Incidents

Mass hack attack or a Gmail bug?

For over a week users of Gmail have been exchanging stories about incidents of email accounts being compromised and the uncontrolled distribution of spam, trying to guess what’s behind this strange epidemic.

The spam mailings are being sent from hacked accounts to addresses that the account owners have communicated with – these are primarily addresses from the contact list. There is no message subject and the body contains nothing more than a link to an online drug store in the .co.cc domain. This is a redirect to the recently registered website mrapgyan.net which, incidentally, doesn’t work. A copy of the message is saved to the “Sent Mail” folder just like any other sent message, and sometimes it can be found in the “Trash” folder. Some of the messages don’t make it to their recipients and remain flagged as undelivered.

It turns out that every time the spammers connected to someone’s account they did so via a mobile interface and most probably using bots. The IP addresses used to gain unauthorized access were in locations dotted around the world – the USA, Western Europe, the Middle East, Asia, Africa…

It’s worth pointing out that the cybercriminals only used their victims’ contacts to send out spam – they didn’t modify passwords to email accounts and didn’t delete any messages or contact lists.

It remains to be seen what connects all the victims. Active accounts were targeted as well as those that have lain dormant for some time. Password strength and the presence or type of antivirus solution also appears to play no role. No malware was found on the majority of affected computers. The operating systems also varied, with XP, Windows 7, Windows Vista, Mac OS, and various versions of Linux in combination with browsers such as IE, Firefox, Opera, and Chrome.

The number of compromised accounts has not been determined. Google is keeping quiet for the moment – they are supposedly investigating. In the meantime, all users of Gmail are advised to check their recent account activity, change their passwords, unclick the “Stay signed in” box on all their computers and sign out when a session ends.

PS from Sergey Golovanov:

The domain mrapgyan.net, which is where the link in the spam message redirects to, was registered with directions to:

DNS1: ns1.u7d.ru
DNS2: ns2.pharmacyhealthmedsnow.eu
(http://www.robtex.com/dns/mrapgyan.net.html#whois)

What does that mean?
Well, virus analysts know that three-character domains of [letter][number][letter] are linked to the spread of Bredolab. And pharmacyhealthmedsnow.eu obviously points to spam advertising medications.

Mass hack attack or a Gmail bug?

Your email address will not be published.

 

Reports

The SessionManager IIS backdoor

In early 2022, we investigated an IIS backdoor called SessionManager. It has been used against NGOs, government, military and industrial organizations in Africa, South America, Asia, Europe, Russia and the Middle East.

APT ToddyCat

ToddyCat is a relatively new APT actor responsible for multiple sets of attacks against high-profile entities in Europe and Asia. Its main distinctive signs are two formerly unknown tools that we call ‘Samurai backdoor’ and ‘Ninja Trojan’.

WinDealer dealing on the side

We have discovered that malware dubbed WinDealer, spread by Chinese-speaking APT actor LuoYu, has an ability to perform intrusions through a man-on-the-side attack.

APT trends report Q1 2022

This is our latest summary of advanced persistent threat (APT) activity, focusing on events that we observed during Q1 2022.

Subscribe to our weekly e-mails

The hottest research right in your inbox