Imagine if cybercriminals didn’t have to send a malicious email for their victims to get the message anyway.
That’s a tool one hacker is advertising on a dark web forum, according to research Gemini Advisory released Wednesday. And because the email can be implanted rather than sent, it has the potential to bypass security that inspects messages as they’re en route to their destination server, researchers said.
“The software poses a significant threat as it raises the success rate of malware attacks, allows for more sophisticated phishing and business email compromise (BEC) campaigns, and opens the door for technically simple ransomware-like attacks,” according to a blog post from the Miami-based threat intelligence company.
First, attackers must obtain valid email addresses and associated passwords, often available on the dark web at a low cost. Then the attacker has to upload the compromised credentials into Email Appender, which checks the credentials and connects to the accounts through the Internet Message Access Protocol, a standard protocol email clients use to retrieve messages. From there, attackers can use an IMAP feature that allows an authenticated user to append a message to their inboxes, and can amend the “Sender,” “From” and “Reply-To” fields.
“This was something that seems to be fairly unique,” said Stanislav Alforov, Gemini Advisory’s director of research.
Alforov said the hacker advertising Email Appender has offered other services in the past, and appears to have a “decent reputation” in dark web forums. A video he uploaded on YouTube has received positive feedback from people who say they’ve been able to test and use the Email Appender tool, Alforov said.
The best way to render Email Appender impotent, Alforov said, is to enable multi-factor authentication. Once an account is protected with more than just a password, the malicious software can’t do its job.