India one of the most affected by Russian govt-backed Gmail phishing campaign: Google

Read all about the deceptive methods of attackers that were uncovered by a specialised Google team.

India, along with the United States of America and the United Kingdom, was among the countries most affected by a Gmail phishing campaign allegedly run by the Russian government-backed APT28/Fancy Bear group, according to a report by Google’s Cybersecurity Action Team.

The report, the first of its kind, said that Google’s Cybersecurity Action Team observed a large-scale credential phishing campaign by this threat actor targeting more than 12,000 Gmail accounts. Fancy Bear had earlier targeted Yahoo! and Microsoft users, the report said. Other countries that were targeted include Canada, Russia, Brazil, and members of the European Union.

This is a sign that state-sponsored cyber-attacks are a reality today, not just in the United States but, as this research shows, closer home in India. India Today and the Times of India reported last year that power substations in Maharashtra and Telangana were attacked by Chinese hackers. These attacks on critical infrastructure indicate a paradigm shift in modern warfare, and they warrant a massive overhaul of a country’s cyber defense capabilities along with more transparency in the process.

How exactly did Fancy Bear target users?

The attackers were using patterns similar to TAG’s (Threat Analysis Group) government-backed attack alerts to lure users to change their credentials on the attacker’s controlled phishing page. The attackers kept changing the emails’ subject line but used a variation of Critical security alert — Google report (emphasis ours)

Body of the phishing email that users received | Source: Google

Phishing campaign impersonated legitimate Google login pages

Phishing and spear phishing campaigns continue to use login pages that impersonate legitimate Google login pages to steal credentials — Google report

Google’s cybersecurity team observed that the attacker-controlled credential phishing page, shown in the image below, looked similar to a Google login page.

Attacker-controlled phishing page that looks similar to a Gmail login page | Source: Google

However, upon closer inspection, the report found that the fonts in the phishing page did not match the fonts on the legitimate Google-owned page. “This was because the attackers tried to reuse their Yahoo! toolkit and left various Yahoo! artifacts in the Gmail HTML login page…” the report added.

Phishing messages were sent from compromised mail servers

After finding that the phishing messages were sent from compromised mail servers, the report said that this was a change from previous campaigns taken up by Fancy Bear on Yahoo!. There, the threat actor had used “some variant of spoofing to send emails”.


Sending an email from an email account that one doesn’t control is called email spoofing, according to Fraudmarc. “Essentially, the attacker is claiming the sender’s identity and abusing their credibility to trick the victim into taking some action,” the website explains.

In Gmail, a majority of the messages go through the Sender Policy Framework (SPF). Techterms defines SPF as an email authentication system designed to prevent email spoofing. “One significant difference between legitimate emails from the compromised mail servers and phishing messages was the domain part of MessageId which is different and unique for every email address domain,” the report added.
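The Message-ID difference the report describes can be turned into a simple mail-triage check. The following is an added example, not code from Google’s report or from the article: it compares the domain part of each message’s Message-ID with the domain of the From address over two constructed sample messages whose domains are placeholders.

```python
# Added triage heuristic (not from Google's report): flag mail whose Message-ID
# domain does not belong to the From-address domain, the difference the report
# saw between legitimate mail from compromised servers and the phishing messages.
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; the domains are placeholders, not real indicators.
LEGIT = (
    "From: IT Desk <itdesk@example-corp.test>\n"
    "Subject: Monthly newsletter\n"
    "Message-ID: <20211001.1234@mail.example-corp.test>\n"
    "\nHello\n"
)
SUSPICIOUS = (
    "From: Account Team <alerts@example-corp.test>\n"
    "Subject: Critical security alert\n"
    "Message-ID: <a1b2c3@unrelated-host.test>\n"
    "\nPlease review your account.\n"
)

def message_id_domain(msg_id):
    """Domain part of '<local@domain>', lowercased; None if absent or malformed."""
    if not msg_id or "@" not in msg_id:
        return None
    return msg_id.strip().strip("<>").rpartition("@")[2].lower() or None

def sender_domain(from_header):
    """Domain of the address in the From header; None if it cannot be parsed."""
    _, addr = parseaddr(from_header or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else None

def domains_match(msg_domain, from_domain):
    """A subdomain such as 'mail.example-corp.test' matches 'example-corp.test'."""
    if not msg_domain or not from_domain:
        return False
    return msg_domain == from_domain or msg_domain.endswith("." + from_domain)

def analyse(raw):
    """Return (from_domain, message_id_domain, suspicious) for one raw message."""
    msg = message_from_string(raw)
    f = sender_domain(msg["From"])
    m = message_id_domain(msg["Message-ID"])
    # A mismatch is a triage signal only: mail relayed through third-party bulk
    # senders legitimately carries a Message-ID from the relay's domain.
    return f, m, not domains_match(m, f)

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("suspicious", SUSPICIOUS)):
        print(label, analyse(raw))
```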

Google’s recommendations to protect from such phishing campaigns

  • Workspace customers and Gmail users should validate that they are providing credentials to legitimate Google sites.
  • Employ two-factor authentication.
  • Enroll in Google’s Advanced Protection Program, which uses security keys such as the Feitian MultiPass FIDO Security Key and the Yubico FIDO U2F Security Key.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ