UPDATE: A previous version of this story reported that Cyphort found 300,000 stolen credentials on a Gmail server. This figure was incorrectly reported by the firm and has been corrected to the adjusted number, 2,500 stolen credentials, in this story.
Details have been disclosed on a five-year-old phishing campaign where in attackers have pilfered victims’ login credentials from Google, Yahoo, Facebook, Dropbox and Skype.
Dubbed NightHunter by researchers at the security firm Cyphort, the campaign is ongoing but has previously targeted log-ins from users from finance, sales and HR departments at firms in the energy, education, and the insurance sector – along with charities. At this point it’s unclear exactly why the attackers were stealing the data, outside of collecting it for potential future threats and fraud.
“The use of low-signal evasion it is leveraging such as webmail for data exfiltration points to much larger end-goal,” McEnroe Navaraj, a security researcher with the firm, wrote in a blog.
The campaign relies on Simple Mail Transfer Protocol (SMTP) or e-mail, to do its data exfiltration. The campaign also uses several keyloggers, such as Predator Pain, Limitless, and Spyrix, to siphon off credentials. The keyloggers are able to perform a handful of directives, including obfuscation, the clearing of browser data, taking screenshots and product disabling.
“Email to social networking is like snail-mail is to email, it is outdated and often overlooked, so it can be a more stealthy way of data theft,” Navaraj said.
The keyloggers are passed off through phishing emails with vague HR-related subject lines like “Jobs List,” “PO,” “Order” and “Inquiry.” The emails are accompanied by malicious .DOC, .ZIP and .RAR attachments but Navaraj claims the company has also seen it bundled with IDM/7zip installers as well.
When executed, the .NET binary steals users credentials and sends them to a remote email server.
Thousands of the stolen credentials were hidden, at least temporarily, on servers belonging to Gmail; 2,500 samples – some first seen as far back as 2009 – were spotted on Google’s smtp.googlemail.com/smtp.gmail.com server when the researchers checked in with the campaign last week.
Because the number of Gmail samples was so high, Cyphort decided to man-in-the-middle the traffic flowing to the site in its malware lab and found that many samples used code level obfuscation to help delay the analysis.
“Gmail seems to be the most popular email server used by the criminals to “park” the victim data in recent times,” Navaraj wrote, “The reason for larger number of samples using Gmail is probably (or likely) due to the popularity of Gmail and because most security products somehow ‘whitelist’ Google/Gmail traffic/activity making it easy to hide this email in the volume of emails sent out to Gmail.”
Navaraj adds that Gmail also imposes a steady level of restrictions, like how many times emails can be sent on a particular day. This may have prompted the attackers to open new Gmail accounts to be able to keep sending malware.