Following the speculations on the resurrection of what's thought to be an already fixed Gmail flaw which could assist in domain name hijackings, yesterday Google commented that their investigation indicated that the recent domain hijacks should be attributed to a phishing campaign, rather than to a Gmail flaw. The phishers was silently adding filter rules to the compromised Gmail accounts, then resetting the passwords so that the accounting data for a particular service or a domain would be quietly forwarded to the attacker's mailboxes.
"With help from affected users, we determined that the cause was a phishing scheme, a common method used by malicious actors to trick people into sharing their sensitive information. Attackers sent customized e-mails encouraging web domain owners to visit fraudulent websites such as "google-hosts.com" that they set up purely to harvest usernames and passwords. These fake sites had no affiliation with Google, and the ones we've seen are now offline. Once attackers gained the user credentials, they were free to modify the affected accounts as they desired. In this case, the attacker set up mail filters specifically designed to forward messages from web domain providers."
Phishing campaigns impersonating Google are in fact becoming so prevalent, that an entire market segment within the underground economy is starting to emerge, which is primarily trading with stolen AdSense accounts. Access to these accounts is obtained either through data mining already infected with malware hosts part of their botnet, or through plain simple phishing campaigns taking advantage of typosquatting in order to visually social engineer an end user, consider the following examples :
adwords.google.com.index.main.update .qwertycn.cn adsense.google.com.server.main.update .dirty-boy.cn edit.google.com.main.update .the-format.cn google.com.urchin.js .7traff.cn google.com.urchin.js .axa1.cn adwords.google-secutiyserv .com google.com.br.updatesoftware.index.d81f0f02cd6a877358cde8fbdbad89a5 .qwertycn.cn google.com.updatesoftware.index.d81f0f02cd6a877358cde8fbdbad89a5 .rootit2.info adwords.google.com.session-69680268279998252722.92444537268559875865 .com68.ru
Two weeks ago, Google quietly fixed a critical XSS vulnerability affecting its accounts login page, which at the time was providing a fully realistic opportunity for malicious attackers to turn into "cookie monsters" and hijack user's sessions on a large scale.