Gmail Downtime Exposes Attempts To Distribute Malicious Files And Phishing Attacks
During the Gmail downtime experienced yesterday, cybercriminals managed to squeeze in an attempt to distribute malicious files to unsuspecting users. During the downtime, searches for the string “gmail down” yielded a Google Group page, also named Gmail down, as the top result. The page displayed a banner with pornographic images, which pointed to a pornographic website. According to Trend Micro researcher Loucif Kharouni, links on the said webpage also lead to malicious files.
The link “Really young good looking teenager-547b4.html” redirects to two different URLs. First, the URL hxxp:// {BLOCKED}worldx.com/software/f352d5ac52/10410/1/Setup.exe prompts the download of a file detected as TROJ_PROXY.AEI. TROJ_PROXY.AEI drops two files: a BAT file and a DLL file. The BAT file loads the DLL file, which in turn modifies the registry entries related to proxy server settings. As a result, the results of the user's queries are redirected to remote sites, mostly related to advertising.
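The proxy-settings tampering described above leaves a trace in the current user's WinINet registry values, which an administrator can export with `reg export` and review offline. The following checker is an added example, not part of the original article or Trend Micro's analysis; the key path and value names are the standard WinINet proxy settings, while the sample .reg text and the approved-proxy list are constructed for this example.

```python
"""Scan an exported Windows .reg file for signs of proxy hijacking.

The key path and value names are the standard per-user WinINet proxy
settings. The sample export and the approved-proxy list are constructed.
"""
import re

INTERNET_SETTINGS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
)

# Constructed .reg export showing a hijacked configuration.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="198.51.100.23:8080"
"AutoConfigURL"="http://example.invalid/proxy.pac"
"""


def parse_reg(text):
    """Return {key_path: {value_name: raw_value}} parsed from .reg text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new key section
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)', line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys


def find_proxy_tampering(reg_text, approved_proxies=()):
    """Return human-readable findings for the Internet Settings key."""
    values = parse_reg(reg_text).get(INTERNET_SETTINGS, {})
    findings = []
    if values.get("ProxyEnable", "").lower() == "dword:00000001":
        server = values.get("ProxyServer", "").strip('"')
        if server not in approved_proxies:
            findings.append(f"proxy enabled and points to unapproved server {server!r}")
    pac = values.get("AutoConfigURL", "").strip('"')
    if pac:  # a PAC script can redirect traffic selectively, so flag it too
        findings.append(f"automatic proxy configuration script set: {pac!r}")
    return findings


if __name__ == "__main__":
    for finding in find_proxy_tampering(SAMPLE_REG, ("proxy.corp.example:3128",)):
        print("FINDING:", finding)
```

Real `reg export` output is UTF-16 with a byte-order mark, so read such a file with `open(path, encoding="utf-16")` before passing its text to `find_proxy_tampering`.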
The second URL, hxxp:// {BLOCKED}cktube.com/new/n/Exclusive+Free+porno/3913744, leads to the download of a malicious file detected as TROJ_AGENT.FAKZ. The link “The Dark Knight torrent.zip” leads to the download of the BAT file main_movie_torrent.bat. The said file modifies the attributes of the following files: c:\autoexec.bat, c:\boot.ini, c:\ntldr, c:\windows\win.ini.
It displays a pop-up message stating “Virus Activated,” then deletes the files listed above, all of which are critical to loading Windows. After doing so, it displays another pop-up message, this time stating “Computer Over. Virus=Very Yes.” The computer then shuts down after 10 seconds and can no longer boot into the operating system. This file is now being studied for detection. Please stand by for updates.
The said Google Group has already been deleted; it was reportedly up for about 25 minutes. This incident serves as proof of how keen cybercriminals’ instincts can be in spotting opportunities to distribute their malicious files.
Hours after the blackout, Gmail users were also hit with a widespread phishing attack. The malicious message spread via the Google Talk instant messaging chat system, urging users to watch a video by clicking on a link shortened via the TinyURL service. The link points to a website called ViddyHo, which invited users to submit their Gmail usernames and passwords. The attack was more plausible because the malign messages came via the instant chat system built into Gmail rather than directly by email.
TinyURL has blacklisted the site, rendering the attack inert, but that action is too late for those duped by the ruse, who now need to act quickly. “If you think you might have been duped, make sure you change your Gmail password immediately otherwise your entire address book and all your correspondence, including information that you may have archived about other online accounts, will quickly become rich pickings for the hackers,” warned Graham Cluley, senior technology consultant at Sophos.
Victims were urged to change their passwords before hackers have a chance to abuse their webmail account.
Credit: JM Hipolito, Technical Communications, TrendMicro
Credit: Graham Cluley, Sophos