Russian Hackers using Google’s APM Service to hack Gmail Users

 

Everyone is crazy about hacking social media accounts of people, meanwhile, some target social media accounts of celebrities or high ranked officials of the country. Gmail has 1 Billion monthly active users and going on, Gmail is also used for official works by many officials.

If such email accounts can be hacked then it can reveal sensitive information too. Although Google leaves no chance to keep the users safe from getting hacked but being a human being is a vulnerability itself, a Human can be tricked. Even though Google has tough security for their user’s, Russian hackers managed to come up with a way to trick Google’s own security using its own infrastructure.

Researchers at Citizen Lab on 25th May exposed this Gmail hacking campaign by publishing a detailed report on the campaign.

The Researchers explained in the report that the Russian Government Hackers were using Phishing to hack Gmail users, and they targeted mainly journalists and activists critical of the Russian government, as well as people affiliated with the Ukrainian military, and high-ranking officials in energy companies around the world. The numbers say that they targeted around 200 victims of such kind.

How Does this Work?

 

The victim usually receives an email from Google claiming that someone has stolen their password and will ask the user to change the password.However, the email was not sent by Google and was found to be sent from the Hacker Group Fancy Bear or APT28 believed to be working for GRU (Russia’s Military Intelligence). The mail had a realistic look to be believed as a genuine email from Google Security Team.

The Change Password button was linked to a tiny.cc link which is a service used for shortening the URL. The trick here used by the hackers to make their phishing link look legitimate was using the Google’s Accelerated Mobile Pages service. The Service is actually used by Google to provide faster page load in the mobiles, which is done by copying the web page on Google’s server which also acts as an open Redirect.

 

Using Google’s AMP the hacker were able to convince the victim that the email was actually sent from the Google’s Security Team, because, when the victim will inspect the URL got open from the redirect he will find google.com/amp in the first, which will make him think that the URL is genuine however the link will be followed by tiny.cc/example in the URL. For an Example: https://www.google[.]com/amp/tiny.cc/example

The Researchers at Citizen Lab mentioned a Case of David Satter who is an American journalist and academic who’s written Soviet and modern Russia, and who has been banned from the country in 2014, On October 7, 2016, fell victim to a targeted phishing campaign, and mistakenly entered his password on a credential harvesting site.

Here is a mail he received.

 

fake email
taken from Citizenlab report
The Researcher said “It’s a percentage game, you may not get every person you phish but you’ll get a percentage.”
To avoid getting targeted by such campaigns one should always inspect the URL thoroughly and try to avoid clicking on a suspicious link in the emails or anywhere on web.
For more help and tips..Subscribe to our mailing list.

[wysija_form id=”1″]