4 min read
- State-sponsored phishing attacks
- Technical attribution of a recently-reported influence campaign from Iran
- Detection and termination of activity on Google properties
Due to the advanced techniques used by hackers, users are often tricked by an email camouflaged as a legitimate one. As a countermeasure, Google says it has invested in robust systems,
- For detecting any phishing or hacking attempts on user’s email network
- To identify influence operations launched by foreign governments
- To protect political campaigns from digital attacks via Google’s Protect Your Election program.
Google’s Threat Analysis Group is working with their partners at Jigsaw and Google’s Trust & Safety team to identify bad actors and disable their accounts. The group will further warn users about these bad actors, and also share intelligence with other companies and law enforcement officials.
State-sponsored phishing attacks
Email phishing is the most common yet the most popular attack. Google has improved their security policies for Gmail users such as automated protections, account security (like security keys), specialized warnings, and so on. Google, via these attempts, plans to significantly decrease the volume of phishing emails that get through to its users.
On 20th August 2018, Google issued a series of notifications to Gmail users who were subject to suspicious emails from a wide range of countries. They posted about the different warnings about Government-backed phishing on their blog post and asked users to take immediate actions if they came across the attack or pop-up mentioned.
FireEye detected suspicious Google accounts linked to Iran
Google has also integrated with FireEye cybersecurity group, and other top security consultants, to provide them with intelligence. FireEye’s recent help to Facebook by detecting the identified suspicious accounts with links to Russia and Iran is worth mentioning.
For the last two months, Google and Jigsaw have worked closely with FireEye on the influence operation linked to Iran that FireEye identified last week. FireEye identified some suspicious Google accounts (three email accounts, three YouTube channels, and three Google+ accounts), which were swiftly disabled.
Google Security team suspects the malicious actors are linked to IRIB
In addition to FireEye’s intelligence report, Google’s team have investigated a broader range of suspicious actors linked to Iran who has engaged in setting up the malicious accounts. Following this, Google has informed the U.S. lawmakers and law enforcement agencies about the results of their investigation, including its relation to political content in the United States.
Google’s technical research team further identified with evidence that these actors are associated with the IRIB, the Islamic Republic of Iran Broadcasting.
Their observations are as follows:
- Technical data associated with these actors is strongly linked to the official IRIB IP address space.
- Domain ownership information about these actors is strongly linked to IRIB account information.
- Account metadata and subscriber information associated with these actors is strongly linked to the corresponding information associated with the IRIB, indicating common ownership and control.
Detecting and terminating activity on Google properties
All content influenced by the malicious actors violating Google’s policies are swiftly removed from Google services and terminates these actors’ accounts. It also uses several robust methods, including IP blocking, to prevent individuals or entities in Iran from opening advertising accounts.
Google identified and terminated a number of accounts linked to the IRIB organization that disguised their connection to this effort, including while sharing English-language political content in the U.S., these include:
- 39 YouTube channels that had 13,466 total US views on relevant videos
- 6 blogs on Blogger
- 13 Google+ accounts
The state-sponsored phishing attacks and the actors associated with the IRIB are not the only state-sponsored actors at work on the Internet. Google had also disclosed information about actors linked to the Internet Research Agency (IRA) in 2017. They detected and removed 42 YouTube channels, which had 58 English-language political videos (these videos had a total of fewer than 1,800 U.S. views).
Read more about Google’s plan to protect users against phish attacks on their Safety & Security blog.