Hackers are Using Gmail Drafts to hide Malwares and Steal Data

In the world tech, delete does not necessarily mean delete. Similarly, Gmail draft folder is not necessarily for storing unsent mails, reports by a security startup, Shape security unearthed a ploy by hackers to hide an innocent looking malware in the draft folder for stealing data from victim’s computer.

According to researchers at shape security , who discovered the malicious program in a client’s computers system, the malware uses a “command and control” communication channel that allow the hacker to remotely update the malware and steal data from the victims system. Burying the malware in the drafts folders makes it difficult to detect.

“What we’re seeing here is command and control that’s using a fully allowed service, and that makes it super stealthy and very hard to identify,” says Wade Williamson, a security researcher at Shape. “It’s stealthily passing messages back and forth without even having to press send. You never see the bullet fired.”

For a successful attack, the hacker first creates an anonymous Gmail account, then infects the target computer with the malware, allowing them to gain full control of the victim’s computer. The attacker then opens their anonymous Gmail account on the compromised machine in invisible instance in Internet Explorer.

Researchers also observed that the malware is programmed to allow Internet Explorer to query webpages without the knowledge of the victim. It uses a Python script to retrieve commands and codes left by the hacker in a draft mail on anonymous Gmail account which is open but hidden to the unsuspecting victim. The malware then executes the commands and pastes the requested information on the draft field for retrieval by hacker.

Typically, hackers exploit vulnerabilities in internet protocols such as IRC of HTTP protocols to control and distribute malwares. This change of tact from more sophisticated techniques to using simple and unsusceptible methods such Gmail service allows the hacker to lay low for a long time and steal huge chunks of data.

According to Williamson, the current malware is an advancement of a Remote Access Trojan (RAT) known as Icoscript discovered by German researchers at G-Data security firm in August. Icoscript, discovered in Yahoo mail service used a similar command and control channel to steal information from the victim’s computer and remained undetected for a long time.

The scope and extent of the attacks is unclear but security experts from both G-Data and Shape security agree that malwares of this nature are limited to targeted attacks which may not be widespread.

Security experts have warned that diagnosing for the malware maybe a nightmare for victims and called on Google to fortify their system to keep off the automated malwares. Google is yet to release an official statement on the malware.

However, while responding to an email from WIRED, Google’s Spokesman, assured clients that the tech giant was extra vigilant on malicious activities on its service. “Our systems actively track malicious and programmatic usage of Gmail and we quickly remove abusive accounts we identify,” said google spokesman.

Top/Featured Image: By  Google / Wikipedia (https://commons.wikimedia.org/wiki/File:Gmail_logo.png)

Ali Qamar Ali Qamar is a seasoned blogger and loves keeping a keen eye on the future of tech. He is a geek. He is a privacy enthusiast and advocate. He is crazy (and competent) about internet security, digital finance, and technology. Ali is the founder of PrivacySavvy and an aspiring entrepreneur.
Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.