
#FF00AA


26 nov. 2008

Google Assures Gmail Perfectly Secure, Users Stupid

With help from affected users, we determined that the cause was a phishing scheme, a common method used by malicious actors to trick people into sharing their sensitive information. Attackers sent customized e-mails encouraging web domain owners to visit fraudulent websites such as “google-hosts.com” that they set up purely to harvest usernames and passwords. […]

Several news stories referenced a domain theft from December 2007 that was incorrectly linked to a Gmail CSRF vulnerability. We did have a Gmail CSRF bug reported to us in September 2007 that we fixed worldwide within 24 hours of private disclosure of the bug details. Neither this bug nor any other Gmail bug was involved in the December 2007 domain theft.

And I see no reason to doubt any of this. As I wrote in my comments about the news coverage, the simplest and most efficient way to hack anything has always been social engineering; it's much more efficient to harvest logins and passwords in bulk and then check which of their owners hold domain names than to set up hidden filters on every Gmail account you manage to compromise and request random GoDaddy password reminders, hoping one of them lands in an account you control. Or, least efficient of all, to target one specific domain owner.

The hidden forwarding filters weren't the essence of the hack; they were just set up as a convenience, so that the attackers could minimize the time they spent logged in on the web interface, and to make sure the victim wouldn't also receive the transfer confirmation messages through POP, IMAP, or by happening to open their Gmail page at exactly the wrong moment.
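That hidden-filter trick is easy to check for from the victim's side, which is the one useful thing to take away from the incident. What follows is an added example, not code from the original post or from Google: a small Python audit run over a constructed filter export. It assumes the export is the Atom feed Gmail produces for filters, with apps:property elements named forwardTo, shouldArchive, shouldTrash and so on (those names are from my memory of that format, and the sample feed itself is made up). It flags any filter that forwards mail to an address outside the mailbox owner's own domains and also keeps the matching message out of the inbox, which is exactly the combination the attackers needed.

```python
import xml.etree.ElementTree as ET

ATOM = "http://www.w3.org/2005/Atom"
APPS = "http://schemas.google.com/apps/2006"

# Constructed sample feed, not a real export. Assumption: Gmail's filter
# export is an Atom feed whose entries carry apps:property elements named
# from, to, hasTheWord, label, forwardTo, shouldArchive, shouldTrash, ...
# Entry 1 is a benign archive filter, entry 2 is the attacker's pattern,
# entry 3 forwards to the owner's own address and stays visible.
SAMPLE_FILTERS_XML = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='godaddy OR "domain transfer"'/>
    <apps:property name='forwardTo' value='dropbox@attacker.example'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='boss@mydomain.example'/>
    <apps:property name='forwardTo' value='me@mydomain.example'/>
  </entry>
</feed>
"""


def parse_filters(xml_text):
    """Return one dict of property name -> value per filter entry."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.findall(f"{{{ATOM}}}entry"):
        props = {p.get("name"): p.get("value")
                 for p in entry.findall(f"{{{APPS}}}property")}
        filters.append(props)
    return filters


def is_hidden_forward(props, own_domains):
    """Flag a filter that forwards to an address outside own_domains AND
    hides the matching mail from the mailbox owner (skips the inbox or
    trashes it). A forward alone may be legitimate; a forward the owner
    never sees is the pattern used in the domain thefts."""
    forward_to = props.get("forwardTo")
    if not forward_to or "@" not in forward_to:
        return False
    domain = forward_to.rsplit("@", 1)[1].strip().lower()
    external = domain not in {d.lower() for d in own_domains}
    hidden = (props.get("shouldArchive") == "true"
              or props.get("shouldTrash") == "true")
    return external and hidden


def audit_filters(xml_text, own_domains):
    """All filters in the export that match the hidden-forward pattern."""
    return [f for f in parse_filters(xml_text)
            if is_hidden_forward(f, own_domains)]


if __name__ == "__main__":
    for hit in audit_filters(SAMPLE_FILTERS_XML, {"mydomain.example"}):
        print("suspicious filter:", hit)
```

Run against a real export, the only tuning needed is the set of domains you consider your own; anything forwarding elsewhere while skipping the inbox deserves a look, whatever the filter's search terms say.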

 

By the way, Gmail does favor that kind of attack, in that it never deletes an e-mail unless you insist very hard, so an attacker with access to your archive is sure to find out whether you own domain names, and at which registrar. Chances are they'll even find a password reminder in there without having to request one. Assuming your registrar password isn't the same as your Google account's, of course.

And Google is also contributing to Gmail phishing by using the same credentials on all their sites. It's bad enough that social networking gizmos ask for your Google or Hotmail password so that they can "conveniently" read your address book; the more legitimate, distinct services exist where you are supposed to enter your Google credentials (including App Engine sites), the more readily people will hand them to anyone who asks.

 

Now… should I be scared that the “google-hosts.com” example given in their blog reminds me of something? Or is there a legitimate address that sounds like it?

I don't usually type my passwords when I have any doubt about who's asking (I even changed my Twitter password after I found out that an iPhone application stored it on the developer's server without warning), but nobody's above making a mistake sometime.

And, I, like, totally change my Gmail password every week. No, every day. Like, I’ve always had an iCal alert reminding me to change it every six hours (along with my domain name passwords, server access credentials, and credit card number).

 

You know that all the passwords in the world are useless if you’ve truthfully answered the “secret question,” right?

 

P.S. Cross-promoting Blogspot is nice and all, but when I arrive at googleonlinesecurity.blogspot.com from TechMeme, how the hell am I supposed to be sure it's an actual official Google blog?
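Both the "google-hosts.com" lure mentioned earlier and this blogspot question come down to the same check: is this hostname actually under a domain the party I trust controls? The following is an added example, not code from the original post; the trusted-domain list and the URLs are constructed for illustration. It contrasts the substring match that look-alike domains are built to pass with an anchored suffix match, and it also strips the userinfo trick (www.google.com@evil.example) that fools a glance at the address bar. Note that the official security blog on blogspot.com fails the check by design: nothing in its hostname ties it to google.com, which is precisely the complaint.

```python
from urllib.parse import urlsplit

# Constructed for the example: base domains whose login forms the owner
# is willing to type a Google password into. Not a real Google inventory.
TRUSTED_BASES = ("google.com",)


def normalize_host(host):
    """Lower-case and drop a trailing dot so 'Google.COM.' == 'google.com'."""
    return host.strip().lower().rstrip(".")


def naive_contains(host, base):
    """The check that look-alike domains are built to pass: any hostname
    that merely contains the brand string is accepted."""
    return base in host


def is_under(host, base):
    """True only if host is base itself or a proper subdomain of it.
    Defeats 'google-hosts.com' (base as a prefix), 'notgoogle.com'
    (base as an unanchored suffix) and 'google.com.evil.example'
    (base followed by more labels). Does NOT catch Unicode homographs;
    compare the punycode form for that."""
    host, base = normalize_host(host), normalize_host(base)
    return host == base or host.endswith("." + base)


def safe_to_type_google_password(url, trusted_bases=TRUSTED_BASES):
    """Decide from the URL alone: https only, and the *host* (not the
    userinfo, not the path, not the query) must sit under a trusted base."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    # .hostname drops 'user@' userinfo, so 'https://www.google.com@evil.example/'
    # resolves to 'evil.example' here, as the browser actually connects to it.
    host = parts.hostname or ""
    return any(is_under(host, base) for base in trusted_bases)


if __name__ == "__main__":
    for candidate in ("https://accounts.google.com/ServiceLogin",
                      "https://google-hosts.com/login",
                      "https://www.google.com@evil.example/login",
                      "https://googleonlinesecurity.blogspot.com/"):
        print(candidate, "->", safe_to_type_google_password(candidate))
```

The anchored check is the whole trick: compare against ".google.com" with the dot, never against "google" or "google.com" as a bare substring. Whether a given blogspot.com host is Google's is a question the hostname cannot answer, which is why the blog should have lived under google.com.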

Want to know when I post new content to my blog? It's as simple as registering for free with an RSS aggregator (Feedly, NewsBlur, Inoreader, …) and adding www.ff00aa.com to your feeds (or www.garoo.net if you want to subscribe to all my topics). We don't need newsletters, and we don't need Twitter; RSS still exists.

Albedo, 6 years ago:

Unrelated, but when I click on a post from your blog in my aggregator, it opens the blog and not the post... I'm in despair; I'm thinking of selling my PC and never going back on the web, unless you find a solution.

garoo, 6 years ago:

Which aggregator are you using, and where do you click?
(While I track down the bug, if you click the "comments" link you'll just have to scroll up to the top of the article afterwards.)

Albedo, 6 years ago:

Netvibes, and I click on the title of the post I'm interested in. And it actually behaves as if I'd clicked on the blog's title. Oh well, it's not a tragedy, I've decided to keep my PC and my web access even if this situation persists :)

garoo, 6 years ago:

Oops, ah yes, there was a bug :)

Albedo, 6 years ago:

Yep, it's working perfectly again!

Legal information: This blog is hosted by OVH, 2 rue Kellermann, 59100 Roubaix, France, www.ovhcloud.com.

Personal data about this blog's readers is neither used nor transmitted to third parties. Comment authors can request its deletion by e-mail.

All contents © the author or quoted under fair use.