Photo: Mario Anzuoni / Reuters |
That, and while the targeted attacks—technically dubbed "spear phishing" attempts—were carried out independently, the methods were eerily similar to those employed against Google, says security vendor Trend Micro.
"Phishing" is a method for acquiring sensitive information illicitly by tricking random users into providing sensitive information by masquerading as a service they trust. "Spear phishing" is basically the same thing without the random part.
Google warned users earlier this week it had been the victim of a spear phishing attempt, and that "the personal Gmail accounts of hundreds of users" may have been compromised. The company said it had traced the attacks to China (China denied involvement) and that the perpetrators absconded with the login details of hundreds of senior U.S. and Asian government officials, military personnel, journalists and Chinese political activists.
Addressing the attack methodology, Trend Micro speculates the objective of the attacks was "to gain access to the target's Webmail accounts in order to monitor his/her communications and, possibly, to stage future attacks." What's more, Google's revelations weren't exactly new. TM says such attacks were actually first revealed by blog contagio last February.
And then we're on to Microsoft's Hotmail, where TM says its researchers in Taiwan exposed a phishing scam on May 13th. The attack methodology? Similar to the Gmail scam, where the attacks were propagated through Facebook. But in Hotmail's case, the issue was deadlier: Simply previewing the spear phishing email—designed to resemble an official security dispatch from Facebook—was enough to expose a user's Hotmail account.
In Yahoo! Mail's case, hackers attempted to pilfer cookies from users to pry open email accounts. TM says the attempt "appeared to fail," but points to prior attacks against Yahoo! Mail users as evidence hackers are employing multiple methods to accomplish similar goals.
It's getting increasingly touch-and-go out there, in other words, so if you're not following a "best practices" security strategy, now's the time to think about implementing one.
Source: techland.time.com