Researchers have uncovered a keylogger phishing campaign which abuses Zoho in order to spread and exfiltrate data from victim devices.
On Tuesday, security researchers from Cofense said that Zoho, a web-based office suite and email provider, is being abused by phishers and fraudsters on a massive scale.
The Indian company’s domain was suspended briefly in September, the researchers said in a blog post. This was due to an “insufficient response” to the reported abuse.
Zoho’s registrar, TierraNet, took down the domain, seemingly surprising Zoho with the move — to the point that the company took to Twitter to plead for help in resuming service.
At the time of the suspension, Zoho CEO Sridhar Vembu said:
“There were a total of 3 complaints in 2 months and we took action on 2 of them immediately and one is pending investigation. We serve 40 million users. 3 complaints in 2 months.”
TierraNet’s abrupt blockade of the service not only impacted Zoho itself but millions of customers in one fell swoop. Zoho’s CEO outlined plans for the company to “be a domain registrar ourselves” to prevent the situation from happening again.
Now restored, Zoho services are once again being used for keylogger-based phishing campaigns, Cofense says.
The software platform’s email address service, on both zoho.com and zoho.eu domains, is being exploited in 40 percent of phishing campaigns in which email “is the primary exfiltration vehicle.”
Other email providers whose domains are abused in the same way include outlook.com, yandex.com, and gmail.com.
“The reason for threat actors overwhelmingly abusing Zoho is unclear, but minimal security process enforcements — optional 2FA (not enforced), activity monitoring, etc. — combine with user susceptibility to create fertile ground,” the researchers say.
Keyloggers are malware families built to monitor keystrokes and other input from Human Interface Devices (HIDs). Many variants can also monitor the clipboard and capture the screen.
When a compromised PC is used by an individual to access their email account, for example, the malware is able to record the keys pressed on a keyboard.
Many forms of keylogger, including Agent Tesla and Hawkeye, are given bolt-on stealer capabilities and are distributed as part of wider malware packages or exploit kits. Information compromised by the malicious code may then be sent to the malware’s command-and-control (C2) server, controlled by an attacker, who can then use the data to access the account.
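The exfiltration pattern described above, a keylogger on a workstation submitting stolen data by email to an attacker-controlled webmail account, leaves a simple trace in endpoint telemetry: a process that is not a mail client opening a connection to an SMTP submission port, often at one of the providers named in the article. The following detection script is an added example for this piece, not code from Cofense or ZDNet. The log records are constructed for the example in a flattened Sysmon-style layout, the mail-client allowlist and the webmail SMTP hostnames (smtp.zoho.com, smtp.zoho.eu and the others) are assumptions that a real deployment would replace with its own inventory and observed traffic.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry: one outbound network connection per line
# (Sysmon event 3 style, flattened). These records are made up for the
# example and are not real observations.
SAMPLE_LOG = """\
2018-10-09T08:12:01Z host=WS-017 image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE dst=smtp.office365.com dport=587
2018-10-09T08:14:22Z host=WS-017 image=C:\\Users\\alice\\AppData\\Roaming\\svchost32.exe dst=smtp.zoho.com dport=587
2018-10-09T08:14:23Z host=WS-017 image=C:\\Users\\alice\\AppData\\Roaming\\svchost32.exe dst=smtp.zoho.eu dport=465
2018-10-09T08:15:40Z host=WS-017 image=C:\\Windows\\System32\\svchost.exe dst=update.microsoft.com dport=443
2018-10-09T08:16:05Z host=WS-021 image=C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe dst=smtp.gmail.com dport=465
2018-10-09T08:17:31Z host=WS-021 image=C:\\Temp\\invoice.exe dst=smtp.yandex.com dport=587
"""

# SMTP relay and submission ports.
MAIL_SUBMISSION_PORTS = {25, 465, 587}

# Processes expected to speak SMTP from a workstation. This allowlist is an
# assumption for the example; derive it from your own software inventory.
ALLOWED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# SMTP hostnames of the webmail providers the article names as exfiltration
# destinations. The hostnames are assumed; adjust to what your telemetry shows.
WEBMAIL_SMTP_HOSTS = {
    "smtp.zoho.com", "smtp.zoho.eu", "smtp.gmail.com",
    "smtp.office365.com", "smtp-mail.outlook.com", "smtp.yandex.com",
}

# The image path may contain spaces, so match it non-greedily up to " dst=".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>.+?) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    image: str
    dst: str
    dport: int
    reason: str


def parse_line(line):
    """Parse one flattened connection record; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def process_name(image_path):
    """Final path component of a Windows or POSIX image path, lower-cased."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_suspicious_smtp(log_text):
    """Return connections to SMTP ports made by processes that are not known mail clients."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in MAIL_SUBMISSION_PORTS:
            continue
        if process_name(rec["image"]) in ALLOWED_MAIL_CLIENTS:
            continue
        reason = "non-mail-client process using SMTP submission port"
        if rec["dst"].lower() in WEBMAIL_SMTP_HOSTS:
            reason += " to webmail provider"
        findings.append(Finding(rec["ts"], rec["host"], rec["image"],
                                rec["dst"], rec["dport"], reason))
    return findings


if __name__ == "__main__":
    for f in flag_suspicious_smtp(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {process_name(f.image)} -> {f.dst}:{f.dport}  [{f.reason}]")
```

Run against the constructed sample, the script flags the two connections from the look-alike `svchost32.exe` under a user's roaming profile to Zoho's SMTP hosts and the one from `invoice.exe` to Yandex, while the genuine Outlook and Thunderbird sessions and the legitimate `svchost.exe` HTTPS connection pass. The process-name check is deliberately the weakest link: it is what a binary named to imitate a system process is trying to defeat, so in production pair it with the image path, code-signing status, and per-host baselines rather than relying on the name alone.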
Zoho may account for over a third of the email addresses used, but the company is not the only email service provider being targeted.
In August, Cofense revealed the existence of a campaign spreading the Geodo malware, a banking Trojan, which leveraged stolen credentials from platforms including Gmail, Outlook.com, Yandex, and Yahoo.
ZDNet has reached out to Zoho and will update if we hear back.