Cofense Research Reveals Extensive Abuse of Zoho Email by Keyloggers

New research from Cofense shows a significant rise in keylogger activity in 2018, which is consistent with research from Microsoft that documented the resurgence of the HawkEye keylogger.

Keyloggers are information-stealing malware that record keystrokes on a compromised computer. Many also capture other input sources such as webcam video and microphone audio, copy the contents of the clipboard, and take screenshots. Their aim is to harvest login credentials and other sensitive information.

That information is recorded locally and must then be transferred back to the attacker without being detected. Several channels are used: the stolen data can be uploaded to an attacker-controlled server identified by an IP address, domain name, or URL, but one of the most common exfiltration methods is email, with the malware sending the data from the infected host as messages to a mailbox the attacker controls.

The individuals who use keyloggers register free email accounts to receive the stolen information, and Cofense found that the largest single provider of those accounts is Zoho, the Indian provider of online office suite software. After studying where the keyloggers sent their stolen data, Cofense found that 39% of the exfiltration emails were addressed to Zoho accounts, compared with 7% sent to Yandex accounts, the second most commonly abused email platform.
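The defensive corollary of the two paragraphs above is that a keylogger's exfiltration shows up as an SMTP session from a workstation to a consumer mail provider, something a managed network should never produce. The script below is an added example, not code from the Cofense report or from Zoho: it runs a simple egress check over a constructed, tab-separated connection log. The relay address, the workstation range, and the watchlist hostnames (smtp.zoho.com, smtp.yandex.com, smtp.gmail.com) are assumptions for the example, as are the documentation-range IPs in the sample lines.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumptions made for this example (not from the Cofense report): the
# corporate mail relay is the only host expected to originate SMTP, every
# other 10.0.0.0/16 address is a user workstation, and the hostnames below are
# an analyst-maintained watchlist of consumer-mail SMTP submission servers.
CORP_RELAY = ipaddress.ip_address("10.0.0.25")
WORKSTATIONS = ipaddress.ip_network("10.0.0.0/16")
SMTP_PORTS = {25, 465, 587}
FREEMAIL_SMTP = {"smtp.zoho.com", "smtp.yandex.com", "smtp.gmail.com"}

# Constructed sample log (tab-separated: ts, src, dst, dport, resolved host).
# These lines are invented for the example; the IPs are documentation ranges.
SAMPLE_LOG = """\
ts\tsrc\tdst\tdport\thost
1538000001\t10.0.3.14\t203.0.113.10\t587\tsmtp.zoho.com
1538000002\t10.0.0.25\t203.0.113.10\t25\tsmtp.zoho.com
1538000003\t10.0.3.14\t198.51.100.7\t443\twww.example.com
1538000004\t10.0.7.2\t203.0.113.44\t465\tsmtp.yandex.com
1538000005\t10.0.9.9\t192.0.2.5\t25\tmail.partner.example
1538000006\t172.16.4.4\t203.0.113.10\t587\tsmtp.zoho.com
"""


@dataclass(frozen=True)
class Alert:
    ts: int
    src: str
    host: str
    dport: int
    severity: str  # "high" or "medium"


def parse_log(text: str) -> list[dict]:
    """Parse the tab-separated sample format into dicts, skipping the header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    rows = []
    for ln in lines[1:]:
        fields = ln.split("\t")
        if len(fields) != len(header):
            continue  # malformed line: skip it rather than abort the whole run
        row = dict(zip(header, fields))
        row["ts"] = int(row["ts"])
        row["dport"] = int(row["dport"])
        rows.append(row)
    return rows


def classify(row: dict) -> Optional[str]:
    """Severity for an SMTP session that a workstation should not be making.

    high:   workstation -> SMTP port on a watchlisted consumer-mail host
            (the exfiltration pattern the Cofense report describes)
    medium: workstation -> any other SMTP destination that bypasses the relay
    None:   everything else (non-SMTP, the relay itself, non-workstation src)
    """
    if row["dport"] not in SMTP_PORTS:
        return None
    src = ipaddress.ip_address(row["src"])
    if src == CORP_RELAY or src not in WORKSTATIONS:
        return None
    if row["host"].lower() in FREEMAIL_SMTP:
        return "high"
    return "medium"


def find_exfil_candidates(text: str) -> list[Alert]:
    """Run classify() over every parsed row and keep the ones that fire."""
    alerts = []
    for row in parse_log(text):
        sev = classify(row)
        if sev:
            alerts.append(Alert(row["ts"], row["src"], row["host"], row["dport"], sev))
    return alerts


if __name__ == "__main__":
    for a in find_exfil_candidates(SAMPLE_LOG):
        print(f"{a.severity:6} {a.ts} {a.src} -> {a.host}:{a.dport}")
```

On the sample log this flags the two workstation sessions to Zoho and Yandex as high and the session to an unlisted mail server as medium, while ignoring the relay's own traffic, an HTTPS connection, and a source outside the workstation range. Because submission on 465/587 is normally TLS-wrapped, the check works on connection metadata rather than message content; the cheaper control is an egress rule that only lets the relay reach SMTP ports at all, with this kind of log review confirming the rule is actually in force.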

Why Zoho in particular is not entirely clear, but Cofense researchers suggest that weak controls on account creation are what make the service attractive. Two-factor authentication is available for Zoho mail accounts but is not mandatory; accounts can be opened free of charge with few checks on who is opening them; and Cofense notes that registration requires no mobile phone verification and would be easy to automate with a simple script.

The report is more bad news for Zoho, which was recently taken offline temporarily by its domain registrar following reports that one of its services was being abused for phishing, causing an outage for its 30 million+ users.

Zoho has responded to the report and says it is taking steps to prevent abuse of its email service: it will soon require a mobile phone number for verification on all new accounts, including free ones, will step up monitoring of outgoing SMTP traffic, and will look for suspicious login patterns and block users who appear to be abusing the service.

“We are also tightening our policies for all users. We have recently revised and changed our policy around SPF (Sender Policy Framework) and implemented DKIM (DomainKeys Identified Mail) for our domain. This will result in a solid DMARC policy that we will also publish,” said Sridhar Vembu, founder and CEO of Zoho.

Vembu also attributed the abuse to the growth of the service: “Unfortunately, phishing has become one of the bad side-effects of Zoho’s rapid growth, especially the growth of our mail service. Since Zoho Mail offers the most generous free accounts, this gets exacerbated as more malicious actors take advantage of this massive customer value. But we are clamping down on this heavily.”

Author: NetSec Editor