Security Boffins Smell Phish in Hotmail, Yahoo

Gmail is not the only e-mail service whose users have been targeted by spear-phishing hackers. Users at Yahoo Mail and Hotmail are also on the email infiltrators’ hit lists, according to security firm Trend Micro.

The attacks on the latter two email systems appear to be separately conducted, said Nart Villeneuve, senior threat researcher at Trend Micro. However, they contain significant similarities with the recently seen attacks on Gmail users.

Earlier this week, Google disclosed that some of its Gmail users’ accounts had been breached by hackers using highly targeted spear phishing methods to gain access to and spy on their email exchanges. Though the list of victims is relatively short, Google claims it includes high-profile individuals like government officials, journalists and Chinese human rights activists.

As a method of stealing personal information, spear phishing has been going on for quite some time.

“These attacks occur all the time,” Rod Rasmussen, president and chief technology officer of Internet Identity, told TechNewsWorld.

“It would have been shocking if Gmail was the only email system targeted by this kind of attack,” Mike Paquette, chief strategy officer at Top Layer, remarked.

Phishing attacks and other forms of abuse are “a persistent industry challenge,” John Scarrow, general manager of Microsoft Safety Services, told TechNewsWorld.

So far, only Google has apparently made a public complaint, in which it also claims the hacks originated in China, kicking off a war of words between the Washington and Beijing.

However, the identity and origin of the attackers may not be easy to pinpoint accurately.

“It’s not difficult for the attackers to mask their true location and appear to be coming from locations in other countries,” Nart Villeneuve, a senior threat researcher at Trend Micro, pointed out.

Phishing attacks and other forms of abuse are “a persistent industry challenge,” John Scarrow, general manager of Microsoft Safety Services, told TechNewsWorld.

Google and Yahoo did not respond to requests for comment by press time.

About the Gmail Attack

Google has previously said the latest attack hijacked hundreds of users’ Gmail accounts through spear phishing.

Spear phishing is a targeted attack in which users are lured to click on a link embedded in an email or an attachment to an email with a subject line that may be of interest to the victim. Rather than the vague and general information contained in a typical phishing email scam, spear phishers use information specific to the victim in order to gain that person’s trust.

In some cases, the subject line appears to be work-related; in others, it appears to be from a friend or a courier company such as Federal Express, or it could be salacious — whatever works, in other words.

“Targeted emails that tempt a user to click a hyperlink are among the most prevalent methods of infecting computers with malware or of stealing information,” Top Layer’s Paquette told TechNewsWorld.

This is not the first attack on Gmail users; back in March, Google blogged about an attack using an MHTML vulnerability. This vulnerability let attackers load up a malicious document that could execute JavaScript into MHTML.

MHTML is a container format that uses MIME encapsulation to combine several documents into a single file. It’s used by Internet Explorer, which had the MHTML vulnerability.

Attacks on Yahoo and Hotmail

Users of the Hotmail and Yahoo Mail services were also targeted by phishing attacks, Trend Micro’s Villeneuve told TechNewsWorld.

In the case of Yahoo Mail, the attackers sent an email that contained two attachments, Villeneuve disclosed.

One was a malicious document and the other an unsuccessful cross-site scripting exploit attempt designed to steal the user’s Yahoo Mail cookie in order to access the user’s account, Villeneuve stated. However, the attacker’s code “did not function correctly,” he said.

Microsoft sidestepped the question of whether or not Hotmail account holders had been spear-phished.

“Microsoft is not aware of any Hotmail customers being targeted by the specific phishing attacks that occurred earlier this week,” Scarrow said.

Attackers can expect no mercy from Redmond.

“We actively prosecute malicious entities that violate the law through spam, phishing and other attacks,” Scarrow said.

Practicing Safe Email Access

Attacking people’s personal webmail accounts may give hackers access to vital information.

Many people check their personal webmail accounts at work, which lets attackers gain information about the target to use in later attacks, Villeneuve said.

People who check their personal webmail accounts from their office computers also open the door to attackers gaining information about the network the user is on, through tactics such as using the “res://” protocol, and using that information in later attacks, Villeneuve stated.

To minimize the threat from such email attacks, users should use a multi-step login process, IID’s Rasmussen said. Google suggests consumers use both a password and another proof of identity such as their phone number, although that might open up new vectors for attack.

Consumers should also change their passwords regularly; use different passwords for their different accounts; check their email settings, especially those for forwarding; and assume the bad guys have broken into their accounts and search for evidence of this “every once in a while,” Rasmussen stated.

“Phishing attacks are becoming more targeted,” Top Layer’s Paquette pointed out. “Unless you’ve requested the hyperlink, don’t click on it,” he warned.

It’s not easy for enterprises and government agencies to harden their email systems so that compromised emails don’t infect the IT infrastructure, Top Layer’s Paquette said.

“The compromised website may be so new that there’s no way for the email system to know in advance that it’s malicious,” Paquette pointed out.

However, there are other technologies organizations can use, such as network intrusion prevention systems, that stop the attack even after an infected email has been opened, Paquette said.

1 Comment

  • What are "high profile" users doing using GMail or any free service like that anyway? They are in a position to have private services. USE THEM! Then this would not be such an issue. Free is not always best nor secure. They should know this . . .

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Richard Adhikari
More in Malware

Technewsworld Channels