In addition to widely publicized attacks targeting the Gmail accounts of government officials and activists, Trend Micro reported yesterday that Yahoo! Mail and Hotmail are being targeted with similar but separate attacks.
The report, on Trend Micro’s Malware Blog on Thursday, was the first to suggest that the spear phishing attacks leveled at Gmail users extended to other free, Web-based e-mail providers as well. The objective of the attacks on Yahoo! and Hotmail users appears to be the same as that of the Gmail hackers reported by Threatpost yesterday. Attackers tried to access accounts and monitor the communication of their owners. In Gmail’s case, the attackers set up forwarding rules so that they could easily collect their victims’ email communications.
In all the reported cases, the attackers have used two general methods. In the first, they launched spear-phishing campaigns to get their initial access into these accounts. Then they spread out, sending more phishing emails from those infected accounts to the contacts of first-tier victims. In the reported cases, hackers targeted MHTML vulnerabilities within Google’s services, and according to Google, the services of “another popular site” to compromise host computers with malicious programs.
Google didn’t name that site, but other reports have pointed fingers at Facebook. Furthermore, Trend Micro claims that its researchers in Taiwan discovered attacks leveraging similar exploits in Hotmail that can be launched simply by previewing an email without following any links. Trend Micro has informed Yahoo of failed attempts at stealing users’ cookies in order to hijack their email accounts.
According to independent malware researcher Mila Parkour, who was among the first to study the spear phishing campaign, attackers placed a script on victims’ machines that was intended to reveal which, if any, anti-virus product that person was using. This information could then be used to move beyond the victims’ email accounts and launch more effective attacks specially tailored to avoid AV detection. Trend Micro now claims they have uncovered similar malware in other attacks not linked to Google or Gmail.
Spear phishing attacks are nothing new, and the hacks of Google and other Web-based email providers aren’t novel – though their victims tend to be. Surreptitious and long-term account hijacks now appear to be another tool in the toolbelt of sophisticated attackers, who can monitor communication to and from victim accounts and collect valuable user data over a period of time in order to launch highly personalized attacks later.