Google: Domain Thefts Not Caused By Gmail Vulnerability

It’s not unusual for companies to take a "move along, nothing to see here" approach to discussing problems; PR departments don’t want people to dwell on such things. Only in this case, Google seems to be making honest use of the sentiment as it’s busted a rumor about a Gmail vulnerability and domain theft.

About a week ago, reports first started to circulate that a hacker could gain control of Gmail accounts and move from them to GoDaddy accounts. The number of folks claiming to have been affected by this trick grew, and press coverage increased. Sooner or later, the hubbub seemed sure to create a measurable dent in Gmail’s market share.

Information Security Engineer Chris Evans investigated the issue and has responded on the Google Online Security Blog, however, writing, "Our results indicate no evidence of a Gmail vulnerability. With help from affected users, we determined that the cause was a phishing scheme . . . . Attackers sent customized e-mails encouraging web domain owners to visit fraudulent websites such as ‘google-hosts.com’ that they set up purely to harvest usernames and passwords."

Evans then continues, "Once attackers gained the user credentials, they were free to modify the affected accounts as they desired. In this case, the attacker set up mail filters specifically designed to forward messages from web domain providers."

Try to be careful more careful than ever about what sites you visit, then, but don’t believe that there’s any special reason to abandon Gmail.

There are 5 Comments. Add Yours.

RealStudio Webdesign
November 26, 2008 at 1:05 pm

Everybody should know that you’re not supposed to give away user and pass … And there’s no escuse to not checking the url where you have the input form, especially if you get there from a link within an email ….

Then again, there are many out there who are convinced that no-reply@host.com is a real email adress …. Tought to say. But google is definetly not the only one affected by phishing attack.

My guess is that all these fake sites will have a new bust, especially with credit cards and e-payment account. Hope i’m wrong!
- Yeoville
  November 27, 2008 at 4:34 pm
  
  Sorry, but phishing is first and foremost a criminal problem. I agree that naivety, foolishness and carelessness make us fall into the trap. The other big mistake we users make is not protecting our PCs, thus allowing them to be attacked and used by criminals to attack other users.
George Hooper
November 28, 2008 at 12:58 am

If google had a system to report scam emails this could have been reported and stopped much sooner,
Sam Nichols
December 20, 2008 at 4:54 pm

I remember there were some problems with Gmail some time ago, with a blogger that had the same issue. Maybe is the same problem here?
Used Pontiac
April 24, 2009 at 4:19 pm

Evans then continues, “Once attackers gained the user credentials, they were free to modify the affected accounts as they desired. In this case, the attacker set up mail filters specifically designed to forward messages from web domain providers.