October 4, 2018

Cofense say Zoho outage caused by keyloggers transmitting stolen data

Research conducted by Cofense reveals that 40% of the keyloggers they analyzed used Zoho's email service to transmit data stolen from victims' machines.


Last week, after TierraNet took Zoho offline in response to phishing complaints from customers, email security provider Cofense dug into the details to find the root cause of the mishap. According to their research, Cofense found that 40% of all the keyloggers they analyzed used Zoho to exfiltrate data stolen from victims' machines.

Cofense explained that keyloggers are malware that quietly monitor a victim's computer in order to collect account credentials and other secrets and to spy on the user's behaviour. This collection of information, or more accurately theft, is done by monitoring and logging whatever is typed on the keyboard, recording webcams and taking screenshots of active windows; the collected data is then transmitted to the attacker, in the cases Cofense analyzed, through Zoho email accounts.

A spokesperson for Cofense commented:

The rise in Keyloggers seems to coincide with a real explosion of the Malware-as-a-Service model. By abstracting away all of the difficult parts of malware – namely its authorship and subsequent configuration – it is trivial for utterly non-technical actors to purchase an off-the-shelf keylogger that’s ready to deploy.

With Phishing-as-a-Service also in existence, it’s possible for would-be attackers to get end-to-end malware delivery without having to run a single command.

According to Cofense, Zoho attracts many attackers because it is a cloud-based service with a very large and varied end-user base, so a Zoho account used for exfiltration does not stand out. They also claim that because platforms like Zoho do not enforce strict security controls such as multifactor authentication, additional exposure to cyber risk is created.

Zoho say that they have taken precautionary measures to prevent this from happening again. Some of the changes they have made in order to restrict abuse are:

1. Mandating mobile verification for all new registrations,
2. Changing the SPF (Sender Policy Framework) record for zoho.com to "hard fail" (the "-all" mechanism), so that mail not originating from Zoho's servers is rejected or marked as spam by recipient servers, and
3. Blocking free users with suspicious login patterns, particularly for outgoing SMTP (Simple Mail Transfer Protocol), to ensure they do not use Zoho email IDs with malicious intent.
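To make the second measure concrete, the following is an added example, not code from the article or from Zoho, of how a receiving mail server evaluates an SPF record against the IP address of the connecting sender. The two records, the IP ranges and the receiver policy are constructed for illustration and are not zoho.com's real DNS data; the only difference between the weak record and the hardened one is "~all" (soft fail) versus "-all" (hard fail). The evaluator handles the mechanisms that need no DNS lookup (ip4, ip6, all) and deliberately refuses include/a/mx/redirect rather than returning a misleading result.

```python
import ipaddress

# Constructed example records (not Zoho's real SPF data). Both authorise the
# same sender ranges; only the treatment of everyone else differs.
SOFTFAIL_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"  # weak: soft fail
HARDFAIL_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"  # hardened: hard fail

# SPF qualifier prefix -> result name (RFC 7208 section 4.6.2)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return the SPF result (pass/fail/softfail/neutral/none) for a sender IP.

    Only ip4, ip6 and all are implemented, because they can be evaluated
    offline. Mechanisms and modifiers that need DNS (include, a, mx, exists,
    ptr, redirect) raise NotImplementedError so an incomplete evaluation is
    never mistaken for a real verdict.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all

    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]

        # Modifiers have the form name=value and are not matched like mechanisms.
        if "=" in term.split(":", 1)[0]:
            name = term.split("=", 1)[0].lower()
            if name == "redirect":
                raise NotImplementedError("redirect= needs a DNS lookup")
            continue  # exp= and unknown modifiers do not change the result

        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]  # "all" always matches; ends evaluation
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip in net:  # False when address families differ
                return QUALIFIERS[qualifier]
            continue
        raise NotImplementedError(f"mechanism {mech!r} needs a DNS lookup")

    return "neutral"  # no mechanism matched and no "all" term (RFC 7208 4.7)


def receiver_action(result: str) -> str:
    """Assumed receiver policy (constructed for this example, not any real MTA's
    default): reject on hard fail, accept but flag on soft fail, accept on pass,
    and treat everything else as unverified."""
    return {
        "pass": "accept",
        "fail": "reject",
        "softfail": "accept-and-mark-as-spam",
    }.get(result, "accept-unverified")


def check_sender(record: str, sender_ip: str) -> tuple:
    """Convenience wrapper returning (spf_result, receiver_action)."""
    result = evaluate_spf(record, sender_ip)
    return result, receiver_action(result)


if __name__ == "__main__":
    # A spoofed message from an address outside the authorised ranges:
    for label, record in (("softfail", SOFTFAIL_RECORD), ("hardfail", HARDFAIL_RECORD)):
        print(label, check_sender(record, "198.51.100.7"))
    # A legitimate message from an authorised IPv6 range:
    print("legit", check_sender(HARDFAIL_RECORD, "2001:db8:1::1"))
```

Running it shows why the change matters: the spoofed sender is merely flagged under "~all" but rejected outright under "-all", while mail from the authorised ranges passes in both cases. Note that SPF only checks the envelope sender's domain against the connecting IP; it does nothing against abuse by an attacker who legitimately holds a free account on the service, which is what the other two measures target.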

Sridhar Vembu, CEO at Zoho, commented:

Unfortunately, phishing has become one of the bad side-effects of Zoho’s rapid growth over the last couple of years, especially the growth of our mail service.

Since Zoho Mail also offers the most generous free accounts as part of our freemium strategy, this gets exacerbated as more malicious actors take advantage of this massive customer value.

But we are clamping down on this heavily and I quickly wanted to briefly share what we have done and will be doing.

As industry observers, we hope that Zoho's incident, and its response to it, sets an example for other organizations in the IT industry.