Fake email
Over 3,000 organisations were affected by the attack iStock

The mass phishing scam that hit Google account holders this week has taken some bizarre twists and turns. The most shocking perhaps is that Google was warned of the possibility of such an attack six years ago but despite rewarding the security researcher who flagged the vulnerability, did not do enough to address it. In another interesting development a random Twitter user claimed responsibility for the mass phishing attack technique.

A security researcher from the US said that he had warned the tech giant about this attack vector in 2012, for which he then awarded a "modest bounty."

How many users were affected?

CNet reported that attack by unknown hackers affected 0.1% of Gmail users. Google boasts of over 1 billion users, indicating that nearly 1 million users may have been affected by the attack.

According to email security provider Agari, over 3,000 organisations were affected by the attack. "Based on information from the Agari Trust Network, we saw more than 3,016 organizations were compromised during the attack that sent 23,838 emails to Agari protected organizations," Agari told IBTimes UK.

"According to Agari's data, the attack began on 3 May at 18:19 UTC, was curtailed dramatically at 19:49 with activity dramatically reduced until 21:37 when it ceased. We believe "patient zero" (the first compromise organization to initiate large scale worm replication) was a small K-12 school in a small town in Wisconsin," the firm said.

Who launched the attack?

On 3 May, shortly after news of the phishing attack began spreading, a Twitter user, using an email address with the name Eugene Pupov -- a name which also happened to match the sender of the mass phishing scam -- claimed responsibility for the attack. The Twitter user claimed that the phishing emails were a "test" for his university research project and not part of a scam campaign.

The Twitter user claimed that he was a student with Coventry University. But, a report by Motherboard said the university confirmed that it has no student, current or old, by the name of Eugene Pupov. The Twitter account in question has been deleted, indicating that the individual who claimed the attack may have done it for a lark. It is not known if Twitter disabled the account or the user himself did it.

Google knew about the attack vector

Motherboard also said that, in 2012, security researcher Andre DeMarre had warned Google about the phishing technique, suggesting that the company address the issue by checking if the name of any given app matched the URL of the firm behind it. However, Google responded to DeMarre that they will not perform the URL validation. This decision was reportedly criticised by experts and DeMarre.

McAfee chief scientist Raj Samani told IBTimes UK, "Phishing attacks remain the most common method of manipulating individuals into clicking on links and ultimately installing malicious content onto their systems." He said such attackers try to take advantage of trusted, well-known brands' in an effort attempt to "leverage the use of authority, resulting in the incoming messages to appear trusted to the consumer."