Google Cracks Down on Domains Used by Hack-For-Hire Groups

Hack-for-hire firms are targeting a range of accounts from Google and major webmail providers in credential theft campaigns.

Google has applied its Safe Browsing protection feature to more than 30 domains linked to several hack-for-hire operations. The feature blocks dangerous websites and gives users a warning notification when they attempt to navigate to the site.

These hack-for-hire firms have been targeting a range of accounts, including Gmail and AWS accounts, in order to carry out corporate espionage against companies, as well as campaigns against human rights and political activists, journalists and other high-risk users worldwide. The number of such firms has grown steadily over the past few years, according to an October report by the United Nations Office of the High Commissioner for Human Rights. Rather than selling tooling that end users must then operate, as commercial surveillance vendors do, hack-for-hire operators conduct the attacks themselves on behalf of organizations or individuals who lack the capability to do so on their own. They typically leverage known vulnerabilities and credential phishing to compromise targets' accounts, with the end goal of exfiltrating sensitive data.

“The breadth of targets in hack-for-hire campaigns stands in contrast to many government-backed operations, which often have a clearer delineation of mission and targets,” said Shane Huntley, director of the threat analysis group with Google, in a Thursday analysis. “A recent campaign from an Indian hack-for-hire operator was observed targeting an IT company in Cyprus, an education institution in Nigeria, a fintech company in the Balkans and a shopping company in Israel.”

Researchers highlighted a previously known Russian hack-for-hire group called Void Balaur that has targeted journalists, politicians and various NGOs and non-profit organizations in and around Europe, including a prominent Russian anti-corruption journalist hit by a 2017 credential phishing campaign. Over the past five years, researchers said they observed the group targeting accounts at major webmail providers including Gmail, Hotmail, and Yahoo!, as well as regional webmail providers like abv.bg, mail.ru, inbox.lv, and UKR.net.

“What stuck out during this investigation was the breadth of targeting, which also included individuals that had no affiliation with the selected organizations, and appeared to be regular, everyday citizens in Russia and surrounding countries,” said Huntley.

Void Balaur sent credential phishing emails posing as notifications from Gmail and other webmail providers, or spoofing Russian government organizations. Once a target followed the link and entered credentials on an attacker-controlled phishing page, the attackers maintained persistence in the compromised account by authorizing a legitimate email application such as Thunderbird via an OAuth token, or by generating an App Password in order to access the account over IMAP. Both of these methods are revoked if the user changes their password, according to Google.

Another set of hack-for-hire actors based out of India, which has been tracked by Google TAG since 2012, targeted government, healthcare and telecom victims in Saudi Arabia, the United Arab Emirates and Bahrain with credential phishing attacks that have focused specifically on AWS accounts and Gmail accounts.

“TAG has linked former employees of both Appin and Belltrox to Rebsec, a new firm that openly advertises corporate espionage as an offering on its company website,” said Huntley.

Finally, Google tracked a hack-for-hire group based in the United Arab Emirates that has targeted government, education and political organizations in the Middle East and North Africa. The group used the Mailjet or SendGrid API to send credential-stealing phishing emails with password-reset lures impersonating Google or Outlook Web Access (OWA). After an account was compromised, the attacker either authorized a legitimate email application such as Thunderbird via an OAuth token, or linked the victim's Gmail account to an attacker-owned account at a third-party mail provider, and then used a custom tool to download the mailbox contents over IMAP.
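The persistence steps described for Void Balaur and for the UAE-based group (an OAuth grant with mail scopes to a desktop mail client, or a newly created App Password, shortly after a login from an unfamiliar location) are exactly the signals a defender can look for in account audit logs. The following is an added example, not code from Google TAG or from the original article: it runs a simple detection over a constructed batch of audit records whose field names are loosely modelled on Google Workspace "token" and "login" activity events but are an assumption rather than Google's exact schema; the approved-app list, the two-hour correlation window and the sample users are likewise assumptions.

```python
"""Flag mailbox-persistence grants of the kind described above.

Added example, not from Google TAG or the original article. The record
shape below (fields "type", "name", "app_name", "scopes", "country") is an
assumption loosely modelled on Workspace audit events, and the sample
records are constructed for this illustration.
"""
import json
from datetime import datetime, timedelta, timezone

# OAuth scopes that grant full or near-full read access to a Gmail mailbox.
MAIL_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
}
# Third-party apps the organisation has approved for mailbox access (assumption).
APPROVED_APPS = {"Corporate Mail Connector"}
# A grant this soon after a login from an unknown country is rated "high" (assumption).
WINDOW = timedelta(hours=2)

# Constructed sample records; not real audit data.
SAMPLE_LOG = json.dumps([
    {"time": "2022-06-29T08:02:11Z", "user": "alice@example.org", "type": "login",
     "name": "login_success", "country": "DE"},
    {"time": "2022-06-29T08:10:42Z", "user": "alice@example.org", "type": "token",
     "name": "authorize", "app_name": "Corporate Mail Connector",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
    {"time": "2022-06-29T19:31:05Z", "user": "bob@example.org", "type": "login",
     "name": "login_success", "country": "NG"},
    {"time": "2022-06-29T19:34:20Z", "user": "bob@example.org", "type": "token",
     "name": "authorize", "app_name": "Thunderbird",
     "scopes": ["https://mail.google.com/"]},
    {"time": "2022-06-29T19:36:49Z", "user": "bob@example.org", "type": "user_accounts",
     "name": "app_password_created"},
    {"time": "2022-06-29T09:00:00Z", "user": "carol@example.org", "type": "token",
     "name": "authorize", "app_name": "Calendar Sync",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
])


def parse_time(stamp):
    """Parse an ISO-8601 UTC timestamp of the form used in the sample records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_persistence_grants(log_json, known_countries):
    """Return a list of alerts for mailbox-persistence events.

    known_countries maps a user to the set of countries they normally log in
    from. A mail-scope OAuth grant to an unapproved app, or the creation of an
    App Password, is always reported; it is rated "high" when it follows a
    login from an unknown country within WINDOW, otherwise "medium".
    """
    events = sorted(json.loads(log_json), key=lambda e: e["time"])
    last_unusual_login = {}  # user -> time of the most recent login from an unknown country
    alerts = []
    for ev in events:
        user, when = ev["user"], parse_time(ev["time"])
        if ev["type"] == "login" and ev["name"] == "login_success":
            if ev.get("country") not in known_countries.get(user, set()):
                last_unusual_login[user] = when
            continue
        reason = None
        if ev["type"] == "token" and ev["name"] == "authorize":
            if set(ev.get("scopes", [])) & MAIL_SCOPES and ev["app_name"] not in APPROVED_APPS:
                reason = f"mail-scope OAuth grant to unapproved app {ev['app_name']!r}"
        elif ev["type"] == "user_accounts" and ev["name"] == "app_password_created":
            reason = "app password created (IMAP access without the account password)"
        if reason is None:
            continue
        prior = last_unusual_login.get(user)
        severity = "high" if prior is not None and when - prior <= WINDOW else "medium"
        alerts.append({"user": user, "time": ev["time"], "severity": severity, "reason": reason})
    return alerts


if __name__ == "__main__":
    known = {"alice@example.org": {"DE"}, "bob@example.org": {"DE"}}
    for alert in find_persistence_grants(SAMPLE_LOG, known):
        print(alert)
```

Thunderbird itself is legitimate software, so the OAuth grant alone is only a medium-confidence signal; the login from an unfamiliar country minutes earlier is what raises it. When responding, confirm the revocation in the account's third-party access and App Password settings rather than relying on the password change alone, since the whole point of these grants is to survive the victim noticing the phishing.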

“Unlike many hack-for-hire actors that use open source phishing frameworks like Evilginx or GoPhish, this group uses a custom phishing kit that utilizes Selenium, a self-described 'suite of tools for automating web browsers,'” said Huntley. “Previously described by Amnesty, this phishing kit has remained under active development over the past five years.”

Google said that all websites and domains identified in these campaigns were added to its Safe Browsing feature to protect users from further harm, and that it has shared all relevant details with law enforcement. However, researchers have previously said that defending against hack-for-hire groups “is not an easy task.” Potential victims can protect themselves in a number of ways, including the use of multi-factor authentication (MFA) for email and social media accounts, the use of apps with end-to-end encryption, and the use of “robust” email services from a reputable provider, researchers with Trend Micro have previously noted.

“The hack-for-hire landscape is fluid, both in how the attackers organize themselves and in the wide range of targets they pursue in a single campaign at the behest of disparate clients,” said Huntley. “Some hack-for-hire attackers openly advertise their products and services to anyone willing to pay, while others operate more discreetly selling to a limited audience.”