

Can malware create an email filter?

12 replies to this topic

#1 GregCLC (Members, 13 posts)

Posted 21 March 2016 - 03:18 PM

I have a client that was having issues with receiving payroll from their bank.  I found a filter created (this is all on a single, isolated station) that deleted all emails from @banksdomain.com.  They use Gmail for Business, and this was last Friday.  I did a quick Malwarebytes scan and didn't find anything that caught my attention.  Today I get a call that they had an unauthorized transfer from their bank account.  They immediately contacted their bank's fraud department, and I advised her to change her passwords. They are still in contact with their bank who is looking into where it originated (online/wire transfer) and to who it was transferred to.

 

So my question is, can these two occurrences be related?  Can malware create an email filter in Gmail?  Possibly to delete any notification emails about changes to her bank account? And then run a keylogger (maybe?) to access bank credentials. . .  

 

Thanks,

Greg





#2 RolandJS (Members, 4,533 posts, Austin TX metro area)

Posted 21 March 2016 - 03:42 PM

Did the client click anything inside of any email that was not official [from normal bank operations]?  Not interested in "blaming" the client, simply interested in hoping to zero in on, find the errant code, and eliminate any discovered outside-coding/scripting, etc.

 

Addendum: fixed my post, added in an important word left out earlier.


Edited by RolandJS, 22 March 2016 - 07:24 AM.

"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)


#3 GregCLC (Topic Starter, Members, 13 posts)

Posted 21 March 2016 - 04:01 PM

If it was from their bank it is possible she clicked something.  She is usually very good about not clicking anything that looks 'almost' legitimate.  When we checked her email trash folder, it started on the 11th, right around the time she was supposed to be getting payroll from the bank.  I showed her the process of creating a filter and she had a glazed look over her eyes, I could tell she didn't know how to create filters; I'm certain she didn't make it (intentionally or accidentally). Is it possible it was malware, or do filters have to be manually entered by someone?  Thanks!



#4 Demonslay335, Ransomware Hunter (Security Colleague, 3,527 posts, USA)

Posted 21 March 2016 - 04:24 PM

Not heard of malware doing this automatically, but cannot prove 100% that it wouldn't be possible. More likely it could be a hack on the Gmail account; make sure the email account itself has the password changed specifically if you haven't already. That does sound rather clever.

 

Double-check that emails weren't set to forward to someone else either, I've seen hacked accounts get that snuck in. It's a separate setting from any filters.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#5 TsVk!, penguin farmer (Members, 6,234 posts, The Antipodes)

Posted 21 March 2016 - 04:38 PM

Another possibility is the machine has a backdoor and the rule was created manually by a 3rd party. It would also explain the bank site compromise.

 

Might be worth checking for rootkits/banking trojans.



#6 GregCLC (Topic Starter, Members, 13 posts)

Posted 21 March 2016 - 05:01 PM

Thanks DemonSlayer, I checked and there were no email forwards. We have changed the password for the bank account, the email account, and the domain account.

TsVk, I will be doing some more malware/rootkit scans this evening, hopefully there is nothing there. . .

Thanks for the responses so far, I am leaning towards a hacked Gmail account like Demonslayer mentioned. Please let me know if anything else pops into your collective heads!  Thanks.



#7 Didier Stevens (BC Advisor, 2,707 posts)

Posted 22 March 2016 - 04:54 PM

I suggest you check the e-mail address with Troy Hunt's site: https://haveibeenpwned.com/

This could tell you if the credentials were stolen and leaked.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#8 Crazy Cat (Members, 808 posts, Lunatic Asylum)

Posted 29 March 2016 - 07:05 PM

Yes it can be done in Gmail.

Export or import filters. https://support.google.com/mail/answer/6579?hl=en

Export a filter

At the bottom of the page, click Export.
This will give you a .xml file, which you can edit in a text editor if you'd like.
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 

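The two pieces of advice above (export the filters as XML, and separately check that nothing is being forwarded) can be turned into a quick audit. The following is an added example, not code from the thread or from Google: it parses a filter export in the Atom/apps:property layout that Gmail's Export produces (that layout, the property names such as from, shouldTrash, forwardTo, shouldArchive and label, and the sample feed embedded below are assumptions made for this example) and reports every rule that deletes, forwards, or silently hides mail, calling out rules whose criteria touch bank or payroll mail. The sample feed is constructed to mirror the case in this thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Gmail filter export (mailFilters.xml) for this example.
# The Atom feed with apps:property children is an assumed export layout; the
# addresses are placeholders.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='@banksdomain.com'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='subject' value='payroll'/>
    <apps:property name='forwardTo' value='unknown-party@example.net'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
</feed>
"""

NS = {
    "atom": "http://www.w3.org/2005/Atom",
    "apps": "http://schemas.google.com/apps/2006",
}

# Criteria words that make a destructive or rerouting rule worth an immediate look
# (a constructed list; extend it with the client's own bank and payroll domains).
SENSITIVE_TERMS = ("bank", "payroll", "invoice", "password", "security")


def parse_filters(xml_text):
    """Return one dict of property name -> value for each <entry> in the export."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.findall("atom:entry", NS):
        props = {p.get("name"): p.get("value")
                 for p in entry.findall("apps:property", NS)}
        filters.append(props)
    return filters


def audit_filter(props):
    """Return the reasons a single filter is suspicious (empty list if it looks benign)."""
    reasons = []
    criteria = " ".join(props.get(k, "")
                        for k in ("from", "to", "subject", "hasTheWord")).lower()
    if props.get("shouldTrash") == "true":
        reasons.append("deletes matching mail")
    if props.get("forwardTo"):
        reasons.append(f"forwards matching mail to {props['forwardTo']}")
    # Skipping the inbox is normal when a label is applied; without one the mail
    # simply vanishes from view, which is how the rule in this thread worked.
    if props.get("shouldArchive") == "true" and not props.get("label"):
        reasons.append("skips the inbox without applying a label")
    if reasons and any(term in criteria for term in SENSITIVE_TERMS):
        reasons.append("criteria match sensitive mail")
    return reasons


def audit_export(xml_text):
    """Return [(index, props, reasons)] for every filter that raised at least one reason."""
    findings = []
    for i, props in enumerate(parse_filters(xml_text)):
        reasons = audit_filter(props)
        if reasons:
            findings.append((i, props, reasons))
    return findings


if __name__ == "__main__":
    for i, props, reasons in audit_export(SAMPLE_EXPORT):
        print(f"filter #{i}: {props}")
        for r in reasons:
            print(f"  - {r}")
```

To use it on a real account, replace SAMPLE_EXPORT with the contents of the exported .xml file. Note that the export only covers filters; the account-level forwarding that Demonslay335 mentions is a separate setting and will not appear in this file, so it still has to be checked on its own.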


#9 k9gardner (Members, 1 post, New York City)

Posted 15 September 2016 - 09:41 AM

Yes it can be done in Gmail.

Export or import filters. ...

I think your "yes" answer is misleading. Remember, the question was not "can I export and import filters," which is a process that the user would have control over. The question was, "can malware create an email filter," which suggests, to me at least, that we're talking about a process that can run unexpectedly on its own without user involvement. A very different scenario. The reason people are asking this question - I was asking it too, that's what brought me to this site today - is that it appears to be happening! All of a sudden, there are filters in someone's Gmail account that he did not put there and that were not there some time ago. How'd they get there? Is there a way that some rogue message was able to do it by embedding some kind of code in a message? Was it something that he inadvertently clicked on, or that could somehow place them there when he believed he was doing something else? 

I say this question remains unanswered. Most of the answers are leaning toward "no," but the fact remains that it nevertheless does appear to be happening in reality. It's still an open issue.



#10 JohnnyJammer (Members, 1,117 posts, QLD Australia)

Posted 15 September 2016 - 05:54 PM

Yes, it can easily if Outlook is installed: then simply utilizing win32ole and 'Outlook.Application' you can do just about anything!

I did a Ruby script years ago that would open emails and extract the attachments if they matched a certain word using regex; did all this using Outlook.Application and didn't even need Outlook open to achieve the desired results.

Incredibly fast too, I might add.



#11 GregCLC (Topic Starter, Members, 13 posts)

Posted 15 September 2016 - 05:58 PM

Johnny, do you think the same is possible with Gmail for Business?  We don't use Outlook, nor have it configured.  Is there some type of scripting you know of that could add Gmail filters without user interaction?



#12 Crazy Cat (Members, 808 posts, Lunatic Asylum)

Posted 15 September 2016 - 09:13 PM

I think your "yes" answer is misleading. Remember, the question was not "can I export and import filters," which is a process that the user would have control over. The question was, "can malware create an email filter," which suggests, to me at least, that we're talking about a process that can run unexpectedly on its own without user involvement. A very different scenario.


Unfortunately, you're assuming the malware will have a single function, but any account-compromising trojan (malware) will have account extraction, remote access, and command and control.

Gmail introduced their last account activity feature a long time ago. http://www.shoutmeloud.com/your-gmail-is-hacked-crosscheck.html This malware was discovered, Hackers Are Using Gmail Drafts to Update Their Malware and Steal Data. https://www.wired.com/2014/10/hackers-using-gmail-drafts-update-malware-steal-data/


The reason people are asking this question - I was asking it too, that's what brought me to this site today - is that it appears to be happening! All of a sudden, there are filters in someone's Gmail account that he did not put there and that were not there some time ago. How'd they get there? Is there a way that some rogue message was able to do it by embedding some kind of code in a message? Was it something that he inadvertently clicked on, or that could somehow place them there when he believed he was doing something else?

I say this question remains unanswered. Most of the answers are leaning toward "no," but the fact remains that it nevertheless does appear to be happening in reality. It's still an open issue.


May 4, 2016. Researchers uncover 24 million compromised Gmail accounts, and many others. http://www.androidauthority.com/reserchers-uncover-24-million-compromised-gmail-accounts-690751/


#13 JohnnyJammer (Members, 1,117 posts, QLD Australia)

Posted 15 September 2016 - 10:25 PM

Johnny, do you think the same is possible with Gmail for Business?  We don't use Outlook, nor have it configured.  Is there some type of scripting you know of that could add Gmail filters without user interaction?

Well, I have never written for Gmail, but I believe their API is public and people write their own applications to handle Gmail.
