July 15, 2012, Singapore
Case: Gmail Phishing
Location: Singapore office of a software development company
Brief: A software development company engaged RP-DS to investigate one of their computers which the IT department suspected to be infected by malware. The investigation scope was to check for:
• the presence of malware
• the existence of any keylogger/remote control client software
• links or evidence of external cloud storage use
• compromise of MS Outlook
• any other evidence of possible external attack
Procedure: To preserve the evidence, the laptop was brought back to the lab and forensically imaged. We first checked whether there was live malware activity or unauthorized software on the computer. After imaging the disk and memory, we looked for traces of malware activity in EXEs, DLLs and running processes, and inspected the emails and other artefacts. Virtualisation and network traffic monitoring were also used. The results showed that no "live" malware was running on the system. We then extracted and inspected the emails and internet artefacts, such as cloud storage activity, as the client had highlighted these to us as showing evidence of "hacking" activity. Again, no "live" malware existed on the system, but malware was detected in one of the email attachments. On further examination we found that the email was a phishing email (containing Zeus malware) and had not been created by the user of the computer. Further examination showed that the email's malware was set up to download ransomware onto the victim's computer.
Outcome: On further examination of the malicious email, we found that its personal signature contained 2 phone numbers different from those in the emails usually sent by the user of the computer. Also, prior to the malicious email being sent, our client had received a "signed-in notification" from Google alerting them that the account had been signed in to from another country. These characteristics closely resembled an article we had recently read in the news reporting a spate of complex Gmail phishing activities, similar to what happened to our client. The user of the computer was not in Europe when this sign-in occurred.
Fortuitously, we had recently read a news article online reporting a spate of complex Gmail phishing activities that had evaded Gmail and other security systems. These activities were extremely similar to what happened to our client. The client had received a Gmail phishing email, clicked on it and then entered his username and password as requested. This gave the hackers access to his Gmail account. The perpetrators then read his emails and targeted several of his clients with specific emails claiming to carry "invoices" as attachments. These attachments, however, contained a type of malware (Zeus) which downloaded further ransomware, which in turn encrypted the recipient's computer.
Given that the malware was found only in the client's "sent" emails, plus the other artifacts we found, it was concluded that there was no live malware on the computer and that the "hack" was instead a Gmail phishing incident. We demonstrated that our client had been a victim of this Gmail phishing attack and that their account had been used to stage an attack and send "ransomware" to others.
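The two indicators that exposed the hijacked account in this case (signature phone numbers that differ from the user's usual ones, and "invoice" lures carrying an archive attachment) can be checked mechanically across a mailbox's sent items. The script below is an added example, not RP-DS's tooling or anything from the case; the sample messages, the baseline phone number and the attachment bytes are all constructed.

```python
import hashlib
import re
from email import message_from_string, policy
from email.message import EmailMessage

# No newline in the character class, so numbers on consecutive signature lines stay separate.
PHONE_RE = re.compile(r"\+?\d[\d \-]{6,}\d")
RISKY_EXT = (".zip", ".rar", ".exe", ".scr", ".js")

def phone_numbers(text):
    # Normalise to '+' and digits so "+65 6123-4567" compares equal to "+6561234567".
    return {re.sub(r"[ \-]", "", m) for m in PHONE_RE.findall(text)}

def triage_sent_mail(raw_messages, baseline_phones):
    # Flag sent mail whose signature phones fall outside the user's baseline, or that pairs
    # an "invoice" subject with an archive/executable attachment.
    findings = []
    for raw in raw_messages:
        msg = message_from_string(raw, policy=policy.default)
        body = msg.get_body(preferencelist=("plain",))
        unusual = phone_numbers(body.get_content() if body else "") - set(baseline_phones)
        attachments = []  # (filename, sha256) for later lookup against AV or a sandbox
        for part in msg.iter_attachments():
            data = part.get_payload(decode=True) or b""
            attachments.append((part.get_filename() or "", hashlib.sha256(data).hexdigest()))
        subject = str(msg["Subject"] or "")
        risky = [name for name, _ in attachments if name.lower().endswith(RISKY_EXT)]
        reasons = []
        if unusual:
            reasons.append("signature phone(s) outside baseline: " + ", ".join(sorted(unusual)))
        if risky and "invoice" in subject.lower():
            reasons.append("invoice lure with risky attachment: " + ", ".join(risky))
        if reasons:
            findings.append({"subject": subject, "reasons": reasons, "attachments": attachments})
    return findings

def _build(subject, body, attachment=None):
    m = EmailMessage()  # raw RFC 5322 message for the constructed sample mailbox below
    m["From"], m["To"], m["Subject"] = "user@example.com", "client@example.org", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(attachment[1], maintype="application", subtype="zip", filename=attachment[0])
    return m.as_string()

# Constructed sample "sent items": one genuine message, one sent by the account hijacker.
BASELINE_PHONES = {"+6561234567"}
SAMPLE_SENT = [
    _build("Project update", "Hi,\nSee you Monday.\n\nRegards,\nUser\nTel +65 6123-4567\n"),
    _build("Invoice 0427", "Please find the invoice attached.\n\nRegards,\nUser\nTel +44 20 7946 0001\nMob +44 7700 900002\n",
           ("invoice_0427.zip", b"PK\x03\x04 constructed placeholder, not a real archive")),
]
```

Running `triage_sent_mail(SAMPLE_SENT, BASELINE_PHONES)` flags only the "Invoice 0427" message, with both reasons, and records the attachment hash for correlation with the AV or sandbox results.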