Login
Google says it recently fixed an authentication weakness that allowed crooks to circumvent the email verification required to create a Google Workspace account, and leverage that to impersonate a domain holder at third-party services that allow logins through Google’s “Sign in with Google” feature.
Last week, KrebsOnSecurity heard from a reader who said they received a notice that their email address had been used to create a potentially malicious Workspace account that Google had blocked.
“In the last few weeks, we identified a small-scale abuse campaign whereby bad actors circumvented the email verification step in our account creation flow for Email Verified (EV) Google Workspace accounts using a specially constructed request,” the notice from Google read. “These EV users could then be used to gain access to third-party applications using ‘Sign In with Google’.”
In response to questions, Google said it fixed the problem within 72 hours of discovering it, and that the company has added additional detection to protect against these types of authentication bypasses going forward.
Anu Yamunan, director of abuse and safety protections at Google Workspace, told KrebsOnSecurity the malicious activity began in late June, and involved “a few thousand” Workspace accounts that were created without being domain-verified.
Google Workspace offers a free trial that people can use to access services like Google Docs, but other services such as Gmail are only available to Workspace users who can validate control over the domain name associated with their email address. The weakness Google fixed allowed attackers to bypass this validation process. Google emphasized that none of the affected domains had previously been associated with Workspace accounts or services.
“The tactic here was to create a specifically-constructed request by a bad actor to circumvent email verification during the signup process,” Yamunan said. “The vector here is they would use one email address to try to sign in, and a completely different email address to verify a token. Once they were email verified, in some cases we have seen them access third party services using Google single sign-on.”
Yamunan said none of the potentially malicious workspace accounts were used to abuse Google services, but rather the attackers sought to impersonate the domain holder to other services online.
In the case of the reader who shared the breach notice from Google, the imposters used the authentication bypass to associate his domain with a Workspace account. And that domain was tied to his login at several third-party services online. Indeed, the alert this reader received from Google said the unauthorized Workspace account appears to have been used to sign in to his account at Dropbox.
Google said the now-fixed authentication bypass is unrelated to a recent issue involving cryptocurrency-based domain names that were apparently compromised in their transition to Squarespace, which last year acquired more than 10 million domains that were registered via Google Domains.
On July 12, a number of domains tied to cryptocurrency businesses were hijacked from Squarespace users who hadn’t yet set up their Squarespace accounts. Squarespace has since published a statement blaming the domain hijacks on “a weakness related to OAuth logins”, which Squarespace said it fixed within hours.
Nikita Kislitsin, formerly the head of network security for one of Russia’s top cybersecurity firms, was arrested last week in Kazakhstan in response to 10-year-old hacking charges from the U.S. Department of Justice. Experts say Kislitsin’s prosecution could soon put the Kazakhstan government in a sticky diplomatic position, as the Kremlin is already signaling that it intends to block his extradition to the United States.
Nikita Kislitsin, at a security conference in Russia.
Kislitsin is accused of hacking into the now-defunct social networking site Formspring in 2012, and conspiring with another Russian man convicted of stealing tens of millions of usernames and passwords from LinkedIn and Dropbox that same year.
In March 2020, the DOJ unsealed two criminal hacking indictments against Kislitsin, who was then head of security at Group-IB, a cybersecurity company that was founded in Russia in 2003 and operated there for more than a decade before relocating to Singapore.
Prosecutors in Northern California indicted Kislitsin in 2014 for his alleged role in stealing account data from Formspring. Kislitsin also was indicted in Nevada in 2013, but the Nevada indictment does not name his alleged victim(s) in that case.
However, documents unsealed in the California case indicate Kislitsin allegedly conspired with Yevgeniy Nikulin, a Russian man convicted in 2020 of stealing 117 million usernames and passwords from Dropbox, Formspring and LinkedIn in 2012. Nikulin is currently serving a seven-year sentence in the U.S. prison system.
As first reported by Cyberscoop in 2020, a trial brief in the California investigation identified Nikulin, Kislitsin and two alleged cybercriminals — Oleg Tolstikh and Oleksandr Vitalyevich Ieremenko — as being present during a 2012 meeting at a Moscow hotel, where participants allegedly discussed starting an internet café business.
A 2010 indictment out of New Jersey accuses Ieremenko and six others with siphoning nonpublic information from the U.S. Securities & Exchange Commission (SEC) and public relations firms, and making $30 million in illegal stock trades based on the proprietary information they stole.
[The U.S. Secret Service has an outstanding $1 million reward for information leading to the arrest of Ieremenko (Александр Витальевич Еременко), who allegedly went by the hacker handles “Zl0m” and “Lamarez.”]
Kislitsin was hired by Group-IB in January 2013, nearly six months after the Formspring hack. Group-IB has since moved its headquarters to Singapore, and in April 2023 the company announced it had fully exited the Russian market.
In a statement provided to KrebsOnSecurity, Group-IB said Mr. Kislitsin is no longer an employee, and that he now works for a Russian organization called FACCT, which stands for “Fight Against Cybercrime Technologies.”
“Dmitry Volkov, co-founder and CEO, sold his stake in Group-IB’s Russia-based business to the company’s local management,” the statement reads. “The stand-alone business in Russia has been operating under the new brand FACCT ever since and will continue to operate as a separate company with no connection to Group-IB.”
FACCT says on its website that it is a “Russian developer of technologies for combating cybercrime,” and that it works with clients to fight targeted attacks, data leaks, fraud, phishing and brand abuse. In a statement published online, FACCT said Kislitsin is responsible for developing its network security business, and that he remains under temporary detention in Kazakhstan “to study the basis for extradition arrest at the request of the United States.”
“According to the information we have, the claims against Kislitsin are not related to his work at FACCT, but are related to a case more than 10 years ago when Nikita worked as a journalist and independent researcher,” FACCT wrote.
From 2006 to 2012, Kislitsin was editor-in-chief of “Hacker,” a popular Russian-language monthly magazine that includes articles on information and network security, programming, and frequently features interviews with and articles penned by notable or wanted Russian hackers.
“We are convinced that there are no legal grounds for detention on the territory of Kazakhstan,” the FACCT statement continued. “The company has hired lawyers who have been providing Nikita with all the necessary assistance since last week, and we have also sent an appeal to the Consulate General of the Russian Federation in Kazakhstan to assist in protecting our employee.”
FACCT indicated that the Kremlin has already intervened in the case, and the Russian government claims Kislitsin is wanted on criminal charges in Russia and must instead be repatriated to his homeland.
“The FACCT emphasizes that the announcement of Nikita Kislitsin on the wanted list in the territory of the Russian Federation became known only today, June 28, 6 days after the arrest in Kazakhstan,” FACCT wrote. “The company is monitoring developments.”
The Kremlin followed a similar playbook in the case of Aleksei Burkov, a cybercriminal who long operated two of Russia’s most exclusive underground hacking forums. Burkov was arrested in 2015 by Israeli authorities, and the Russian government fought Burkov’s extradition to the U.S. for four years — even arresting and jailing an Israeli woman on phony drug charges to force a prisoner swap.
That effort ultimately failed: Burkov was sent to America, pleaded guilty, and was sentenced to nine years in prison.
Alexei Burkov, seated second from right, attends a hearing in Jerusalem in 2015. Image: Andrei Shirokov / Tass via Getty Images.
Arkady Bukh is a U.S. attorney who has represented dozens of accused hackers from Russia and Eastern Europe who were extradited to the United States over the years. Bukh said Moscow is likely to turn the Kislitsin case into a diplomatic time bomb for Kazakhstan, which shares an enormous border and a great deal of cultural ties with Russia. A 2009 census found that Russians make up about 24 percent of the population of Kazakhstan.
“That would put Kazakhstan at a crossroads to choose between unity with Russia or going with the West,” Bukh said. “If that happens, Kazakhstan may have to make some very unpleasant decisions.”
Group-IB’s exodus from Russia comes as its former founder and CEO Ilya Sachkov remains languishing in a Russian prison, awaiting a farcical trial and an inevitable conviction on charges of treason. In September 2021, the Kremlin issued treason charges against Sachkov, although it has so far refused to disclose any details about the allegations.
Sachkov’s pending treason trial has been the subject of much speculation among denizens of Russian cybercrime forums, and the consensus seems to be that Sachkov and Group-IB were seen as a little too helpful to the DOJ in its various investigations involving top Russian hackers.
Indeed, since its inception in 2003, Group-IB’s researchers have helped to identify, disrupt and even catch a number of high-profile Russian hackers, most of whom got busted after years of criminal hacking because they made the unforgivable mistake of stealing from their own citizens.
When the indictments against Kislitsin were unsealed in 2020, Group-IB issued a lengthy statement attesting to his character and saying they would help him with his legal defense. As part of that statement, Group-IB noted that “representatives of the Group-IB company and, in particular, Kislitsin, in 2013, on their own initiative, met with employees of the US Department of Justice to inform them about the research work related to the underground, which was carried out by Kislitsin in 2012.”
FreshRSS 