1:38 pm (UTC-7) | by Nart Villeneuve (Senior Threat Researcher)
Google recently revealed details surrounding a successful phishing campaign that targeted the Gmail accounts of government officials and of political activists. While there has been significant media coverage of the incident, there have been a variety of recent attacks on popular Webmail platforms. In addition to Gmail, Hotmail and Yahoo! Mail have also been targeted. While the attacks appear to have been separately conducted, they share some significant similarities.
Strategy 1: Launch Spearphishing Attack
The objective of the attackers appears to be to gain access to the target’s Webmail accounts in order to monitor his/her communications and, possibly, to stage future attacks. In the recent case revealed by Google, the attackers used a phishing attack to gain access to the target’s Gmail account then proceeded to add their own email addresses to the “forwarding and delegation settings,” allowing them to send and receive email messages via the compromised accounts.
These attacks were actually first revealed by Mila Parkour back in February. She found that in addition to monitoring the compromised account’s email, the attackers also used a script that exploits the res:// protocol to enumerate the type of antivirus software the victim has installed on his/her computer. This information can then be used to stage a future attack that aims to take control of the target’s computer, not just his/her Gmail account.
Trend Micro recently uncovered malware that also uses the res:// protocol to enumerate the software installed on targets’ computers, setting the stage for future, more precise attacks. Once the attackers know what software is installed on a target’s computer, including antivirus products, they can craft a precise attack targeting any vulnerable software. Such an attack will then have a high probability of success.
Strategy 2: Exploit Webmail Vulnerabilities
In addition to this recent phishing attack, Google also previously revealed that attackers are exploiting a vulnerability in the MHTML protocol in order to target political activists who use Google’s services. At the same time, Google revealed that the same technique was being used against users of “another popular social site.”
While this other website has not been identified, Greg Walton reported that this MHTML exploit was being directed against Gmail users and that the initial phishing message was being propagated through Facebook. These attacks targeted journalists and political activists. Like the recent phishing attacks, the attackers modified the delegation settings so they can continue to monitor the compromised Gmail accounts.
Google’s services haven’t been the only ones targeted. Trend Micro researchers in Taiwan revealed a phishing attack that exploited a vulnerability in Microsoft’s Hotmail service. In fact, rather than clicking a malicious link, even the simple act of previewing the malicious email message can compromise a user’s account. This phishing email pretended to be from the Facebook security team.
In addition to Gmail and Hotmail users, Yahoo! Mail users have also been targeted. We recently alerted Yahoo! of an attempt to exploit Yahoo! Mail by stealing users’ cookies in order to gain access to their email accounts. While this attempt appeared to fail, it does signify that attackers are attempting to attack Yahoo! Mail users as well.
The same email address that attempted to exploit Yahoo! Mail was used in targeted attacks featuring malicious Microsoft Excel spreadsheets in March. This demonstrates the diversity of exploits that are available to attackers.
These events demonstrate that in addition to targeted attacks that encourage users to open malicious attachments, usually .PDF and .DOC files, attackers are also attempting to exploit vulnerabilities in popular Webmail services in order to compromise Webmail accounts, to monitor communications, and to gain information in order to stage future attacks.
These attacks can be difficult to defend against because they often appear to come from recognizable sources. However, there are some clues that can help identify phishing email messages. Spelling and grammatical errors are generally present in the messages, indicating that they did not originate from the expected source. To know more about targeted malware attacks, you may read the post, “How Sophisticated Are Targeted Malware Attacks?”
In addition, while the malicious links may contain keywords like “google,” “hotmail,” or “yahoo,” these will actually be links to third-party websites that can be easily spotted. The use of two-step verification processes (which Google offers for Gmail) can also help defend against such attacks. Finally, tools that protect browsers from the execution of malicious scripts such as Trend Micro Browser Guard can help mitigate these threats.
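As an added example (not code from the post), here is a small Python check for the lookalike-link clue described above: it flags any link whose text contains a brand keyword such as “google,” “hotmail,” or “yahoo” but whose host is not one of that brand’s real domains. The domain list and the sample message are constructed for this example and are assumptions, not data from the post.

```python
import re
from urllib.parse import urlparse

# Brand keywords from the post, mapped to domains assumed legitimate for this example.
BRAND_KEYWORDS = {
    "google": {"google.com", "gmail.com"},
    "gmail": {"google.com", "gmail.com"},
    "hotmail": {"hotmail.com", "live.com"},
    "yahoo": {"yahoo.com"},
}

# Constructed sample phishing text; the links are fictitious.
SAMPLE_MESSAGE = """Dear user,
Your Gmail acount will be suspended. Verify now at http://gmail.com.account-verify.example/login
or read our policy at https://support.google.com/mail/ .
"""

def registered_domain(host):
    """Last two labels of a hostname, e.g. 'accounts.google.com' -> 'google.com'.
    Simplification for the example; real code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def classify_link(url):
    """Return (keyword, verdict): 'legitimate', 'suspicious', or 'no-brand'.
    urlparse().hostname discards any user@ prefix, so 'google.com@evil.example'
    is judged by its real host, evil.example."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    domain = registered_domain(parsed.hostname or "")
    text = url.lower()
    for keyword, domains in BRAND_KEYWORDS.items():
        if keyword in text:
            return keyword, ("legitimate" if domain in domains else "suspicious")
    return None, "no-brand"

def find_suspicious_links(body):
    """Extract http(s) links from a message body and return the suspicious ones."""
    hits = []
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        url = url.rstrip(".,;)")  # drop trailing sentence punctuation
        keyword, verdict = classify_link(url)
        if verdict == "suspicious":
            hits.append((url, keyword))
    return hits

if __name__ == "__main__":
    for url, keyword in find_suspicious_links(SAMPLE_MESSAGE):
        print(f"suspicious link mentioning '{keyword}': {url}")
```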
Lastly, you can watch this fun video about phishing: