Gmail Hacked: Google Says New HYPERSCRAPE Attack Can Read All Messages

Google Threat Analysis Group warns of new Gmail threat from spy group

A recently released report by the Google Threat Analysis Group (TAG) reveals that an espionage threat group it says is backed by the Iranian government has a new tool, which has already been used to successfully compromise a small number of Gmail accounts.

The group goes by the name of Charming Kitten, although this cat appears to be far from charming and has very sharp claws.

The report, written by TAG's Ajax Bash, confirms that the tool, called Hyperscrape, is "used to steal user data from Gmail, Yahoo!, and Microsoft Outlook accounts."

Bash confirms that the state-sponsored group behind Hyperscrape has already compromised a small number of Gmail accounts. "We've seen it deployed to less than two dozen accounts located in Iran," Bash said, adding that Google notified affected users and "took steps to re-protect these accounts."

What is Hyperscrape?

Google TAG researchers first detected Hyperscrape in December 2021, although further investigation revealed that the oldest known sample dates from 2020.

Hyperscrape spoofs its User-Agent so that it appears to be an old, outdated web browser. This causes Gmail to serve the basic HTML view of the inbox, which the tool can then walk through. Hyperscrape iterates through the contents of the compromised Gmail inbox and other mailboxes, downloading messages one at a time. After each message is downloaded, it is marked as unread again, and once the run is complete, any security messages or warnings from Google are deleted.


Bash also said that some versions of the tool could request an export of all of the user's data as a downloadable archive via Google Takeout. It is not clear whether, or why, this feature was removed.

How dangerous is Hyperscrape?

Obviously, for those targeted by Charming Kitten, Hyperscrape is a very dangerous threat. However, those targets are selected very carefully, and as Bash said, only a handful of users are known to have been compromised, all of them based in Iran.

Also, for Hyperscrape to run, the attackers must already have obtained the victim's account credentials. This again reduces the chances of everyday users being affected, although if an attacker has your credentials, it is game over anyway.

In the case of Hyperscrape, the attackers do not want victims to know that their credentials have been compromised and their Gmail accounts accessed. Charming Kitten is an advanced persistent threat (APT) group, and by covering its tracks, restoring mailboxes to their original state and deleting Google's security warnings, it hopes to be able to return to the mailbox and repeat the theft at its leisure.
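The behaviour described above (an outdated browser User-Agent, messages read one after another and immediately flipped back to unread, and Google's own security notices deleted) is exactly what a defender can hunt for. The following Python script is an added example written for this page; it is not code from the Google TAG report or from the tool itself. The audit-log schema (one JSON object per line with `session`, `event`, `ua`, `msg` and `sender` fields) is constructed and hypothetical, as are the sample events, the browser-version thresholds, the 10-second read/unread window, and the `no-reply@accounts.google.com` alert sender; map all of them onto what your own mail platform or IMAP gateway actually exports.

```python
"""Hunt for Hyperscrape-style scraping in (hypothetical) webmail audit events."""
from __future__ import annotations

import json
import re
from collections import defaultdict
from datetime import datetime

# Assumed thresholds: tune against your own baseline of normal user activity.
LEGACY_FIREFOX_BELOW = 60
LEGACY_CHROME_BELOW = 70
UNREAD_WINDOW_SECONDS = 10   # read then mark-unread this fast looks automated
MIN_SCRAPE_PAIRS = 3         # how many such pairs before we call it scraping
# Assumed sender address of the provider's security notices.
SECURITY_SENDERS = {"no-reply@accounts.google.com"}

# Constructed sample events (schema is made up for this example). s1 mimics
# Hyperscrape; s2 is a normal user on a current browser; s3 is a user on an
# old browser who just reads mail, so the old User-Agent alone must not alert.
SAMPLE_EVENTS = """
{"ts":"2022-03-01T09:00:00Z","session":"s1","actor":"victim@example.com","event":"login","ua":"Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"}
{"ts":"2022-03-01T09:00:05Z","session":"s1","actor":"victim@example.com","event":"message_read","msg":"m1"}
{"ts":"2022-03-01T09:00:06Z","session":"s1","actor":"victim@example.com","event":"mark_unread","msg":"m1"}
{"ts":"2022-03-01T09:00:07Z","session":"s1","actor":"victim@example.com","event":"message_read","msg":"m2"}
{"ts":"2022-03-01T09:00:08Z","session":"s1","actor":"victim@example.com","event":"mark_unread","msg":"m2"}
{"ts":"2022-03-01T09:00:09Z","session":"s1","actor":"victim@example.com","event":"message_read","msg":"m3"}
{"ts":"2022-03-01T09:00:10Z","session":"s1","actor":"victim@example.com","event":"mark_unread","msg":"m3"}
{"ts":"2022-03-01T09:00:30Z","session":"s1","actor":"victim@example.com","event":"message_delete","msg":"m9","sender":"no-reply@accounts.google.com"}
{"ts":"2022-03-01T10:00:00Z","session":"s2","actor":"victim@example.com","event":"login","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"}
{"ts":"2022-03-01T10:00:05Z","session":"s2","actor":"victim@example.com","event":"message_read","msg":"m4"}
{"ts":"2022-03-01T10:20:00Z","session":"s2","actor":"victim@example.com","event":"mark_unread","msg":"m4"}
{"ts":"2022-03-01T11:00:00Z","session":"s3","actor":"victim@example.com","event":"login","ua":"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"}
{"ts":"2022-03-01T11:00:10Z","session":"s3","actor":"victim@example.com","event":"message_read","msg":"m6"}
"""


def is_legacy_ua(ua: str) -> bool:
    """True when the User-Agent claims a browser no current client would send."""
    if "MSIE " in ua or "Trident/" in ua:
        return True
    m = re.search(r"Firefox/(\d+)", ua)
    if m and int(m.group(1)) < LEGACY_FIREFOX_BELOW:
        return True
    m = re.search(r"Chrome/(\d+)", ua)
    return bool(m and int(m.group(1)) < LEGACY_CHROME_BELOW)


def parse_events(raw: str) -> list[dict]:
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in raw.strip().splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def analyze_sessions(events: list[dict]) -> dict[str, dict]:
    """Score each session against the behaviours the TAG report describes."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session"]].append(ev)
    report = {}
    for sid, evs in by_session.items():
        legacy = any(ev["event"] == "login" and is_legacy_ua(ev.get("ua", ""))
                     for ev in evs)
        last_read = {}          # msg id -> time of its latest read in this session
        scrape_pairs = alerts_deleted = 0
        for ev in evs:
            kind = ev["event"]
            if kind == "message_read":
                last_read[ev["msg"]] = ev["ts"]
            elif kind == "mark_unread":
                # A human re-marking a message unread minutes later is normal;
                # a one-second read/unread cycle repeated down the inbox is the scraper.
                t = last_read.get(ev["msg"])
                if t and (ev["ts"] - t).total_seconds() <= UNREAD_WINDOW_SECONDS:
                    scrape_pairs += 1
            elif kind == "message_delete" and ev.get("sender") in SECURITY_SENDERS:
                alerts_deleted += 1
        # An old browser alone is weak evidence; require it together with the
        # scraping rhythm or the anti-forensic deletion of the provider's alerts.
        report[sid] = {
            "legacy_ua": legacy,
            "scrape_pairs": scrape_pairs,
            "security_alerts_deleted": alerts_deleted,
            "suspicious": legacy and (scrape_pairs >= MIN_SCRAPE_PAIRS
                                      or alerts_deleted > 0),
        }
    return report


def suspicious_sessions(raw: str) -> list[str]:
    """Session ids whose activity matches the Hyperscrape pattern."""
    report = analyze_sessions(parse_events(raw))
    return sorted(sid for sid, r in report.items() if r["suspicious"])
```

Run against the constructed sample, `suspicious_sessions(SAMPLE_EVENTS)` returns only `s1`: the old-browser session that read three messages, re-marked each unread within a second, and deleted a Google security notice. Session s3 also presents an outdated User-Agent but is left alone, because an old browser by itself is common enough to drown a SOC in false positives. Keep in mind that because Hyperscrape runs with the victim's valid credentials, the login event itself looks legitimate; this pattern only catches the scraping after the fact, so pair it with new-device and sign-in-location alerting on the accounts you care about.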

Bash said that news of the discovery was made public to "raise awareness of bad actors like Charming Kitten within the security community," as well as among the high-risk individuals and organizations that could be targeted by the threat group.

Hyperscrape mitigation and other Gmail attack threats

If you fall into such a category, Google encourages you to join the Advanced Protection Program (APP) and to turn on Enhanced Safe Browsing at the Google account level.


If you don't, you should still think about security, even though your risk of becoming a Hyperscrape victim is low. That is one end of the threat spectrum, but using weak passwords and not enabling two-step verification on your Google account leaves you in the crosshairs of everyday cybercriminals. Gaining control of your Gmail account is like gaining the keys to the kingdom: password reset links arriving in your inbox, bank account details and personal data add up to a huge security exposure that can be avoided by ensuring a better basic security posture.

Threat intelligence expert opinion

Ian Thornton-Trump, CISO at threat intelligence specialists Cyjax, says: "We live in a world where we are secure one moment and completely insecure the next. I contend that threat models should drive response and investment. Sometimes on-premise brings advantages in terms of security, with agility as the victim. I think what we're learning is that there is no 'one size fits all' when it comes to cyber security. Support and capability vendor response becomes a value proposition. This is the world we live in. What's interesting to me is that it's not about the 'vulnerability or the exploit' anymore, it's about how we implement the technology with a philosophy of 'lower damage level'."
