Intruders Use Draft Email Messages for Attacks

By

New technique circumvents defenses by avoiding conventional network traffic.

According to a recent report in Wired Magazine, the security firm Shape Security has discovered a new attack method that uses draft email messages to send commands to a compromised system. Most network security systems watch closely for command and control messages that might indicate an attack underway. By hiding the commands in email drafts, the attackers circumvent defense techniques that monitor TCP/IP traffic, and they even avoid defenses that look for attacks through regular email delivery.
Versions of the attack use a webmail system, such as Gmail. The attacker first installs Python on a compromised system and configures it to run scripts saved in the mail draft folder. After that, the attacker just needs to log in to the mail account and save a script within a draft message. When the account is accessed from the client, the script executes. Because the attack is triggered through an ordinary service that does not leave a trace of clandestine activity, it is very difficult to discover. This attack is apparently a variant of the Icoscrript attack, which was discovered last summer.
Wired points out that this attack is oddly reminiscent of the behavior of US Army General David Patraeus and his former lover Paula Broadwell, who apparently used the draft folder in a shared Gmail account to send each other secret love notes.   

11/11/2014

Related content

  • Targeted attacks on companies
    Watering hole and spear phishing targeted attacks offer the greatest rewards to cybercriminals. Here's how to protect your company from these types of attacks.
  • Stopping Side Channel Attacks

    Sometimes error messages or log entries are too verbose for their own good, disclosing valuable information to attackers.

  • OpenCanary attack detection
    The canary in a coal mine has made its way metaphorically into IT security with the OpenCanary honeypot for detecting attacks.
  • Tricking Intruders with HoneypotMe

    A honeypot is a specialized security tool that pretends to be an ordinary system to attract and identify attackers. Experienced intruders, however, are not so easily fooled. An experimental new technology known as HoneypotMe moves honeypot functionality to real systems on the production network.

  • Cyber security for the weakest link
    The balance between IT threats and IT security is woefully unbalanced in a Windows environment, requiring the enforcement of company-wide security standards.
comments powered by Disqus