After last month’s brief domain suspension of Zoho—which resulted from an insufficient response to reported phishing abuse— Cofense Intelligence™ has uncovered Zoho’s connection to an extremely high number of keylogger phishing campaigns designed to harvest data from infected machines. Of all Keyloggers analysed by Cofense, 40% used a zoho.com or zoho.eu email address to exfiltrate data from victim machines.
On September 25th, Zoho, the Indian software company which offers an online office suite, had its domain taken down briefly by its registrar, TierraNet, following reports of phishing originating from one of Zoho’s services. The resultant outage affected Zoho’s 30M+ userbase and numerous services.
Despite being subject to media scrutiny and aggressive registrar actions, Zoho is hardly the only victim of platform abuse. Many trojans and keyloggers have abused popular platforms to support credential theft. As highlighted in a recent CofenseTM blog, the Geodo malware leverages stolen credentials across hundreds of platforms – SaaS, ESPs, and private mail servers alike. Gmail, Outlook.com, Yandex, and Yahoo are frequent victims. Now, Cofense Intelligence has confirmed that Zoho-owned domains (both zoho.com and zoho.eu) are enabling roughly 40% of all keylogger data theft where email is the primary exfiltration vehicle.
Keyloggers, at the most basic level, are a class of malware that record the input from some type of Human Interface Device (HID). Fundamentally, this would involve recording every key pressed down by a user on their keyboard. Modern iterations of this malware take these actions significantly further, expanding the set of target peripherals and services to:
- Screen capture (image and recording)
- Clipboard monitoring and manipulation
Many keyloggers – such as Agent Tesla and Hawkeye – have added ‘Stealer’ capabilities to their portfolio. This noxious mix of capabilities gives these families the ability to capture data both in real-time and retroactively, from vaults, wallets, caches and configs. Naturally, this begs the question: once the data has been stolen, serialized and prepared, where does it go? Either to a panel or, more commonly, to a compromised email account.
There are many ways threat actors, and by extension their malicious creations, can abuse the aforementioned mailing services and systems:
- Registering accounts for the sole purpose of distributing unwanted mail
- Credential theft
- Open-relay abuse
Credential theft or misappropriation is a critical part of any malicious activity involving email, whether for data exfiltration or proliferation.
2018: The Year in Keystrokes
In July, Microsoft released a report detailing a resurgence of Hawkeye. Cofense Intelligence has tracked a similar trend across several families of Keyloggers. Chart 1 details the year-to-date activity of Keyloggers distributed via phishing campaigns.
Chart 1: A clear and distinct rise in the keylogger activity throughout 2018
Cofense Intelligence data concurs with the findings of Microsoft and the greater security community: campaigns serving Hawkeye have been steadily increasing since July.
Hawkeye, Agent Tesla and many other keyloggers can be configured to use either web panels or email to exfiltrate their data. Chart 2 is a details exfiltration method across keyloggers tracked by Cofense Intelligence.
Chart 2: A breakdown of Exfiltration methods used by Agent Tesla and Hawkeye. Note: IP, Domain and URL could be combined into a single ‘HTTP’ category.
It’s clear, then, that Keyloggers overwhelmingly favour email to all other exfiltration methods combined. Chart 3 shows a breakdown of domains abused by the analyzed keyloggers to facilitate data theft.
Chart 3: Top 10 Email domains abused by analysed Keyloggers. Note that ‘Other’ encompasses more than 60 other domains
The reason for threat actors overwhelmingly abusing Zoho is unclear, but minimal security process enforcements – optional 2FA (not enforced), activity monitoring, etc. – combine with user susceptibility to create fertile ground.
Zoho is a cautionary example.
Zoho’s abuse should serve as a guide of what not to do in email security. Multi-factor authentication should be compulsory, as should active scanning of outbound messages. More advanced behavioural analytics can send early alerts to mail admins – whether administrating a SaaS product or the mail server of an enterprise – allowing them to respond quickly. Robust intelligence can also greatly assist with identifying victims of account compromise.
For a look back and a look forward at malware and phishing trends, read the 2018 Cofense Malware Review.
UPDATE 10/10/2018, We have been contacted directly by representatives of Zoho Mail who provided us an official statement from their CEO. You can read the full statement below:
“Unfortunately, phishing has become one of the bad side-effects of Zoho’s rapid growth, especially the growth of our mail service. Since Zoho Mail offers the most generous free accounts, this gets exacerbated as more malicious actors take advantage of this massive customer value. But we are clamping down on this heavily.
We are examining all accounts, especially free ones since this is where most of the abuse appears to be happening. We are now mandating verification using mobile numbers for all accounts, including free ones. We are actively looking at suspicious login patterns, and blocking such users, particularly for outgoing SMTP.
We are also tightening our policies for all users. We have recently revised and changed our policy around SPF (sender policy framework) and implemented DKIM (domain key identified mail) for our domain. This will result in a solid DMARC policy that we will also publish.” – Sridhar Vembu, founder and CEO of Zoho
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.