Cofense Study Discloses Extensive Misuse of Zoho Email by Keyloggers

Latest research from Cofense has shown there has been a substantial increase in keylogger activity in 2018 which backs up research carried out by Microsoft that indicated the revival of a keylogger known as Hawkeye.

Keyloggers are information-stealing malware that record keystrokes on a computer and other input from human interface devices (HUDs) such as microphones and webcams. A lot of modern keyloggers are also capable to copy information from the clipboard and take screenshots. Their purpose is to get login identifications, passwords, and other confidential information.

That information is recorded but should then be transmitted back to the attackers without being noticed. There are different methods that can be used to get the thieved data. The information can be conveyed to an IP, Domain, or URL, but one of the most usual ways keyloggers exfiltrate data is through electronic mail.

The people that use keyloggers register free electronic mail accounts to receive the thieved information, and Cofense has found that the biggest single electronic mail provider used to get keylogger data is Zoho, the Indian supplier of online office suite software. After reviewing the terminus of information thieved by keyloggers, Cofense found that 39% of electronic mails went to Zoho accounts, compared to 7% that were sent to Yandex accounts, the second most usually misused electronic mail platform.

The purpose why keyloggers are using Zoho is not abundantly obvious, even though Cofense scientists propose it is the lack of safety controls that make the electronic mail facility popular. For example, 2-factor verification is available for Zoho electronic mail accounts, but it is not compulsory. Electronic mail accounts can be opened free of charge and there are comparatively few controls over who can open an account. Cofense notes that the account registration procedure would be easy to automate with an easy script and that there is no requirement to use a mobile phone for confirmation.

The statement is more bad news for Zoho, which was lately provisionally taken offline by its registrar after reports that one of its facilities was being exploited and used for phishing producing an outage for its 30 million+ users.

Zoho has now replied to the report and has declared that it is taking measures to avoid misuse of its electronic mail facility and will soon need all new accounts to include a mobile phone number for confirmation, including its free accounts. Zoho will also boost its efforts to check outgoing SMTP and will be looking for doubtful login patterns and will stop users who seem to be misusing its facility.

“We are also narrowing our rules for all users. We have lately reviewed and improved our policy around SPF (sender policy framework) and applied DKIM (domain key identified mail) for our domain. This will bring about a solid DMARC policy that we will also publish,” said Sridhar Vembu, creator and CEO of Zoho.

Vembu also clarified that it’s not the only cloud facility supplier that is aimed in this way, “ Unluckily, phishing has become one of the bad side-effects of Zoho’s fast progress, particularly the progress of our mail facility. Since Zoho Mail offers the most generous free accounts, this gets worsened as more malevolent actors take benefit of this huge customer value. However, we are clamping down on this severely.”