't exploiting a software vulnerability.
How do they know it's from China? (Score:2)
Steps to nuclear pwnage (Score:2)
2. Release details on a not-so-friendly foreign nation's shady online behavior.
3. Boom???
4. Profit!!
This happened to me (Score:2)
Re: (Score:2)
This happened to me but it was about a year ago. I went to check my gmail and it said it had recently been accessed from China. I immediately reset my password on every account that I had everywhere.
I had heard that gmail started notifying people if the account was accessed from china, so I was interested to see what would happen when I went to china for a conference a few weeks ago.
Nothing.
There were no notifications or anything when I got back. I changed my passwords anyway because access to gmail from within china was suspiciously intermittent (monitoring?) while other non-blocked sites were normal.
Re: (Score:2)
Even if they added such notifications, it is so trivial for the bad guys to connect from IPs from any country they want. As a private person, there are many proxies you can use -- and if you have a botnet, you have millions of those on your own. And for a good portion of these attacks, even just a single proxy would be enough.
Re: (Score:2)
I have no idea how they figured out my password,
They probably tricked Google into sending the password to them through the password reset process. They might've also hacked google people first and those people might have access to internal data. The lesson is, if you host your data on someone else's site, password strength is just one small factor in securing your data.
Re: (Score:2)
They need advice, not security: Don't use webmail! (Score:2)
These people need professional advice, or common sense: Don't store highly valuable (i.e., dangerous to people's lives), confidential information on a free public webmail service!
Really, how hard is that to figure out? How many very well-publicized successful attacks has Google experienced, and they still haven't figured it out?
Re: (Score:2)
These people need professional advice, or common sense: Don't store highly valuable (i.e., dangerous to people's lives), confidential information on a free public webmail service!
What evidence is there that the victims stored such information on public servers? A personal account with no work mails could still give enough info to compromise accounts elsewhere.
Re: (Score:2)
I mean, don't use any webmail at all. Use your own local mail server.
Re: (Score:2)
So, uh, I trust my security to... myself? Instead of someone whose job it is to keep on top of shit like this? Even my work offers webmail with their email addresses.
I think that is a valid issue (though I'm not sure what your workplace has to do with it, unless you work with top secret data). But I think it's overridden by the fact that Google and GMail are huge targets for attackers; that their service, by design, makes the confidential data accessible from any computer in the world via a web browser; that thousands of Google employees and contractors (I'm guessing at the number) have access to the data and/or physical access to the servers; and that you are putting l
Two factor authentication (Score:1)
Re: (Score:2)
I would if it didn't involve a cell-phone. My cell phone battery dies far too frequently to rely on it. Honestly, if Google let me buy one of the key-fob authenticators like Blizzard sells I'd attach one of those, as the battery lasts plenty long enough.
Re: (Score:2)
It lets you print off backup verification codes in case you lose your phone or the battery dies which you can put in your wallet, safety deposit box, or caved in mine shaft. Also, you can authorize a computer/ip for up to 30 days. So, as long as your phone is good at least once every 30 days, you'll be fine.
Why Gmail (Score:1)
Re: (Score:1)
Really? (Score:2)
Is anyone really surprised by this? I don't mean to cast aspersions on everyone in China but dammit if they don't have a huge right wing group of people who are hell bent on enforcing totalitarianism on not only themselves but the world at large.
And the kicker is that we have had our own group of people who viewed 1984 as a manual rather than a cautionary tale working since the 60's.
I'm sorry but for everyone that views the right wing slide as OK you are so wrong. So very wrong.
2-Factor Auth probably would have stopped this (Score:2)
After harvesting your password, they would then try to change your forwarding and delegation settings. Since this would be done from their machine, they'd face a 2-factor challenge prompt from gmail which they could not meet, unless they had also stolen your phone.
2 Step Authentication (Score:4, Informative)
I use Lastpass (which got hacked recently, but my LastPass crypto password was pretty secure). I also use the Google 2 Step Authentication. Once Facebook implements this as well, I will switch immediately. I log in to most sites with either Google or Facebook. I prefer Google, because it's usually just confirming the email, whereas apps that log in to Facebook want access to data, my wall, my friends, etc. That's as stupid, imo, as an app or site asking, "Login with Google, and give us permission to read your email and send email as you."
What many people don't know is that Google has some privacy features built in if you know where to look. At the bottom of the page it says something like:
Last account activity: 4 minutes ago at this IP (127.0.0.1). Details
Click Details and you'll see:
This account does not seem to be open in any other location. However, there may be sessions that have not been signed out.
Browser * United States (NY) (127.0.0.1) 5:45 am (0 minutes ago)
Browser United States (NY) (127.0.0.1) 5:39 am (5 minutes ago)
Mobile United States (NY) (127.0.0.1) 4:03 am (1.5 hours ago)
Mobile United States (CA) (127.0.0.2) 6:19 pm (11 hours ago)
Browser United States (NY) (127.0.0.1) Jun 1 (18 hours ago)
Mobile United States (NY) (127.0.0.3) Jun 1 (20 hours ago)
Now, unless you were in CA recently (or have a proxy), this shows that someone hacked your account 11 hours ago from California.
Click the "Sign out all other sessions" button, then go change your password ASAP and enable 2 Step Authentication if you haven't already.
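The manual check described in the comment above can be automated over a pasted copy of the activity listing. This is an added example, not part of the original post and not Google's code; the field layout is assumed from the six sample lines shown, and `parse_activity`, `flag_unexpected` and the allow-list are hypothetical names.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the six lines quoted in the comment above.
SAMPLE_ACTIVITY = """\
Browser * United States (NY) (127.0.0.1) 5:45 am (0 minutes ago)
Browser United States (NY) (127.0.0.1) 5:39 am (5 minutes ago)
Mobile United States (NY) (127.0.0.1) 4:03 am (1.5 hours ago)
Mobile United States (CA) (127.0.0.2) 6:19 pm (11 hours ago)
Browser United States (NY) (127.0.0.1) Jun 1 (18 hours ago)
Mobile United States (NY) (127.0.0.3) Jun 1 (20 hours ago)
"""

# Assumed layout: <access type> [*] <country> [(<region>)] (<ip>) <time> (<age>)
# The "*" marks the session the listing is being viewed from.
LINE_RE = re.compile(
    r"^(?P<kind>\S+)\s+"
    r"(?P<current>\*\s+)?"
    r"(?P<country>.+?)\s+"
    r"(?:\((?P<region>[^()]+)\)\s+)?"   # region is optional
    r"\((?P<ip>[0-9A-Fa-f.:]+)\)\s+"
    r"(?P<when>.+?)\s+"
    r"\((?P<age>[^()]+)\)$"
)

@dataclass(frozen=True)
class Session:
    kind: str
    current: bool
    country: str
    region: Optional[str]
    ip: str
    when: str
    age: str

    @property
    def location(self):
        return (self.country, self.region)

def parse_activity(text):
    """Return (sessions, rejects). Unparseable lines are kept for review,
    never silently dropped, so a format change cannot hide a session."""
    sessions, rejects = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            rejects.append(line)
            continue
        sessions.append(Session(
            kind=m["kind"], current=m["current"] is not None,
            country=m["country"], region=m["region"], ip=m["ip"],
            when=m["when"], age=m["age"],
        ))
    return sessions, rejects

def flag_unexpected(sessions, allowed=frozenset()):
    """Sessions whose (country, region) is neither the current session's
    nor allow-listed. With no current session and no allow-list, every
    session is flagged (fail closed)."""
    trusted = set(allowed)
    trusted.update(s.location for s in sessions if s.current)
    return [s for s in sessions if s.location not in trusted]

if __name__ == "__main__":
    parsed, bad = parse_activity(SAMPLE_ACTIVITY)
    for s in flag_unexpected(parsed):
        print(f"unexpected: {s.kind} from {s.country} ({s.region}) {s.ip}, {s.age}")
    for line in bad:
        print(f"could not parse, review by hand: {line}")
```

As another comment in this thread points out, an attacker can connect through a proxy in any country, so an empty result does not show that the account is clean.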
Weiner (Score:2)
Re:...Wh.. (Score:4, Informative)
where the hell have you been?
"In its first formal cyber strategy, the Pentagon has concluded that computer sabotage by another country could constitute an act of war"
http://www.msnbc.msn.com/id/43224451/ns/us_news-security/t/sources-us-decides-cyber-attack-can-be-act-war/ [msn.com]
Re: (Score:2)
The question is (1) at what point the origin of a cyber-attack presents presumptive evidence of state action that must be rebutted, (2) whether the absence of a showing that the state was not involved means that the US should be launching reprisal cyber-attacks against China. Also, (3) whether it does so already and we just don't hear about it.
At this point, there is a pattern of cyber-attacks on the US originating in China. If China does not hunt down the perpetrators, it should be considered complicit a
Re: (Score:2)
Now, if China were to launch a large-scale cyberattack, we'd know it was them, because they would simultaneously launch all kinds of other military attacks. If it's big enough to cause major problems, it's big enough to leave a trail, and e
Re: (Score:2)
Russia learned in the early 1950s that its mil radio communication was under constant threat. They changed to one time pads and hardened their communications networks.
China did not leak much signal info during the cold war and if they were wise would not have much on any open networks now.
Why the US would have any info on open networks beyond honeytraps/boondoggle efforts is very strange/sloppy/dumb.
Re: (Score:2)
The article says "The officials emphasize, however, that not every attack would lead to retaliation. Such a cyber attack would have to be so serious it would threaten American lives, commerce, infrastructure or worse, and there would have to be indisputable evidence leading to the nation state involved, NBC Pentagon correspondent Jim Miklaszewski said."
What that means in English is something like: If a hostile organization brought down the electric grid, or caused a meltdown in a nuclear plant, or caused a
Re: (Score:2)
Re: (Score:1)
Well I think China quite likes the idea of a communist country with a huge army as a buffer between them and the US-allied south.
But they are well-advised to not support them officially, since they don't want to get drawn in into a war with America currently as it supplies them with consumers for their products. Also in case they do supply North Korea with Intel they better do so under the condition that they not start a nuclear war since atomic mushrooms in your neighboring countries are never a good thing
Re: (Score:2)
There cannot be a WW3 yet, because WW2 has not really finished- just diffused here and there. Like so, more or less [wikipedia.org].
Let's hope it is going to be over soon, though I hardly think so- unless a world war is defined as a war between superpowers.
Re: (Score:2)