Update, January 20, 2025: This story, originally published on January 18, now includes mitigation tips to help protect against the sneaky email hacking tactics used by the VIP Keylogger and 0bj3ctivityStealer threat campaigns, as well as details of recommended security applications that can help prevent you from falling victim to phishing and malware attacks.
It’s no secret that hackers want your account credentials, whether it’s from high-velocity attacks against Microsoft accounts or two-factor authentication bypass attacks against Google users. The primary attack methodology revolves around your email, whether the lure is a classic phishing message or something less obvious. Now, security researchers have issued a warning about VIP Keylogger and 0bj3ctivityStealer malware, which are not so easy to spot because they are cleverly hidden inside your email messages. With Gmail and Outlook being the largest email platforms, users are warned to be especially vigilant for these attacks. Here’s what you need to know.
How hacker threats hide in your email
Although phishing threats are nothing new and are constantly evolving, most still rely on the same old techniques: getting you to click on links or execute attachments. However, the latest HP Wolf Security Threat Insight report has issued a warning about a critical malware threat that is sent via email while remaining hidden within images. Not just one malware threat, actually, but two.
Security researchers have reported how they caught malware campaigns spreading the VIP Keylogger and 0bj3ctivityStealer hacking threats both using the same initial exploit techniques: hiding malicious code in images. VIP Keylogger can record keystrokes and extract credentials from a number of sources, including applications and memory data. 0bj3ctivityStealer is also, as the name suggests, an information stealer and targets both account credentials and credit card information.
“By hiding malicious code in images and hosting them on legitimate websites,” the researchers said, “attackers were more likely to bypass network security such as online proxies that rely on reputation checks.”
“The tactics observed in the report indicate that threat actors are reusing and combining attack components to improve the efficiency of their campaigns,” said James Coker, writing in Infosecurity Magazine.
In what HP Wolf researchers called “massive malware campaigns” spreading the VIP Keylogger threat, emails posing as invoices and purchase orders were sent to victims, and the investigation revealed “numerous malicious images,” the most accessed of which was viewed 29,000 times. 0bj3ctivityStealer, meanwhile, was delivered using archive files related to quote requests. These, if activated, download an image from a remote server that contains the malicious code itself.
Mitigating phishing risks lurking in your email
Singapore’s Cyber Security Agency has published a January 20 update to its list of recommended security apps to boost protection against phishing and malware campaigns. Since the list was first compiled in 2023, CSA has conducted a series of tests of such apps on the Android and iOS platforms, rating them based on performance in four categories: malware detection, phishing detection, network detection and device integrity checks. “Of these, network detection and device integrity checks are new categories added in this review,” said a CSA spokesperson. “Six security applications made the list.”
Looking at the assessment categories in more detail, the CSA said malware detection involves installing the security application on the device and testing its ability to detect different malware samples – including original, repackaged and obfuscated samples. When it came to phishing, the tests involved accessing selected phishing links across different environments, such as through in-app browsers, dedicated browsers such as Chrome for Android users and Safari for iOS users, or through a provided URL checker from the application. Network detection used attack simulation to test whether the app can detect and alert the user, while device integrity tests focused on unauthorized rooting and jailbreaking modifications.
While the CSA acknowledges that no single app can guarantee “absolute” cyber security and “users should be vigilant, practice good cyber hygiene and stay up-to-date on anti-fraud advice”, it recommends six security apps for “enhanced mobile device protection against widespread malware, phishing attacks and scams.”
Google has built new defenses to protect billions of Gmail users from all kinds of cyberattacks, including the kind of phishing threats and malware exemplified by the HP Wolf researchers. In 2024, Gmail’s senior director of product management, Andy Wen, said, “We developed several innovative AI models that significantly strengthened Gmail’s cyber defenses, including a new large language model that we trained for phishing, malware and spam”. This helped block 20% more spam than previous protections by more accurately identifying malicious patterns. Another AI model, Wen said, “acts as a watchdog for our existing AI defenses by instantly evaluating hundreds of threat signals when a dangerous message is flagged and deploying appropriate defenses.”
Microsoft, meanwhile, said that “all Outlook.com users benefit from spam and malware filtering. For Microsoft 365 Family and Microsoft 365 Personal subscribers, Outlook.com performs additional checking of attachments and links in the messages you receive.” These premium security features are automatically enabled for all Microsoft 365 Family and Microsoft 365 Personal subscribers who have email accounts that end with @outlook.com, @hotmail.com, @live.com and @msn.com.