Hackers Using Gmail Drafts To Steal Information


Researchers have discovered malware that uses a novel form of command and control (C2), the channel through which attackers update their malicious software and retrieve the data it steals. The commands are tucked away in a Gmail drafts folder, in messages that are never sent, so the only traffic a network sees is a browser talking to Gmail over HTTPS, which makes the channel very hard to tell apart from ordinary use of the service.

“What we’re seeing here is command and control that’s using a fully allowed service, and that makes it superstealthy and very hard to identify,” says Wade Williamson, a researcher at Shape Security. “It’s stealthily passing messages back and forth without even having to press send. You never see the bullet fired.”


How the Gmail drafts channel works

First the attacker sets up an anonymous Gmail account, then infects a machine on the target’s network with the malware. Once it has control of the machine, the malware logs in to that Gmail account from a hidden instance of Internet Explorer: Windows lets other programs drive the browser through its automation interface, so a page can be open and active without anything appearing on the user’s screen.

With the user still unaware, the malware opens the account’s drafts folder and, using a Python script, reads instructions out of a draft message that the attacker updates remotely. It replies through the same draft, writing acknowledgements of each instruction and the stolen data back into it for the attacker to collect. Nothing is ever sent, so the exchange never produces an outbound email that mail filtering could inspect.

To keep anti-virus software from recognising the traffic, everything exchanged between the attacker and the malware is encrypted, so the draft body reads as opaque text rather than as commands or stolen data. Combined with the fact that the connection itself is ordinary HTTPS to a service most networks allow, a proxy sees only a browser session with Google.
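To make the mechanics concrete, here is an added example in Python that models the draft-based channel end to end. It is not code from the article, from Shape Security or from the Icoscript sample: an in-memory dict stands in for the drafts folder, a throwaway keystream cipher stands in for whatever encryption the real malware used, the shared key and the command answers are constructed, and the draft names (`tasking`, `results`) and the 60-second poll interval are assumptions. The operator edits one draft, the implant polls it on a timer, acts only on a sequence number it has not seen, and writes its acknowledgement and output into a second draft. The last function shows the defender’s angle: nothing is ever sent, but a process fetching the same draft at a machine-regular interval is itself a signal.

```python
import base64
import hashlib
import json
import statistics

def keystream_xor(key: bytes, nonce: int, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter mode XORed over data); symmetric.
    Stands in for whatever the real malware used; not a scheme to reuse."""
    out = bytearray()
    while len(out) < len(data):
        ctr = len(out) // 32
        out += hashlib.sha256(key + nonce.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, out))

def seal(key: bytes, seq: int, obj) -> str:
    """Encrypt a JSON message as draft text '<seq>.<base64>'. The sequence
    number is the per-message nonce and lets a reader skip handled drafts."""
    ct = keystream_xor(key, seq, json.dumps(obj).encode())
    return f"{seq}.{base64.b64encode(ct).decode()}"

def unseal(key: bytes, body: str):
    seq, b64 = body.split(".", 1)
    return int(seq), json.loads(keystream_xor(key, int(seq), base64.b64decode(b64)))

class DraftsFolder:
    """In-memory stand-in for the account's drafts folder. Reads and writes are
    logged as (time, actor, action, draft) so beacon_profile can see the cadence."""
    def __init__(self):
        self.drafts, self.access_log = {}, []
    def save(self, draft_id, body, actor, now):
        self.drafts[draft_id] = body
        self.access_log.append((now, actor, "save", draft_id))
    def load(self, draft_id, actor, now):
        self.access_log.append((now, actor, "load", draft_id))
        return self.drafts.get(draft_id)

class Operator:
    """Attacker side: edits the 'tasking' draft, reads the 'results' draft."""
    def __init__(self, key, folder):
        self.key, self.folder, self.seq = key, folder, 0
    def queue_command(self, cmd, now):
        self.seq += 1
        self.folder.save("tasking", seal(self.key, self.seq, {"cmd": cmd}), "operator", now)
    def read_results(self, now):
        body = self.folder.load("results", "operator", now)
        return unseal(self.key, body)[1] if body else None

FAKE_HOST = {"hostname": "WORKSTATION-7", "whoami": "corp\\jdoe"}  # constructed answers

class Implant:
    """Infected-host side: polls 'tasking' on a timer, runs only a sequence
    number it has not seen, and writes ack plus output into 'results'."""
    def __init__(self, key, folder):
        self.key, self.folder, self.last_seq = key, folder, 0
    def poll(self, now):
        body = self.folder.load("tasking", "implant", now)
        if body is None:
            return None
        seq, msg = unseal(self.key, body)
        if seq <= self.last_seq:      # already handled: an idle poll
            return None
        self.last_seq = seq
        result = {"ack": seq, "cmd": msg["cmd"],
                  "output": FAKE_HOST.get(msg["cmd"], "unknown command")}
        self.folder.save("results", seal(self.key, seq, result), "implant", now)
        return result

def run_session(commands=("hostname", "whoami"), poll_interval=60):
    """One tasking round trip per command; returns the folder (for its log)
    and the list of results the operator read back."""
    folder = DraftsFolder()
    key = b"demo-shared-secret"   # constructed; both ends hold it out of band
    operator, implant = Operator(key, folder), Implant(key, folder)
    now, transcript = 0, []
    for cmd in commands:
        operator.queue_command(cmd, now)
        now += poll_interval
        implant.poll(now)         # finds the new draft, answers it
        now += poll_interval
        implant.poll(now)         # idle poll: same seq, nothing to do
        transcript.append(operator.read_results(now))
    return folder, transcript

def beacon_profile(access_log, actor="implant"):
    """Defender's angle: nothing is ever sent, but the implant fetches the same
    draft at a fixed cadence. Returns (mean gap, coefficient of variation) of
    that actor's reads; a CV near zero means machine-regular polling."""
    times = [t for t, who, action, _ in access_log if who == actor and action == "load"]
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    return mean, statistics.pstdev(gaps) / mean

if __name__ == "__main__":
    folder, transcript = run_session()
    print(*transcript, sep="\n")
    print("implant beacon profile (mean gap, cv):", beacon_profile(folder.access_log))
```

Running it returns each command’s acknowledgement and output to the operator, and `beacon_profile` reports a 60-second mean gap with zero jitter. The draft text itself is opaque, which is the point of the encryption; what remains visible in a real environment is the rhythm: a browser (or any process) reaching Gmail on a fixed cadence from a host whose user is not at the keyboard, launched by a parent that has no business driving a browser.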

A widespread problem?

Shape has since said that it does not know how many computers may be infected. The malware is a variant of a remote access trojan (RAT) called Icoscript, which was first documented in August.

G-Data, the German security firm that first documented Icoscript, says the trojan has been active since 2012 and originally used Yahoo Mail for the same purpose. The switch to Gmail is thought to make it harder still to spot, and the onus now falls on Google to recognise accounts being driven by malware rather than by people.
