Report: Cyberattackers hit Google staff via friends


People behind the China-based online attacks of Google and other companies looked up key employees on social networks and contacted them pretending to be their friends to get the workers to click on links leading to malware, according to a published report on Monday.

"The most significant discovery is that the attackers had selected employees at the companies with access to proprietary data, then learned who their friends were," the Financial Times reported. "The hackers compromised the social network accounts of those friends, hoping to enhance the probability that their final targets would click on the links they sent."

The attackers used a popular instant-messaging program to distribute the malware link to target employees, George Kurtz, chief technology officer at security firm McAfee, told the Financial Times. The malware exploited a hole in Internet Explorer that Microsoft patched just last week.

For more on this story, read "Report: Attackers sent Google workers IMs from 'friends'" on CNET News.

  • It looks like the Village Idiots over at Google

    have a lot to explain about.

    Imagine trusting our data to their network, managed by Village Idiots that are going to use that same network to "hang out with their friends", and load backdoors into the system.

    It's time Google took the security of people's data seriously.
    John Zern
    • Village Idiots

      They cannot take security seriously, otherwise they would have to stop tracking everybody that uses Google, which includes Google Search. Impossible!
    • If I understand you correctly...

      you are saying that if you use Google services, it is like standing on the corner with your pants down, waiting for someone to kick you where it hurts.
      Loverock Davidson
      • Hey, that's good. I forgot about that one! (nt)

        John Zern
      • Well, let us just hope that Google is smart enough to get rid of all

        Windows and IE installations after this, as any
        company that cares about security should.

        But, YES, Google has no place to hide here, they
        should have known that the minute they allowed
        Windows and IE in the building, they had their
        pants down.
        • HAHA! You're stewing now!

          DB, don't you realize what has happened?

          You have become the joke!
          John Zern
    • Yes, ANYBODY would look like the village idiot using Microsoft software

      anywhere where security is important in any way.
      This makes Google look very bad. You can bet that
      they will make sure that nobody is using Windows
      or IE inside of Google for anything other than
      compatibility testing.

      Also, you can bet that they will be giving courses
      on social engineering attacks, and how to avoid
      being duped.
  • Not just Google.

    But every cloud provider of any size will eventually if not already fall to attacks such as this. If you put your data in the cloud you are trusting people you don't know with the future of your organization. If your data is in the cloud, chances are it has already been compromised. And it is up for sale. Your future is up for sale.

    Networks the size of Google cannot be managed securely because too many people have access. This won't be the last time this happens. As a matter of fact it is unlikely that Google has actually contained the full extent of the breach. Attacks such as this most likely require shutting down major parts if not all of the network to totally eradicate the trojans hiding in the lurch. You can bet data is still being leaked.
    • I agree.

      All it takes is one person with some type of access to make a tiny mistake, and next thing you know it: back door!

      Even with all the checks and balances, I'd really, really be surprised if some organization figured out everything in terms of security.
      John Zern
  • Social Networking just makes Social Engineering Easier

    In most of the environments I've worked in in the last 30 years, it isn't the network, the servers, the services or anything else that has led to more intrusions and data compromise than undereducated or uncaring USERS!
    From the time back in the 1980s when a coworker (fellow nerd) landed a beautiful girlfriend, who just so happened to be East German, to being a contractor and sitting at a user's desk and asking questions about all the 20 pictures of their favorite dog, to the simple phone call where you say, "Hello, this is Bob from the IT department, we seem to be having some issues ensuring you have access to all of your resources......we need you to log in and tell us exactly what you're typing so we can track the process...."

    All of these have and will continue to work.

    Most folks know not to open attachments from people you don't know, but when the hacker mines the social networks it becomes even more difficult for a user to tell friend from foe.

    A word of caution to all you networkers out there:
    DON'T network using your corporate accounts and don't check your personal mail at work.

    A word of caution to the companies out there:
    DON'T PERMIT external mail checks from internal systems. This includes webmail.

    There are necessary variances to these rules, but even then you can mitigate them by not opening any unexpected attachments from any of your networked "friends" until you've asked them if they in fact actually sent them.

    For some of my more critical clientele where I've had to bend the rules, I've requested that they change a key phrase in the body of the message only when they are certifying an attachment; such as:
    Change "Best regards," to "Best regards, and wishes," to signal a valid inclusion.
  • Just the incentive needed to create a secure OS

    Why isn't security at the top of the list when making an OS? We've had viruses for nearly a quarter of a century now. Certainly someone can make a rock-solid OS that forces all programs below it to go through it for verification before accessing I/O ports.

    Or is there no money in it?
    • Incentive to break.

      '...OS that forces all programs below it to go through it...'

      What do you suppose Windows, or OSX or Linux etc is? Supposedly the OS has control and executes program instructions by feeding them to the processor piecemeal. It's a program itself and its job is to do as it's told, quietly.

      The problem isn't the OS, it's the user. For example, try to build yourself a shelving unit in your garage that is easily upgradeable, strong enough to take engine parts and won't tip over if you overload it. It's not easy, but probably possible with a lot of design and effort - but it only takes a determined idiot moments to find a way of hurting themselves with it.
      You'd be perfectly safe because you'd use it for what it was intended and within tolerance.

      Most computer users are clueless as to these tolerances and break things, coupled with determined attempts to break things by criminals means that the OS is a lot better designed after those years than you'd like to think. I remember programs that barfed when you typed letters into a numeric field, but since the OS handles this it doesn't happen. It takes cleverly crafted input designed to confuse the program dealing with the information to make it barf, and that's not the OS.

      Half the problem is that it is software - anything made can be unmade, and software is designed to be made and unmade easily. Hardware security is the obvious choice to combat unwanted changes but that then means it can't easily be remade if it breaks or is breached.

      Security is pointless, we should look to fixing the element that is wrong, those who scam and steal and break for fun - it's not just computers that they affect.

      Or perhaps get rid of money... O.o
    • You HAVE to try Linux Mint 8....nt....

  • Employees at Google use IE?

    • About Google.

      Google uses Linux exclusively. Check the
      Netcraft listing of the top 100 websites in the
      world. Google has most of the top 100. If
      there were any security issues at Google, it
      would corrode the very foundation of that
      supremacy. You would see Google's site visit
      count drop dramatically.


      From the above chart of the top 100, you can
      really see, when it comes to security, Microsoft
      is history. MS could never sustain those

      Like every other reported malady, the problem
      isn't with Google, OpenOffice, Firefox, Opera or
      Chrome, it's with Microsoft and IE. IE is
      horrible, I can't understand why anyone would
      still be using it, especially after all the
      recent developments.

      Geez, I've had Gmail since it was introduced. I
      have over 37,000 archived emails (about 20% have
      1-8 MB) attachments. Google increased the size
      limit on attachments to 20 MB. If Outlook was
      handling my email, the computer would be jumping
      up and down on the desk from viruses. :-)
      • Are you saying

        "Like every other reported malady, the problem
        isn't with Google, OpenOffice, Firefox, Opera or
        Chrome, it's with Microsoft and IE."

        So you're saying that all these products are built on top of IE. Last I checked, these were stand-alone products with their own unique issues and bugs.
        • No, I know they have nothing to do with IE.

          What I was trying to illustrate is that I have
          used Linux for 8 years. My family has also gone
          along for the ride with no complaints.

          During that time, Firefox, OpenOffice, Opera and
          recently Chrome have also been available for

          So, when you install Linux Mint, you
          automatically get the current version of Firefox
          and OpenOffice suite. In fact, after running
          the package update on Linux Mint 8, I am
          automatically updated to version 3.5.7.

          So all the articles appearing on ZDNET over the
          years for say, FireFox, have tried to blame the
          browser for intrinsic faults in Windows. Linux
          versions don't present these problems. Sure,
          there are issues with memory, where the browser
          may crash, but you don't have security worries.

          If someone is using Windows with IE and they
          install OpenOffice, the issues relate to Windows
          having holes in it, not necessarily from
          OpenOffice because the Linux sister version is
          doing just fine.

          You have to understand that IE
          is an intrinsic part of Windows and cannot be
          separated from it or deleted. That's why they
          were sued and lost.

          So, your Windows security
          problems can be traced back to IE even if you
          don't use it. A similar connectivity is
          also present in MS Office Suite. They have to
          patch MS Office because people can take total
          control of the computer due to its nature.
          It's not just a separate program, it's a mess.

          They are trying to protect MS reputation by
          blaming applications. The truth is the
          applications should have never been written for