Security researchers have discovered a keylogger phishing campaign that has affected Zoho, an Indian free online office suite.
In the last month, 40 percent of the phishing attacks used a zoho.com or zoho.eu email address to exfiltrate data from the victim's device. Meanwhile, to stop the phishing attack, domain registrar TierraNet temporarily took down the domain name, as Zoho failed to respond sufficiently to the reported abuse.
However, Zoho’s CEO Sridhar Vembu said, “There were a total of 3 complaints in 2 months and we took action on 2 of them immediately and one is pending investigation. We serve 40 million users. 3 complaints in 2 months.”
According to the researchers at Cofense, Zoho is widely used by phishers and fraudsters to spread their campaigns and achieve a massive impact. The researchers found that abusers are using Zoho in two ways.
One is to create a bogus account that receives emails containing the data exfiltrated by the keylogger malware. The other is to use stolen accounts to facilitate this same data exfiltration.
“The reason for threat actors overwhelmingly abusing Zoho is unclear, but minimal security process enforcements – optional two-factor authentication (not enforced), activity monitoring, etc. – combine with user susceptibility to create fertile ground,” the researchers write.