In case you're unfamiliar, a keylogger is a form of malicious software that silently monitors a victim's computer, harvesting account credentials and details of commercial transactions or tracking user behavior.
Keyloggers can record what users type on the keyboard, capture webcam and microphone feeds, take screenshots of active windows, and carry out other malicious activities. The collected information is then sent directly to a server under the attacker's control, or compiled into emails and dispatched to the attacker.
When email is the medium for exfiltrating stolen data, attackers rely on free email accounts to send their messages. According to research by security provider Cofense, up to 40% of the keyloggers it analyzed use Zoho to send emails containing information stolen from victims' computers.
Responding to BleepingComputer, Cofense stated that the most prevalent keyloggers associated with Zoho are Hawkeye and Agent Tesla. Both compile the stolen data and then use mail providers such as Zoho to dispatch it to the attacker.
The example in the illustration below is an email containing browser data gathered by Agent Tesla and sent back to the attackers.
The image below illustrates an email generated by the Hawkeye keylogger, containing login information it collected from browsers. As in the example above, the information in the email has been scrambled.
Cofense also notes that attackers can easily obtain and deploy keyloggers, uploading them to services like Zoho.
'The proliferation of keyloggers is growing, akin to an explosion of the Malware-as-a-Service model. By abstracting all parts of the malware, notably admin privileges and configurations, even inexperienced attackers can effortlessly deploy keyloggers. If Phishing-as-a-Service also exists, attackers would be able to download endpoint malware without needing to run a single command,' explained Cofense.
Attackers target Zoho for several reasons. First, it is a SaaS solution, and cloud-based services are prime targets for attackers because of the sheer volume and diversity of their end users.
For example, if a platform has 30 million users, compromising even a small percentage of accounts silently provides attackers with a foothold from which to take further steps.
Furthermore, the service lacks stringent security enforcement and implementation, with a quite lax account-creation process, which raises the risk.
Zoho's Actions
Regarding Zoho's stance, the company stated it will enact new policies that all free Zoho.com accounts must adhere to.
Below are some of the policies the company is implementing when issuing free @zoho.com accounts:
- Mandate mobile phone verification for all users registering new accounts.
- Change SPF for zoho.com to 'hard fail' so that emails of uncertain origin claiming to come from Zoho servers are marked as spam by receiving mail servers. Additionally, the company plans to implement DKIM for the zoho.com domain and publish a DMARC policy.
- Block free users from suspicious logins, especially via SMTP, to ensure Zoho email IDs are not exploited for malicious purposes.
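To show what the SPF 'hard fail' change means for a receiving server, here is an added example (not from the article, and not Zoho's actual DNS data): a minimal SPF evaluator run against two constructed records, one ending in '~all' (softfail) and one ending in '-all' (hard fail). The IP ranges and records are assumptions chosen for illustration; only ip4, ip6 and all mechanisms are handled and no DNS lookups are performed.

```python
import ipaddress

# Constructed SPF records (assumptions for illustration, not real zoho.com records).
SOFTFAIL_RECORD = "v=spf1 ip4:203.0.113.0/24 ~all"  # weak: unknown senders only softfail
HARDFAIL_RECORD = "v=spf1 ip4:203.0.113.0/24 -all"  # corrected: unknown senders hard fail

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Evaluate a minimal SPF record for the connecting sender IP.

    Returns pass, fail, softfail, neutral, none or permerror. Only ip4, ip6
    and all mechanisms are supported; include/redirect/a/mx would need DNS
    and are reported as permerror here.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier, mech = "+", term  # default qualifier is '+'
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # 'all' matches every sender
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # unsupported mechanism in this toy evaluator
    return "neutral"  # RFC 7208: no mechanism matched and no 'all' term


def receiver_action(result: str) -> str:
    """Typical receiving-server handling of each SPF result."""
    return {
        "fail": "reject or spam-folder",
        "softfail": "accept, add spam score",
        "pass": "accept",
    }.get(result, "accept")
```

With the softfail record a forged sender is merely scored; with the hard-fail record the same sender is rejected or quarantined outright, which is the effect the policy change above is meant to have on emails spoofing zoho.com.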
The company stated that its algorithms have been enhanced in recent days to thwart suspicious login attempts. Although Zoho Mail supports the two policies listed above, along with two-factor authentication (TFA), enforcing these policies on @zoho.com users could cause several problems for legitimate users, so the company still does not mandate compliance with them.
Activating TFA alone is also ineffective, because users can still create app-specific passwords and use them for automated sending; TFA only helps prevent unauthorized access to user accounts.
Responding to BleepingComputer, Zoho's CEO, Sridhar Vembu, stated that the company is focusing on preventing this type of abuse: 'Unfortunately, phishing has been one of the side effects following Zoho's development over the past few years, particularly the growth of our mail service. The company is also striving to limit these abuses.'
'Firstly, the company will conduct checks on all accounts, especially free accounts, as these are the most abused. We're currently authorizing account verification by verifying mobile phone numbers for all accounts, including free ones. Additionally, the company is reviewing and blocking suspicious login attempts, especially those sent via SMTP logins.
The next step for the company is to enhance and tighten policies for all users. Recently, the company has amended and modified SPF policies while implementing DKIM for the company's domain.
Additionally, the company is experimenting with heuristic methods and other algorithms before applying them on a larger scale. We apologize for not discussing this content in detail.'
