    Targeted Attacks on Popular Webmail Services Signal Future Attacks

    Google recently revealed details surrounding a successful phishing campaign that targeted the Gmail accounts of government officials and of political activists. While the incident has received significant media coverage, there has also been a variety of other recent attacks on popular Webmail platforms. In addition to Gmail, Hotmail and Yahoo! Mail have also been targeted. While the attacks appear to have been conducted separately, they have some significant similarities.

    Strategy 1: Launch Spearphishing Attack

    The objective of the attackers appears to be to gain access to the target’s Webmail accounts in order to monitor his/her communications and, possibly, to stage future attacks. In the recent case revealed by Google, the attackers used a phishing attack to gain access to the target’s Gmail account then proceeded to add their own email addresses to the “forwarding and delegation settings,” allowing them to send and receive email messages via the compromised accounts.

    These attacks were actually first revealed by Mila Parkour back in February. She found that in addition to monitoring the compromised email account, the attackers also used a script that exploits the res:// protocol to enumerate the type of antivirus software the victim has installed on his/her computer. This information can then be used to stage a future attack that aims to take control of the target’s computer, not just his/her Gmail account.

    Trend Micro recently uncovered malware that also uses the res:// protocol to enumerate the software installed on targets’ computers, setting the stage for more precise future attacks. Once the attackers know what software is installed on a target’s computer, including antivirus products, they can craft a precise attack targeting any vulnerable software. Such an attack will then have a high probability of success.

    Strategy 2: Exploit Webmail Vulnerabilities

    In addition to this recent phishing attack, Google also previously revealed that attackers are exploiting a vulnerability in the MHTML protocol in order to target political activists who use Google’s services. At the same time, Google revealed that the same technique was being used against users of “another popular social site.”

    While this other website has not been identified, Greg Walton reported that this MHTML exploit was being directed against Gmail users and that the initial phishing message was being propagated through Facebook. These attacks targeted journalists and political activists. Like the recent phishing attacks, the attackers modified the delegation settings so they can continue to monitor the compromised Gmail accounts.

    Google’s services haven’t been the only ones targeted. Trend Micro researchers in Taiwan revealed a phishing attack that exploited a vulnerability in Microsoft’s Hotmail service. In fact, rather than clicking a malicious link, even the simple act of previewing the malicious email message can compromise a user’s account. This phishing email pretended to be from the Facebook security team.

    In addition to Gmail and Hotmail users, Yahoo! Mail users have also been targeted. We recently alerted Yahoo! of an attempt to exploit Yahoo! Mail by stealing users’ cookies in order to gain access to their email accounts. While this attempt appeared to fail, it does signify that attackers are attempting to attack Yahoo! Mail users as well.

    The same email address that attempted to exploit Yahoo! Mail was used in targeted attacks featuring malicious Microsoft Excel spreadsheets in March. This demonstrates the diversity of exploits that are available to attackers.

    These events demonstrate that in addition to targeted attacks that encourage users to open malicious attachments, usually .PDF and .DOC files, attackers are also attempting to exploit vulnerabilities in popular Webmail services in order to compromise Webmail accounts, to monitor communications, and to gain information in order to stage future attacks.

    These attacks can be difficult to defend against because they often appear to come from recognizable sources. However, there are some clues that can help identify phishing email messages. The messages generally contain spelling and grammatical errors, which help indicate that they did not originate from the expected source. To know more about targeted malware attacks, you may read the post, “How Sophisticated Are Targeted Malware Attacks?”

    In addition, while the malicious links may contain keywords like “google,” “hotmail,” or “yahoo,” these will actually be links to third-party websites that can be easily spotted. The use of two-step verification processes (which Google offers for Gmail) can also help defend against such attacks. Finally, tools that protect browsers from the execution of malicious scripts such as Trend Micro Browser Guard can help mitigate these threats.
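
    The link check described above, sketched as an added example (not code from the original post): a URL that mentions a Webmail brand is compared against the domains that brand actually uses. The allow-list of domains is an assumption, and the sample URLs in the comments are constructed.

```python
from urllib.parse import urlsplit

# Assumed allow-list (not from the post): brand keyword -> domains the brand serves from.
BRAND_DOMAINS = {
    "google": ("google.com", "gmail.com"),
    "hotmail": ("hotmail.com", "live.com"),
    "yahoo": ("yahoo.com",),
}


def host_matches(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_link(url):
    """Return (verdict, findings) for one link taken from an email message.

    verdict is 'brand-owned', 'lookalike' or 'unrelated'; findings lists
    (brand, location) pairs showing where the brand keyword was found.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    # The real destination is the host, not whatever text surrounds it.
    for domains in BRAND_DOMAINS.values():
        if any(host_matches(host, d) for d in domains):
            return "brand-owned", []
    userinfo = (parts.username or "").lower()
    rest = (parts.path + "?" + parts.query).lower()
    findings = []
    for brand in BRAND_DOMAINS:
        if brand in host:
            findings.append((brand, "host"))       # e.g. mail.google.com.example
        elif brand in userinfo:
            findings.append((brand, "userinfo"))   # e.g. accounts.google.com@198.51.100.7
        elif brand in rest:
            findings.append((brand, "path/query"))  # e.g. example.net/yahoo/signin
    return ("lookalike" if findings else "unrelated"), findings


if __name__ == "__main__":
    for sample in (  # constructed sample URLs
        "https://mail.google.com/mail/",
        "http://mail.google.com.account-verify.example/ServiceLogin",
        "http://accounts.google.com@198.51.100.7/login",
        "http://login.example.net/yahoo/signin?src=hotmail",
    ):
        print(sample, "->", classify_link(sample))
```

    A brand that serves content from domains missing from the allow-list will be reported as a lookalike, so the list needs to reflect the services actually in use.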





    19 Responses to “Targeted Attacks on Popular Webmail Services Signal Future Attacks”

    1. floyd Says:

      Gentlemen:
      I read your recent notice about becoming aware of Webmail attacks on Yahoo Mail. It may come as a surprise to you, but this is not news. This has been going on for a long time and Yahoo has kept it secret. I know this for a fact because my Yahoo email was hacked late in 2010 and the hacker got my ID and password and took over my account and changed my security answers, then emailed my contact list and asked for money telling them I was in London and stranded at the airport needing cash. The attack came from the Seychelles. The attacker got control of my email by getting a keyboard logger into my computer and tracked the keystrokes I used. I never got my email account recovered as Yahoo is not cooperative with its customers. Actually they are the worst to deal with and they keep all the information about being hacked quiet. Their email is not secure and I will never open another account with them again. I did not know at first that the hacker had control of my account. So I sent emails to my contacts and warned them I had been hacked. The hacker then sent me viruses that attacked my Windows system and disabled Windows. I got it back up by reinstalling and repairing Windows. Then I was attacked again the same way. I performed another repair with my Windows reinstall disk. Then I dumped my antivirus because it was disabled by the hacker. I downloaded your HijackThis and HouseCall and began cleaning up my system. Then I downloaded a new antivirus from another source and cleaned up my computer again. It took me two days to clean up the hacker's dirty work. Then I got a new email from Google that is HTTPS.
      Then I called my contacts by telephone direct and put them on notice. Lucky for them they had antivirus that was still working. It took several months to get Yahoo to close the email account to take it away from the hacker. Those people at Yahoo just do not give a damn. I contacted them so many times I got sick of wasting my time to no avail. I know the hacker was working my account from the Seychelles because the emails sent to me with viruses had full headers which I examined closely which came from there. I gave those full headers to Yahoo, but what a bunch of fumble heads.
      I now scan my computer regularly with HijackThis to look for startup lines that are out of the norm. Thanks for creating that program.
      Restore by Microsoft is no longer used by me because once a virus gets into the backups, it becomes a problem all its own. I believe it is actually better to do a Windows repair and overwrite the problem and do a sweep for malware and viruses. I am happy to answer any questions you may have of my experience in this matter.
      I can tell you for sure that all of my problems occurred while I had Yahoo email and no problems since I dumped them as the provider. I do not even use them as a search engine any longer. I even informed them that they were about to be on the losing end of the stick because I would tell everyone I knew about my problem with them if they did not help fix the problem. They ignored me. Word travels fast, and a recent review of their present financial condition appears like they do not know how to keep customers, as they lost me and likely many others. Happy customers do not jump ship.
      I believe it is important that users become aware that Yahoo has kept the hacker attacks quiet to keep from damaging their business. Meanwhile their customers like myself had hackers stealing all the info in our email account with them and using it to gain control over our information.
      Identity theft comes to mind in this situation, and the identities of my contacts and their private information. Yahoo did not seem to care.

      Thanks for listening.

      FS



     

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice