Adtech firm also sent 12k phishing warnings to users of its services
Google has said it fired off 12,000 warnings to unlucky users of its GMail, Drive and YouTube services telling them that they’re being phished by state-backed hackers.
The ad tech firm’s Threat Analysis Group (TAG) said in a blog post that between July and September it told people in 149 countries around the world that they were being “targeted by government-backed attackers”, adding that this was consistent with the same number of warnings sent during the same periods of 2017 and 2018.
“Over 90 percent of these users were targeted via ‘credential phishing emails’, wrote Google’s Shane Huntley, who gave an example of one of these phishing emails having been sent from “Goolge”.
TAG went on to highlight a Russian state-sponsored hacking crew named Sandworm* which in 2017 started deploying Android-based malware to the Google Play store and evolved over time to simply phishing and compromising legit devs before deploying malicious updates to previously trusted apps. Google’s TAG, naturally, said they detected this and stopped Sandworm from doing these bad things.
Kevin Bocek, threat intelligence veep from Venafi, said:
“The most troubling of [Google TAG’s] examples was that [Sandworm] was able to compromise code signing keys from a legitimate app developer, via a phishing email, and add its own backdoor into an app... This just shows the power of code signing, it’s like a god that machines trust blindly. As more and more hackers see the potential, and ease, for misusing keys and certificates we'll see more of these attacks. We must ensure in the software build process code signing and machine identities are protected”