Google’s security team is using its malicious traffic detection capabilities to warn its users if they are in danger of falling victim to a state-sponsored attack.
The Internet giant will first alert a user with a warning banner that it suspects malicious activity associated with the account. The alert also flags the account in Google’s systems for additional safeguards to verify the authenticity of the user, said Eric Grosse, vice president of security engineering at Google.
“When we have specific intelligence—either directly from users or from our own monitoring efforts—we show clear warning signs and put in place extra roadblocks to thwart these bad actors,” Grosse wrote, describing the new Google security warning feature in the Google Online Security blog.
Grosse cautioned that the warning does not mean the account has been hijacked by an attacker. “It just means we believe you may be a target, of phishing or malware for example, and you should take immediate steps to secure your account,” he wrote.
Similar malicious activity warnings are issued by Microsoft, Yahoo and other websites when a problem is suspected, but the Google feature is the first time a warning targets victims of state-sponsored cyberespionage. Google did not reveal how it determines if suspicious activity is state-sponsored. Grosse said the company doesn’t want to give away too many details to bad actors. “Our detailed analysis—as well as victim reports—strongly suggest the involvement of states or groups that are state-sponsored,” he wrote.
Last summer, Google unveiled a malware warning system to alert users of infections. The system can detect activity from Microsoft Windows machines that could signal a malicious software infection, and it warns users with a banner when they are signed into their account. Google started the program at the time to disrupt the practice of tainting search results to trick users into visiting a malicious webpage and downloading rogue antivirus software.
Google uses a mixture of proprietary malware detection technology and an engineering team to detect malicious activity affecting its users and systems. The process was described by a Google engineer in a 2010 presentation at the SecTor conference in Toronto.
Google’s website malware detection systems are built using virtual machines running Windows and Internet Explorer. The system monitors and logs all network traffic. New processes, newly written files and registry writes are flagged, along with the affected user accounts or website, and downloaded files are scanned with antivirus software. The collected information is then blended with data collected by Google’s crawlers.
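The differential analysis the article describes, reduced to its core: snapshot the VM before and after a page visit, flag what appeared, and combine that with antivirus results on the downloads. This is an added illustration, not Google's code; the snapshot fields, the persistence watch-list, the sample paths and the antivirus label are all constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """State of the analysis VM at one moment (constructed sample data below)."""
    processes: frozenset  # names of running processes
    files: frozenset      # paths present on disk
    registry: frozenset   # registry values present


# Registry paths that execute at logon; hypothetical watch-list, not Google's.
PERSISTENCE_HINTS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")


def diff_snapshots(before, after):
    """Return what appeared during the visit: new processes, files and registry writes."""
    return {
        "new_processes": sorted(after.processes - before.processes),
        "new_files": sorted(after.files - before.files),
        "registry_writes": sorted(after.registry - before.registry),
    }


def classify(diff, av_hits):
    """Rank a visit from its behavioural diff plus antivirus results on downloads."""
    persistence = [k for k in diff["registry_writes"]
                   if any(h in k for h in PERSISTENCE_HINTS)]
    if av_hits or persistence or diff["new_processes"]:
        verdict = "malicious"     # something ran, persisted, or matched a signature
    elif diff["new_files"] or diff["registry_writes"]:
        verdict = "suspicious"    # writes without execution: needs a human look
    else:
        verdict = "clean"
    return {"verdict": verdict, "persistence": persistence, "av_hits": sorted(av_hits)}


def analyze_visit(before, after, av_hits=()):
    diff = diff_snapshots(before, after)
    return {**diff, **classify(diff, set(av_hits))}


# Constructed sample: a visit that dropped an installer and registered it to run at logon.
BASELINE = Snapshot(
    processes=frozenset({"explorer.exe", "iexplore.exe"}),
    files=frozenset({r"C:\Windows\System32\ntdll.dll"}),
    registry=frozenset({r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}),
)
AFTER_VISIT = Snapshot(
    processes=BASELINE.processes | {"setup_av2012.exe"},
    files=BASELINE.files | {r"C:\Users\lab\AppData\Local\Temp\setup_av2012.exe"},
    registry=BASELINE.registry | {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AV2012"},
)

if __name__ == "__main__":
    print(analyze_visit(BASELINE, AFTER_VISIT, av_hits={"setup_av2012.exe: Rogue.FakeAV"}))
```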