Last week, CRM software and free mail provider Zoho was taken offline by its domain registrar over alleged phishing violations. This week, new research was released stating that Zoho is being heavily used by keylogger distributors as a way to transmit their stolen data.

Keyloggers are malware that silently monitor a victim's computer to collect account credentials and trade secrets or to spy on a user's behavior. They steal information by logging what is typed on the keyboard, recording webcams and microphones, taking screenshots of active windows, and performing other malicious activity. The collected information is then either transmitted directly to a server under the attacker's control or compiled into an email and sent to the attackers.

When sending the stolen data by email, attackers typically rely on free throw-away email accounts. According to research by mail security provider Cofense, 40% of the keyloggers it has analyzed were using Zoho to email stolen information from a victim's machine.

Cofense told BleepingComputer via email that the most common keyloggers that they see abusing Zoho have been Hawkeye and Agent Tesla. Both of these keyloggers will compile the data they steal and then use a mail provider like Zoho to transmit it back to the attackers.

For example, in the image below you can see an email from Agent Tesla where it has harvested account credentials from various browsers and sent them back to the attacker.

Agent Tesla Email

The following image shows an example email created by the Hawkeye keylogger where account credentials were also stolen from browsers. As with the Agent Tesla example, the information in these images has been obfuscated to protect victims or was collected from honeypots.

Hawkeye Keylogger Email

Cofense further told BleepingComputer that due to the ease of gaining access to keyloggers, non-technical actors can easily deploy them and get them up and running with a service like Zoho.

"The rise in Keyloggers seems to coincide with a real explosion of the Malware-as-a-Service model," Cofense told BleepingComputer. "By abstracting away all of the difficult parts of malware – namely its authorship and subsequent configuration – it is trivial for utterly non-technical actors to purchase an off-the-shelf keylogger that’s ready to deploy. With Phishing-as-a-Service also in existence, it’s possible for would-be attackers to get end-to-end malware delivery without having to run a single command.

Zoho is attractive to attackers for several reasons. First, they're a SaaS solution. Cloud-based organizations are a major target for threat actors because of the sheer number of, and variance in, their end-user demographics. For example: If a platform has 30M+ users, even if a tiny fraction of a percent have their accounts compromised, it generates a huge command and control footprint for the threat actors. Additionally, by not enforcing strict security features such as multifactor authentication, and with loose controls around account creation, it creates additional risk exposure. A somewhat simple script, for example, could potentially provide an attacker the ability to fully automate account creation in this type of scenario."

Zoho's reaction to the research

BleepingComputer reached out to Zoho regarding this report and to find out how they plan on preventing attackers from using their service to transmit stolen data.

To restrict abuse, Zoho said it will be instituting new policies that all free Zoho.com accounts must follow:

Here are some of the actions we are in the process of mandating for our free @zoho.com accounts: 

  1. Mandating mobile verification for all new account registrations
  2. Changing SPF for zoho.com to "hard fail" so that mails not originating from our servers are marked as spam by the recipient servers. More details here: https://help.zoho.com/portal/community/topic/preventing-spam-emails-using-zoho-com-enforcing-spf-dkim-and-dmarc-for-zoho-com-accounts. As mentioned in the post, we also plan to implement DKIM for zoho.com domain and further publish our DMARC policy
  3. Blocking free users with suspicious login patterns, particularly for outgoing SMTP, to ensure they don't use Zoho email ids with malicious intent.

Our newly enhanced algorithms have already blocked thousands of suspicious login patterns in just the last few days alone. Though Zoho Mail supports 1, 2 above and has provision for enabling TFA too, implementing them for @zoho.com users may cause issues for some genuine use cases too and hence we have not mandated it till now. 

Moreover, enabling TFA alone may not help as users can still create app-specific passwords and use it for automated sending. TFA helps only to prevent hacking into other users' accounts.

Zoho CEO Sridhar Vembu further told BleepingComputer via email that they are heavily focusing on preventing this type of abuse.

"Unfortunately phishing has become one of the bad side-effects of Zoho's rapid growth over the last couple of years, especially the growth of our mail service. Since Zoho Mail also offers the most generous free accounts as part of our freemium strategy, this gets exacerbated as more malicious actors take advantage of this massive customer value. But we are clamping down on this heavily and I quickly wanted to briefly share what we have done and will be doing.

The first way is to examine all accounts, especially free ones since this is where most of the abuse appears to be happening. We are now mandating verification using mobile numbers for all accounts, including free ones (which also helps in two-factor authentication for accounts). We are actively looking at suspicious login patterns, and blocking such users, particularly for outgoing SMTP.

The second method is around improving and tightening our policies for all users. We have recently revised and changed our policy around SPF (sender policy framework) and implemented DKIM (domain key identified mail) for our domain. This will result in a solid DMARC policy that we will also publish. 

There are other heuristic methods and algorithms we are exploring and testing before we deploy at scale that we will not discuss in any detail, for all the right reasons. I would appreciate it if you could publish this rejoinder to your piece, so that your readers can see both sides of your story."
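The SPF change Zoho describes in both statements, together with the DMARC policy it plans to publish, comes down to the qualifier a receiving mail server applies when a message's source IP is not in the domain's published sender list. The following added example (not Zoho's or BleepingComputer's code) evaluates constructed SPF and DMARC TXT records against a sending IP and shows that an unauthorized sender is only "softfail" under `~all` but "fail" under `-all`; the record values and IP addresses are constructed, and the `include`, `a` and `mx` mechanisms that require DNS lookups are left out.

```python
"""Added example: how a receiving server's SPF check treats a message whose
sending IP is outside the domain's published ranges, under a soft-fail (~all)
versus hard-fail (-all) record. Records and IPs are constructed, not Zoho's."""
import ipaddress

# Constructed SPF records: the only difference is the qualifier on "all".
SPF_SOFTFAIL = "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.10 ~all"
SPF_HARDFAIL = "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.10 -all"
# Constructed DMARC record asking receivers to quarantine failing mail.
DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.invalid"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: str, sender_ip: str) -> str:
    """Return the SPF result (pass/fail/softfail/neutral/none) for sender_ip.

    Only ip4, ip6 and all are evaluated; include/a/mx would need DNS queries."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                        # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                      # an omitted qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # ip_network(..., strict=False) accepts a bare host address too
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]     # "all" matches every sender
    return "neutral"                         # no mechanism matched


def dmarc_policy(record: str) -> str:
    """Return the requested disposition (none/quarantine/reject) from a DMARC record."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p", "none").lower()


if __name__ == "__main__":
    spoofed = "192.0.2.77"                   # constructed IP outside both records
    print(check_spf(SPF_SOFTFAIL, spoofed))  # softfail: receiver may still accept
    print(check_spf(SPF_HARDFAIL, spoofed))  # fail: receiver should reject or mark as spam
    print(check_spf(SPF_HARDFAIL, "203.0.113.9"))  # pass: inside the published range
    print(dmarc_policy(DMARC))               # quarantine
```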
