nir Posted October 3, 2018

The Indian online office suite is reportedly being abused on a massive scale to exfiltrate data from compromised machines.

Researchers have uncovered a keylogger phishing campaign which abuses Zoho in order to spread and exfiltrate data from victim devices. On Tuesday, security researchers from Cofense said that Zoho, a web-based office suite and email provider, is being abused by phishers and fraudsters on a massive scale.

The Indian company's domain was suspended briefly in September, the researchers said in a blog post. This was due to an "insufficient response" to the reported abuse. Zoho's registrar, TierraNet, took down the domain, seemingly surprising Zoho with the move -- to the point that the company took to Twitter to plead for help in resuming service.

At the time of the suspension, Zoho CEO Sridhar Vembu said: "There were a total of 3 complaints in 2 months and we took action on 2 of them immediately and one is pending investigation. We serve 40 million users. 3 complaints in 2 months."

TierraNet's abrupt blockade of the service not only impacted Zoho itself but millions of customers in one fell swoop. Zoho's CEO outlined plans for the company to "be a domain registrar ourselves" to prevent the situation from happening again.

Now restored, Zoho services are once again being used for keylogger-based phishing campaigns, Cofense says. The software platform's email address service, on both zoho.com and zoho.eu domains, is being exploited in 40 percent of phishing campaigns in which email "is the primary exfiltration vehicle." Other victim domains include outlook.com, yandex.com, and gmail.com.

"The reason for threat actors overwhelmingly abusing Zoho is unclear, but minimal security process enforcements -- optional 2FA (not enforced), activity monitoring, etc. -- combine with user susceptibility to create fertile ground," the researchers say.
Keyloggers are defined as malware families which have been given the capability to monitor keystrokes and input from Human Interface Devices (HIDs). The malware may also be able to conduct clipboard monitoring and screen capture. When a compromised PC is used by an individual to access their email account, for example, the malware is able to record the keys pressed on a keyboard.

Many forms of keylogger, including Agent Tesla and Hawkeye, are given bolt-on stealer capabilities and are distributed as part of wider malware packages or exploit kits. Information compromised by the malicious code may then be sent to the malware's command-and-control (C2) server, controlled by an attacker, who can then use the data to access the account.

Zoho may account for over a third of the email addresses used, but the company is not the only email service provider being targeted. In August, Cofense revealed the existence of a campaign spreading the Geodo malware, a banking Trojan, which leveraged stolen credentials from platforms including Gmail, Outlook.com, Yandex, and Yahoo.

ZDNet has reached out to Zoho and will update if we hear back.

Source
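A defender-side illustration of the exfiltration pattern the article describes (a keylogger mailing stolen data out through a consumer email provider), added here as an example and not code from ZDNet, Cofense or Zoho: it scans constructed endpoint network-connection log lines and flags outbound SMTP connections to the provider domains named in the report when the connecting process is not a known mail client. The log format, host names, process names and the mail-client allowlist are all assumptions.

```python
import re
from collections import namedtuple

# Provider domains the Cofense report names as exfiltration destinations.
EXFIL_MAIL_DOMAINS = ("zoho.com", "zoho.eu", "outlook.com", "yandex.com", "gmail.com")
# SMTP, SMTPS and submission ports; a keylogger mailing stolen data uses one of these.
MAIL_PORTS = {25, 465, 587}
# Processes expected to speak SMTP on a workstation (assumed allowlist; tune per fleet).
KNOWN_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed EDR-style log format: "<timestamp> proc=<image path> dst=<host>:<port>"
LOG_RE = re.compile(r"^(?P<ts>\S+) proc=(?P<proc>.+?) dst=(?P<host>[^:\s]+):(?P<port>\d+)$")

Alert = namedtuple("Alert", "ts proc host port")

def _is_mail_provider(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in EXFIL_MAIL_DOMAINS)

def find_suspicious_mail_connections(lines):
    """Return Alerts for outbound SMTP connections to the named providers
    made by processes that are not on the mail-client allowlist."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line: skip rather than crash
        port = int(m["port"])
        proc = m["proc"].rsplit("\\", 1)[-1].lower()  # image name without the path
        if port in MAIL_PORTS and _is_mail_provider(m["host"]) and proc not in KNOWN_MAIL_CLIENTS:
            alerts.append(Alert(m["ts"], proc, m["host"].lower(), port))
    return alerts

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2018-10-03T09:12:01Z proc=C:\\Users\\bob\\AppData\\Roaming\\svchosts.exe dst=smtp.zoho.com:587",
    "2018-10-03T09:12:05Z proc=C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE dst=smtp.office365.com:587",
    "2018-10-03T09:13:40Z proc=C:\\Windows\\Temp\\update.exe dst=smtp.zoho.eu:465",
    "2018-10-03T09:14:02Z proc=C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe dst=smtp.gmail.com:465",
    "2018-10-03T09:15:11Z proc=chrome.exe dst=mail.zoho.com:443",
]

if __name__ == "__main__":
    for a in find_suspicious_mail_connections(SAMPLE_LOG):
        print(f"{a.ts} {a.proc} -> {a.host}:{a.port}")
```

Webmail use over 443 is not flagged, only direct SMTP submission from an unexpected binary, which is the channel the report describes.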
DKT27 (Administrator) Posted October 3, 2018

Topic moved to Security and Privacy News. Suits better here.

Sad to hear this. They are investing so much money in advertising here; they need to invest more in security instead, I think.
steven36 Posted October 3, 2018

3 hours ago, DKT27 said:
Sad to hear this. They are investing so much money in advertising here; they need to invest more in security instead, I think.

What do you do? It's not like it's just a problem with Zoho. I was reading it from the source yesterday. It said:

Quote
After last month’s brief domain suspension of Zoho—which resulted from an insufficient response to reported phishing abuse—Cofense Intelligence™ has uncovered Zoho’s connection to an extremely high number of keylogger phishing campaigns designed to harvest data from infected machines. Of all keyloggers analysed by Cofense, 40% used a zoho.com or zoho.eu email address to exfiltrate data from victim machines.

On September 25th, Zoho, the Indian software company which offers an online office suite, had its domain taken down briefly by its registrar, TierraNet, following reports of phishing originating from one of Zoho’s services. The resultant outage affected Zoho’s 30M+ userbase and numerous services.

Despite being subject to media scrutiny and aggressive registrar actions, Zoho is hardly the only victim of platform abuse. Many trojans and keyloggers have abused popular platforms to support credential theft. As highlighted in a recent Cofense™ blog, the Geodo malware leverages stolen credentials across hundreds of platforms – SaaS, ESPs, and private mail servers alike. Gmail, Outlook.com, Yandex, and Yahoo are frequent victims. Now, Cofense Intelligence has confirmed that Zoho-owned domains (both zoho.com and zoho.eu) are enabling roughly 40% of all keylogger data theft where email is the primary exfiltration vehicle.
https://cofense.com/staggering-amount-stolen-data-heading-zoho-domains/

It's not like people who use their email are at risk. This is the same thing as when IPs get banned when using a VPN or proxy because some bad actors are using the service; the only thing they can do is get a new IP, and it's just a matter of time before it happens again. I've seen Google block Nsaneforums before because someone posted an image from a blacklisted site. You can't stop people from using email. Most of the time, when there's an investigation going on, the email providers are handing info over to the cops, and sooner or later they get caught, because the emails they're using are not even privacy-centric; they're mainstream emails, and they're using all of them for phishing campaigns. That's how they spread it: they send you an email from some other email. If they didn't have emails to send it from, there'd be no email ransomware, malware or spam. The worst viruses ever made were sent out from an email service; it's been around almost as long as emails have. No email is going to really protect you unless they bin it in spam; it's best to use common sense and don't click on spam emails. So them posting it, the only thing it does is warn you to be wary of phishing campaigns. It's no magic cure for a problem that is as old as emails. Antivirus can scan emails if they have the signature.

By the way, Zoho Free has fewer ads than any of them because they have a bunch of paid users. What I did not like about the Cofense report was them not being transparent enough; they didn't report who the other emails are that make up the other 60% of all keyloggers, so they seem to be just targeting Zoho because it got blacklisted by its old registrar.