An independent security researcher who was among the first to investigate a large-scale phishing attack aimed at U.S. government and military personnel says that attackers controlled victim accounts for months and repeatedly phished victims during that time.
Mila Parkour, a Washington, D.C.-based independent researcher, says that victims of the account takeovers were repeatedly phished over almost a year by attackers believed to be located in China. Parkour said in an instant message conversation with Threatpost on Thursday that the group or individuals responsible for the attack controlled those accounts for more than a year and repeatedly targeted both the legitimate account owner and his or her associates during that time.
Victims of the attack included government and military personnel in the U.S. and Asian nations, as well as human rights activists and journalists in China and elsewhere, Google said on Wednesday.
Parkour is an IT administrator who lives in Washington, D.C. She does malware research in her free time. Her blog, Contagiodump, was credited by Google with bringing the spear phishing e-mails to light. Parkour told Threatpost that she “collects samples from victims and other researchers” and then posts them on the blog for sharing and analysis. She posted about the spear phishing e-mails in February not because they were unusual, but because of the sensitive nature of who they targeted.
According to Parkour, the attackers used spoofed e-mail addresses and information harvested from the victims’ accounts to engage in “mini conversations” with their victims.
“They used personal knowledge for some phishes…they were very persistent and invasive,” she said. The attackers tailored the spoofed sender address to each recipient based on knowledge gleaned from the compromised accounts.
Among other things, the attackers continued to try to harvest other online credentials from victims – user names and passwords – using the same technique they had already used, successfully, to gain access to, and control over, the users’ Gmail accounts.
“They would send a new message with the same type (of) password harvesting technique. Sometimes even the same message sometimes (a) new (message),” said Parkour.
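The pattern Parkour describes, a sender address spoofed to look like a known contact and a follow-up that keeps the conversation going, leaves traces in the message headers that a recipient or mail gateway can check mechanically. The script below is an added illustration, not code from the article or from Parkour's blog: it parses a raw message with Python's standard email module and reports header-level indicators of sender spoofing (a familiar display name over an unfamiliar address, a Reply-To or Return-Path on a different domain than the visible From, and an SPF failure recorded by the receiving server). The address book, domain names and the two sample messages are constructed for the example, and the checks are generic header heuristics, not the specific indicators from the 2011 campaign.

```python
"""Flag e-mail headers that look like a spoofed or impersonated sender.

Added illustration, not from the article. The contact list, domain names
and sample messages below are constructed for the example.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: display name -> address the recipient actually knows.
KNOWN_CONTACTS = {
    "Jane Doe": "jane.doe@example.gov",
}


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoof_indicators(raw: str, contacts=KNOWN_CONTACTS) -> list:
    """Return human-readable reasons the sender of `raw` looks spoofed.

    An empty list means none of the header checks fired; it does not
    prove the message is legitimate.
    """
    msg = message_from_string(raw)
    reasons = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. Display-name impersonation: the name is one the recipient knows,
    #    but the address behind it is not the one on file.
    known = contacts.get(from_name)
    if known and known.lower() != from_addr.lower():
        reasons.append(
            f"display name {from_name!r} but address {from_addr} (expected {known})"
        )

    # 2. Reply-To diverts replies to a different domain than the From
    #    header, which is how an attacker keeps a 'mini conversation' going
    #    without ever receiving mail at the spoofed address.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        reasons.append(
            f"Reply-To domain {_domain(reply_addr)} != From domain {from_dom}"
        )

    # 3. Envelope sender (Return-Path) on a different domain than the
    #    visible From header.
    _, ret_addr = parseaddr(msg.get("Return-Path", ""))
    if ret_addr and _domain(ret_addr) != from_dom:
        reasons.append(
            f"Return-Path domain {_domain(ret_addr)} != From domain {from_dom}"
        )

    # 4. SPF verdict recorded by the receiving MTA, if the header is present.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "spf=softfail" in auth:
        reasons.append("SPF failed for the envelope sender")

    return reasons


# Constructed sample: a known name over a look-alike domain, with replies and
# bounces routed elsewhere.
SPOOFED = """From: Jane Doe <jane.doe@example-mail.test>
To: victim@example.gov
Reply-To: jane.doe.docs@webmail.test
Return-Path: <bounce@bulk-sender.test>
Authentication-Results: mx.example.gov; spf=fail smtp.mailfrom=bulk-sender.test
Subject: Re: draft for review

Hi, per our conversation, the updated draft is in the shared folder.
"""

# Constructed sample: the same contact, sent from the address on file.
LEGIT = """From: Jane Doe <jane.doe@example.gov>
To: victim@example.gov
Return-Path: <jane.doe@example.gov>
Authentication-Results: mx.example.gov; spf=pass smtp.mailfrom=example.gov
Subject: Re: draft for review

Hi, the draft is attached.
"""


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        hits = spoof_indicators(sample)
        print(f"{label}: {len(hits)} indicator(s)")
        for h in hits:
            print("  -", h)
```

The checks are deliberately conservative: each one compares fields the message itself carries, so a message with no Reply-To, no Return-Path and no Authentication-Results header is judged only on the address-book comparison. A mail gateway would normally combine these with DKIM/DMARC results and a reputation check on the sending host, which the page does not discuss and this example does not attempt.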
Google said in a blog post on Wednesday that it had disrupted the campaign, which it traced to Jinan, China. The campaign, which affected hundreds of Gmail users, used malware and phishing attacks to harvest login credentials, and it appears to have been designed to monitor the content of users’ e-mail correspondence.
Parkour said she felt that Google did a good job of unraveling the scheme and finding other victims of it. “It looks like they exhausted all the leads and found out as much as they could to address it before going public,” she said.