Google has applied its Safe Browsing protection feature to more than 30 domains linked to several hack-for-hire operations. The feature blocks dangerous websites and gives users a warning notification when they attempt to navigate to the site.
These hack-for-hire firms have been targeting a range of accounts, including Gmail and AWS accounts, in order to carry out corporate espionage attacks against firms, as well as campaigns that target human rights and political activists, journalists and other high-risk users worldwide. The number of these hack-for-hire companies has been steadily increasing over the past few years, according to an October report by the Office of the United Nations High Commissioner for Human Rights. Rather than selling services that end users must then operate, as commercial surveillance vendors do, hack-for-hire operators conduct the attacks themselves on behalf of organizations or individuals who might lack the capabilities to do so on their own, typically leveraging known vulnerabilities in order to compromise targets’ accounts with the end goal of exfiltrating sensitive data.
“The breadth of targets in hack-for-hire campaigns stands in contrast to many government-backed operations, which often have a clearer delineation of mission and targets,” said Shane Huntley, director of the threat analysis group with Google, in a Thursday analysis. “A recent campaign from an Indian hack-for-hire operator was observed targeting an IT company in Cyprus, an education institution in Nigeria, a fintech company in the Balkans and a shopping company in Israel.”
Researchers highlighted a previously known Russian hack-for-hire group called Void Balaur that has targeted journalists, politicians and various NGOs and non-profit organizations in and around Europe, including a prominent Russian anti-corruption journalist hit by a 2017 credential phishing campaign. Over the past five years, researchers said they observed the group targeting accounts at major webmail providers including Gmail, Hotmail, and Yahoo!, as well as regional webmail providers like abv.bg, mail.ru, inbox.lv, and UKR.net.
“What stuck out during this investigation was the breadth of targeting, which also included individuals that had no affiliation with the selected organizations, and appeared to be regular, everyday citizens in Russia and surrounding countries,” said Huntley.
Void Balaur sent credential phishing emails pretending to be notifications from Gmail and other webmail providers, or spoofing Russian government organizations. Once targets clicked a link and were led to an attacker-controlled phishing page, attackers maintained persistence by granting an OAuth token to a legitimate email application like Thunderbird or by generating an App Password in order to access the account via IMAP – two methods that can be revoked if users change their password, according to Google.