
Hackers using Gmail drafts to steal data and update malware

Gmail drafts folder holding any incriminating goodies? Perhaps a drafted up email to an ex that you never sent?

Hackers have cottoned on to the privacy benefits of the Gmail drafts folder, a study by security startup Shape Security suggests (as reported by Wired). Shape identified the malware on a client's network. Because its "command and control" channel is hidden away in innocent-looking Gmail drafts that are never actually sent, the communication is tough to detect.


"What we're seeing here is command and control that's using a fully allowed service, and that makes it superstealthy and very hard to identify," said Wade Williamson, a security researcher at Shape. "It's stealthily passing messages back and forth without even having to press send. You never see the bullet fired."

To effect the attack, the hacker sets up an anonymous Gmail account and infects a computer inside the target's network with malware. The malware then logs into that anonymous Gmail account from the infected machine through Internet Explorer, which is kept invisible to the user by running it in the background, where it can load web pages without ever showing a window.

With the drafts folder open, a Python script on the infected machine reads code and commands out of a draft, and writes the data stolen from the machine back into the drafts folder as its reply. Everything is encoded, which makes detection difficult.
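One way a defender can look for this kind of channel is to flag browser processes that have no visible window yet poll Gmail at fixed, beacon-like intervals. The example below is added here and is not code from the article or from Shape Security; the log format, field names, hosts and timestamps are all constructed for illustration.

```python
"""Flag hidden-window browser sessions that reach Gmail on a regular polling
schedule. Log schema and sample data are constructed for this example."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed endpoint telemetry: timestamp, host, process, window state, destination.
# ws-17 is a hidden IE window polling Gmail every ~5 min; ws-22 is a person reading
# mail in a visible browser; ws-09 is a hidden window that never touches Gmail.
SAMPLE_LOG = """\
2014-10-29T09:00:03Z ws-17 iexplore.exe hidden mail.google.com
2014-10-29T09:05:02Z ws-17 iexplore.exe hidden mail.google.com
2014-10-29T09:10:04Z ws-17 iexplore.exe hidden mail.google.com
2014-10-29T09:15:03Z ws-17 iexplore.exe hidden mail.google.com
2014-10-29T09:20:02Z ws-17 iexplore.exe hidden mail.google.com
2014-10-29T09:01:10Z ws-22 chrome.exe visible mail.google.com
2014-10-29T09:02:41Z ws-22 chrome.exe visible mail.google.com
2014-10-29T09:19:55Z ws-22 chrome.exe visible mail.google.com
2014-10-29T09:47:30Z ws-22 chrome.exe visible mail.google.com
2014-10-29T09:03:00Z ws-09 iexplore.exe hidden www.example.com
"""

def parse(line):
    ts, host, proc, window, dest = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, proc, window, dest

def find_hidden_gmail_beacons(log_text, min_events=4, max_jitter=0.2):
    """Return (host, process, mean_interval_seconds) for each hidden-window
    process that contacts Gmail at least min_events times with low jitter."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        ts, host, proc, window, dest = parse(line)
        # Only hidden browser windows talking to Gmail are of interest here.
        if window == "hidden" and dest.endswith("mail.google.com"):
            sessions[(host, proc)].append(ts)
    findings = []
    for (host, proc), stamps in sessions.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation near zero means a fixed polling interval,
        # which human browsing almost never produces.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append((host, proc, round(avg)))
    return findings

if __name__ == "__main__":
    for host, proc, interval in find_hidden_gmail_beacons(SAMPLE_LOG):
        print(f"{host}: {proc} polls Gmail from a hidden window every ~{interval}s")
```

Because the draft contents are encoded, this heuristic keys on timing and window state rather than on payload, so it complements rather than replaces content inspection.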

Shape does not know how many computers may have fallen prey to the hack, but because the malware is built to steal data directly, the researchers believe it is probably a closely targeted attack. Short of blocking Gmail entirely, users will find it difficult to protect against the attack, which means Google should probably make Gmail more robust against such threats.