Days after Google disclosed several high-profile Gmail accounts had been hit by a phishing campaign, reports have emerged of similar attacks against other Web-based email providers.
Hotmail and Yahoo Mail have also been targeted with similar phishing attacks, Nart Villeneuve, a senior threat researcher at Trend Micro, wrote in a June 2 blog post. Villeneuve believed the attacks were conducted separately.
As in the assault on Gmail, the perpetrators were trying to gain control of user accounts on other Web mail services in order to monitor communications. Some of the attacks also had another objective: to find out what sort of security software was installed on the user’s system. That information would help attackers plan future assaults, according to Villeneuve.
“There have been a variety of recent attacks on popular Web mail platforms. In addition to Gmail, Hotmail and Yahoo! Mail have also been targeted,” Villeneuve wrote on the Trend Micro blog.
The initial phase appears to be a targeted email that redirects users to a fake site designed to trick them into entering their log-in credentials. With the credentials in hand, the attacker can log in to the account and change settings that allow them to monitor all outgoing mail. The Gmail attackers entered an email address they control under the “forwarding and delegation settings,” which allows them to send and receive email messages without ever having to log back into the accounts. Hotmail keeps the forwarding features under “Email forwarding” in Options. Only users who have upgraded to Yahoo Mail Plus have the option to forward their messages to another address.
This is why when users know their accounts have been hacked, it’s not enough to just reset the password. It’s important to check that the attackers aren’t forwarding all messages to rogue email addresses.
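The check the previous paragraph calls for, as an added example that is not part of the original article: an audit routine run over an account's mail-routing settings that flags every address not on an approved list. The input is a constructed dictionary whose field names follow the Gmail API v1 `users.settings` resources (`getAutoForwarding`, `forwardingAddresses`, `delegates`, `filters`) as documented for that API; the addresses and filter ids are made up, and the approved list is an assumption.

```python
# Constructed sample shaped like the Gmail API v1 users.settings responses.
# Field names follow that API; every address, id and value here is made up.
SAMPLE_SETTINGS = {
    "autoForwarding": {
        "enabled": True,
        "emailAddress": "collector@attacker.example",
        "disposition": "leaveInInbox",   # original stays in the inbox, so nothing looks missing
    },
    "forwardingAddresses": [
        {"forwardingEmail": "collector@attacker.example", "verificationStatus": "accepted"},
        {"forwardingEmail": "me@backup.example", "verificationStatus": "accepted"},
    ],
    "delegates": [
        {"delegateEmail": "assistant@corp.example", "verificationStatus": "accepted"},
    ],
    "filters": [
        # A filter-based forward is a second place mail can leak from, separate
        # from the account-wide auto-forwarding setting.
        {"id": "f1", "criteria": {"from": "*"}, "action": {"forward": "collector@attacker.example"}},
        {"id": "f2", "criteria": {"subject": "newsletter"}, "action": {"removeLabelIds": ["INBOX"]}},
    ],
}

# Addresses the account owner knowingly set up (assumed for this example).
APPROVED = {"me@backup.example", "assistant@corp.example"}


def audit_forwarding(settings, approved):
    """Return (setting, address) pairs that route mail or grant access to unapproved parties."""
    findings = []

    auto = settings.get("autoForwarding", {})
    if auto.get("enabled") and auto.get("emailAddress") not in approved:
        findings.append(("autoForwarding", auto["emailAddress"]))

    # Registered forwarding addresses are checked regardless of verification
    # status: an attacker with the password can complete verification.
    for fwd in settings.get("forwardingAddresses", []):
        if fwd["forwardingEmail"] not in approved:
            findings.append(("forwardingAddress", fwd["forwardingEmail"]))

    # Delegates can read and send mail without knowing the password at all.
    for delegate in settings.get("delegates", []):
        if delegate["delegateEmail"] not in approved:
            findings.append(("delegate", delegate["delegateEmail"]))

    # Filters with a forward action are easy to overlook in the UI.
    for flt in settings.get("filters", []):
        target = flt.get("action", {}).get("forward")
        if target and target not in approved:
            findings.append(("filter:" + flt["id"], target))

    return findings


if __name__ == "__main__":
    for setting, address in audit_forwarding(SAMPLE_SETTINGS, APPROVED):
        print(f"UNAPPROVED {setting} -> {address}")
```

Resetting the password leaves every one of these entries in place, which is why the audit treats the password change and the settings review as separate steps; the same shape of check applies to the Hotmail and Yahoo Mail Plus forwarding options named above.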
The scam also involves running a script that exploits the res:// protocol to discover what type of antivirus software is running on the system the victim is using. This could be the victim’s personal machine or even a public terminal in a university or library. The res:// protocol has been part of the Internet Explorer Web browser since version 4.0 and can be used to access resources inside an executable (EXE) or library (DLL) file on the computer.
Malware that exploits the res:// protocol is used to craft customized attacks that “have a high probability of success,” Villeneuve said. By relying on this two-pronged method, attackers can gain full control over the victim’s PC, not just the Web mail account.
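A detection for the behaviour described in the two paragraphs above, as an added example that is not from the article or from Trend Micro: a page that references several different local files through `res://` is reconnaissance of installed software, so a proxy or mail-gateway filter can flag content by counting the distinct files it probes. The HTML sample and the file names in it are constructed placeholders, and the threshold of three distinct files is an assumption.

```python
import re

# res://<file>/<resource-type>/<resource-name> resolves to a resource inside a
# local EXE or DLL. The scheme is matched case-insensitively and the trailing
# type/name segments are optional, so a bare res://file reference still matches.
RES_URI = re.compile(r"res://([^/\s'\"<>]+)(?:/[^\s'\"<>]*)?", re.IGNORECASE)


def find_res_targets(content):
    """Return the distinct local files that page content references via res://."""
    return sorted({m.group(1).lower() for m in RES_URI.finditer(content)})


def flag_res_probe(content, threshold=3):
    """Flag content that probes at least `threshold` distinct local files (assumed cutoff)."""
    targets = find_res_targets(content)
    return {"targets": targets, "suspicious": len(targets) >= threshold}


# Constructed sample page; the file names are placeholders, not real products.
SAMPLE_PROBE_PAGE = """
<html><body>
<img src="res://placeholder-a.exe/#2/#101" alt="">
<img src="RES://placeholder-b.dll/#2/#102" alt="">
<img src="res://placeholder-c.dll/#2/#103" alt="">
<img src="res://placeholder-a.exe/#2/#104" alt="">
<img src="https://cdn.example/banner.png" alt="">
</body></html>
"""

# Constructed benign page: a single legitimate-looking local resource reference.
SAMPLE_BENIGN_PAGE = '<img src="res://ieframe.dll/info_48.png" alt="">'


if __name__ == "__main__":
    for name, page in (("probe", SAMPLE_PROBE_PAGE), ("benign", SAMPLE_BENIGN_PAGE)):
        result = flag_res_probe(page)
        print(name, "suspicious" if result["suspicious"] else "ok", result["targets"])
```

Counting distinct files rather than raw matches matters: a legitimate page may reference one browser-shipped resource several times, while a probe touches many different files exactly once.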
In addition to spear phishing, the attackers appeared to be using Web vulnerabilities to target political activists, Villeneuve said. The Gmail attack was similar to an attack targeting Hotmail users in Taiwan. The malicious email, which masqueraded as a message from the Facebook security team, could take over the user’s account simply by being previewed.
In another incident, adversaries tried to steal user cookies in order to access Yahoo Mail accounts without needing to crack users’ log-in information or passwords. Trend Micro alerted Yahoo to the attack. “While this attempt appeared to fail, it does signify that attackers are attempting to attack Yahoo! Mail users as well,” said Villeneuve.
The Yahoo Mail attackers were also behind a different spam campaign that featured malicious Microsoft Excel spreadsheets back in March, according to Trend Micro.
“These attacks can be difficult to defend against because these often appear to come from recognizable sources,” Villeneuve said. There are some clues that can help identify phishing emails, such as spelling and grammatical errors.
In addition, while the malicious links may contain keywords like “google,” “hotmail,” or “yahoo,” they actually point to third-party Websites, which can be spotted on inspection. The use of two-step verification can also help defend against such attacks.
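The link inspection described above, as an added example that is not from the article: the keyword can sit in a subdomain, in the path, or in the user-info part of a URL, so the check parses each link and compares the registrable domain of the actual host against the domains that legitimately serve the service. The sample links are constructed, the `.test` hosts are reserved placeholders, and the short allowlist of trusted domains is an assumption for this example, not a complete list.

```python
from urllib.parse import urlparse

# Constructed sample links; none are real phishing URLs. The .test TLD is
# reserved for examples and never resolves.
SAMPLE_LINKS = [
    "https://mail.google.com/mail/u/0/",                # genuine
    "https://login.live.com/",                          # genuine, no brand keyword in it
    "https://mail.yahoo.com/",                          # genuine
    "http://google.example-host.test/login",            # brand only in a subdomain
    "http://example-host.test/hotmail/signin.php",      # brand only in the path
    "https://accounts.google.com.example-host.test/",   # brand followed by the real domain
    "https://mail.google.com@example-host.test/",       # brand in the user-info part
]

# Domains that legitimately serve each brand (assumed, deliberately short allowlist).
TRUSTED_DOMAINS = {
    "google": {"google.com", "googlemail.com"},
    "hotmail": {"hotmail.com", "live.com", "microsoft.com"},
    "yahoo": {"yahoo.com"},
}


def registrable_domain(host):
    """Last two labels of the host; adequate for the .com hosts in this example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url):
    """Return (brand, verdict): 'trusted', 'suspicious', or 'unbranded' when no keyword appears."""
    # urlparse().hostname strips user-info and port, so "brand@real-host" is
    # resolved to the real host rather than the bait in front of the '@'.
    host = urlparse(url).hostname or ""
    domain = registrable_domain(host)
    text = url.lower()
    for brand, domains in TRUSTED_DOMAINS.items():
        if brand in text:
            return brand, ("trusted" if domain in domains else "suspicious")
    return None, "unbranded"


def audit_links(links):
    """Map each link to its verdict; the caller decides what to do with 'suspicious' ones."""
    return {url: classify_link(url)[1] for url in links}


if __name__ == "__main__":
    for url, verdict in audit_links(SAMPLE_LINKS).items():
        print(f"{verdict:10s} {url}")
```

The keyword test only decides whether a link claims a brand; the verdict comes from the parsed host, which is the part the user's eye skips when the brand name appears earlier in the string.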