Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Google: no evidence of a Gmail vulnerability

By Dancho Danchev | November 26, 2008, 7:19am PST

Following the speculation about the resurrection of what was thought to be an already fixed Gmail flaw which could assist in domain name hijackings, yesterday Google commented that its investigation indicated that the recent domain hijacks should be attributed to a phishing campaign, rather than to a Gmail flaw. The phishers were silently adding filter rules to the compromised Gmail accounts, then resetting the passwords, so that the account data for a particular service or domain would be quietly forwarded to the attackers' mailboxes.

“With help from affected users, we determined that the cause was a phishing scheme, a common method used by malicious actors to trick people into sharing their sensitive information. Attackers sent customized e-mails encouraging web domain owners to visit fraudulent websites such as “google-hosts.com” that they set up purely to harvest usernames and passwords. These fake sites had no affiliation with Google, and the ones we’ve seen are now offline. Once attackers gained the user credentials, they were free to modify the affected accounts as they desired. In this case, the attacker set up mail filters specifically designed to forward messages from web domain providers.”
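As an added defensive example (not from the article and not Google's code), the following Python checker reads a Gmail filter export and flags filters that forward mail off the account, the technique the article describes. The Atom/apps:property layout of the embedded sample is assumed to match Gmail's filter export; the sample and every address in it are constructed.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed sample shaped like a Gmail "Export filters" file (assumption:
# an Atom feed of apps:property elements matches Gmail's export format).
# The second entry is the pattern from the article: forward mail from a
# domain provider to an outside mailbox and hide it from the owner.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
<entry><category term='filter'/>
<apps:property name='from' value='newsletter@example.net'/>
<apps:property name='label' value='Newsletters'/>
<apps:property name='shouldArchive' value='true'/>
</entry>
<entry><category term='filter'/>
<apps:property name='from' value='support@registrar.example'/>
<apps:property name='forwardTo' value='dropbox@attacker.example'/>
<apps:property name='shouldTrash' value='true'/>
</entry>
</feed>"""
HIDING = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")
MATCH_KEYS = ("from", "to", "subject", "hasTheWord")

def parse_filters(xml_text):
    """Return one {property name: value} dict per filter entry."""
    root = ET.fromstring(xml_text)
    return [{p.get("name"): p.get("value") for p in e.iter(APPS + "property")}
            for e in root.iter(ATOM + "entry")]

def suspicious_filters(filters, own_domains):
    """Flag every filter that forwards mail; add reasons when the destination
    is outside the owner's domains or the filter also hides the message."""
    findings = []
    for f in filters:
        fwd = f.get("forwardTo")
        if not fwd:
            continue  # no forwarding: not the pattern we are looking for
        reasons = ["forwards mail to " + fwd]
        if fwd.rsplit("@", 1)[-1].lower() not in own_domains:
            reasons.append("destination is outside owner's domains")
        hiding = [k for k in HIDING if f.get(k) == "true"]
        if hiding:
            reasons.append("hides forwarded mail: " + ", ".join(hiding))
        match = {k: v for k, v in f.items() if k in MATCH_KEYS}
        findings.append({"match": match, "reasons": reasons})
    return findings
```

Run `suspicious_filters(parse_filters(SAMPLE_EXPORT), {"example.com"})` to see the registrar-forwarding filter reported with all three reasons.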

Phishing campaigns impersonating Google are in fact becoming so prevalent that an entire market segment within the underground economy is starting to emerge, one that primarily trades in stolen AdSense accounts. Access to these accounts is obtained either by data-mining hosts that are already infected with malware and part of a botnet, or through plain phishing campaigns that take advantage of typosquatting in order to visually social-engineer the end user. Consider the following examples:

adwords.google.com.index.main.update .qwertycn.cn
adsense.google.com.server.main.update .dirty-boy.cn
edit.google.com.main.update .the-format.cn
google.com.urchin.js .7traff.cn
google.com.urchin.js .axa1.cn
adwords.google-secutiyserv .com
google.com.br.updatesoftware.index.d81f0f02cd6a877358cde8fbdbad89a5 .qwertycn.cn
google.com.updatesoftware.index.d81f0f02cd6a877358cde8fbdbad89a5 .rootit2.info
adwords.google.com.session-69680268279998252722.92444537268559875865 .com68.ru
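The hostnames above share two tricks: the real domain `google.com` appears as a run of labels inside a host registered under an unrelated `.cn`, `.ru` or `.info` domain, or the word "google" is reused inside a look-alike second-level label. The following Python checker, an added example rather than anything from the article, flags both patterns; it uses a deliberate simplification (the last two labels as the registrable domain) that real code should replace with the Public Suffix List, and the two benign hosts in its sample are constructed.

```python
# Defanged hostnames quoted in the article (with the defanging space removed)
# plus two constructed benign hosts; this checker is an added example.
SAMPLE_HOSTS = [
    "adwords.google.com.index.main.update.qwertycn.cn",
    "adsense.google.com.server.main.update.dirty-boy.cn",
    "adwords.google-secutiyserv.com",
    "google.com.urchin.js.7traff.cn",
    "mail.google.com",   # constructed, legitimate
    "www.example.org",   # constructed, unrelated
]

def registrable_domain(host):
    """Simplification: treat the last two labels as the registrable domain.
    Production code should use the Public Suffix List (co.uk, com.br, ...)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def classify(host, brand="google.com"):
    """Return None when `host` is really under `brand`, else a reason string."""
    labels = host.lower().strip(".").split(".")
    brand_labels = brand.split(".")
    reg = registrable_domain(host)
    if reg == brand:
        return None
    # 1) the whole brand domain appears as a run of labels, but the host is
    #    registered somewhere else (google.com.<...>.qwertycn.cn)
    n = len(brand_labels)
    for i in range(len(labels) - n + 1):
        if labels[i:i + n] == brand_labels:
            return f"'{brand}' embedded in a subdomain of {reg}"
    # 2) the brand name is reused inside a look-alike second-level label
    #    (google-secutiyserv.com)
    sld = reg.split(".")[0]
    if brand_labels[0] in sld:
        return f"look-alike label '{sld}' contains '{brand_labels[0]}'"
    return None

def scan(hosts, brand="google.com"):
    """Map each suspicious host to the reason it was flagged."""
    return {h: r for h in hosts if (r := classify(h, brand)) is not None}
```

`scan(SAMPLE_HOSTS)` flags the four article hostnames and leaves the two constructed benign hosts out.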

Two weeks ago, Google quietly fixed a critical XSS vulnerability affecting its accounts login page, which at the time provided a fully realistic opportunity for malicious attackers to turn into “cookie monsters” and hijack users' sessions on a large scale.


Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Comments
Gmail problems ignored by google!
Quirkly, 27th Nov 2008
Apparently my gmail page was hacked and infected by the clickjacking worm/trojan/bot. After months (April? August to date) struggling with an undetectable (by AV/computer pros) clickjacking problem, I infected a new laptop computer by clicking on the link to my Sophos AV download on my gmail page. No mail downloaded, no other link clicked, used different network, was running McAfee that came with the computer.
No, I had not updated Windows as yet.

Because of the months of problems, I was hoping to get Sophos installed before I did anything else. I have obtained NO HELP or acknowledgment from Gmail. Another user wrote that he had been infected by the PER_SALITY.JER virus, tracked back to his Gmail. Minor attention was given to my report of the associated Google Desktop problems (uninstalled GDT ASAP, greyed-out GDT swirl near cursor recurred suspiciously, related to attempts to scan with online AV, etc.). I am still infected with the clickjacker. However, Gmail is now forwarded to a paid address site with no new infections acquired from reading email.
I also used Google Documents and infected a different computer from that site.

Gmail ignores issues, fails to respond to information provided by users or requests for help. Google was excellent; now I am concerned about the entire concept, and their inability to maintain the necessary security.

dude...
bladeoz, 27th Nov 2008
Gmail is in Beta and free... I mean, come on, give them a break, they're a warm and loving company after all who have only the user's interests truly at heart.

Sorry to hear you got screwed around.