When Google Attacks

The CEO of Mocality, an online database in Kenya, has written a detailed report on why he believes his company has caught Google engaging in predatory and fraudulent practices.

It starts with a simple sting operation.

We made some changes to the site:

For visitors from the 41.203.221.138 address, we changed the code to serve slightly different content 10% of the time.

Instead of the real business phone number, we served a number that fed through to our call centre team, where the incoming calls would also be recorded. Our team were briefed to act like the business owners for the calls.

We switched the new code on December 21st.

When we listened to the calls, we were beyond astonished.

Basically, when their servers saw access to their database coming from Google in Mountain View, they swapped in a special phone number that went to the Mocality call center. A call would then come from someone trying to sell a Getting Kenyan Businesses Online (GKBO) website. GKBO was launched by Google just last September.
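The sting described above, sketched in Python as an added example (this is not Mocality's code). The watched address and the 10% rate come from the report; the decoy number, the function names and the time-window matching of inbound calls to served listings are assumptions.

```python
import ipaddress
import random

# Address quoted in the report; every other value here is a constructed placeholder.
WATCHED_NETS = [ipaddress.ip_network("41.203.221.138/32")]
DECOY_RATE = 0.10                   # "slightly different content 10% of the time"
DECOY_NUMBER = "+254-000-000-000"   # constructed: rings the recorded call-centre line

served_log = []  # (timestamp, client_ip, listing_id) for every decoy served


def is_watched(client_ip):
    """True when the request comes from an address under investigation.

    client_ip must be the socket peer (or a value set by a trusted proxy),
    not a raw X-Forwarded-For header that the client controls.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # malformed address: never serve the decoy
    return any(addr in net for net in WATCHED_NETS)


def phone_for_request(client_ip, listing_id, real_number, now, rng=random.random):
    """Return the phone number to render for this page view.

    Watched clients get the decoy on a DECOY_RATE fraction of requests;
    all other visitors always get the real business number.
    """
    if is_watched(client_ip) and rng() < DECOY_RATE:
        served_log.append((now, client_ip, listing_id))
        return DECOY_NUMBER
    return real_number


def listings_behind_call(call_time, window_seconds=3600):
    """Listings whose decoy was served in the window before a call reached the decoy line."""
    return [lid for ts, _ip, lid in served_log
            if 0 <= call_time - ts <= window_seconds]
```

Because the decoy number is only ever shown to the watched address, any call that arrives on it ties the caller to that address's page views, and the served log narrows down which listing the caller was reading.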

Mocality says that when they started the investigation they thought this would be a rogue-employee case, but their fear has become far more serious.

I did not expect to find a human-powered, systematic, months-long, fraudulent (falsely claiming to be collaborating with us, and worse) attempt to undermine our business, being perpetrated from call centres on 2 continents.

Mocality sting graph

Google’s response, on Google+, has been vague:

We were mortified to learn that a team of people working on a Google project improperly used Mocality’s data and misrepresented our relationship with Mocality to encourage customers to create new websites. We’ve already unreservedly apologised to Mocality. We’re still investigating exactly how this happened, and as soon as we have all the facts, we’ll be taking the appropriate action with the people involved.

Mocality’s CEO has updated his complaint to acknowledge the apology. But he is still asking questions. This might be the toughest one for the giant company to investigate:

Apparently, the calls were made by a 3rd party vendor. I can see how this was the case for the activity we saw in Kenya, but the Indian activity seemed to come from Google’s own network. I know (from friends who are Googlers) how preciously that network is guarded. How was a 3rd party given access to it?

It raises the old question of Google's complaints about attacks said to originate in China. Although the breaches were blamed on software flaws and human failure, it was also hinted in private that the Aurora attacks were first related to weak VPN access controls in remote offices passing through a flat network. Mocality may have pulled a thread that will unravel more serious issues with the Google perimeter…
