The tool, known as HYPERSCRAPE, was discovered in December 2021, but there is evidence of a previous version from 2020. HYPERSCRAPE is believed to still be under active development. However, it has already been used to target a few accounts in Iran. “We have taken actions to re-secure these accounts and have notified the victims through our Government Backed Attacker Warnings,” Google’s Threat Analysis Group (TAG) said in a blog post. Charming Kitten (or APT35) is known to target organizations and officials in North America and the Middle East. A recent report revealed that the group impersonates journalists. It is unclear if HYPERSCRAPE has been used to hack any high-profile targets — the researchers did not provide any details about the “fewer than two dozen accounts” the tool has been used to target.
Target’s Login Credentials Needed for Exploit
For hackers to access an email account using HYPERSCRAPE, they need the target’s login credentials. The attacker runs HYPERSCAPE on their device. The program’s user agent looks like an outdated browser and allows the hacker to view Gmail in Standard or Basic HTML view, Ajax Bash from Google’s TAG said. First, the tool automatically changes the account’s language to English — if that’s not the language. Then, it scans through the victim’s inbox and downloads emails individually as .eml files. Cleverly, after accessing previously unopened emails, the tool marks them as unread. After downloading the contents of the account, the tool also changes the account language to the original setting and deletes Google’s security emails. This makes it virtually impossible for victims to know their account is compromised. Earlier versions of HYPERSCRAPE reportedly allowed attackers to use Google Takeout, a feature that lets users export their data. “The functionality was not automated and it’s unclear why it was removed in later versions,” Bash stated. TAG researchers tested HYPERSCAPE in a controlled environment to learn how it functions. They used a test Gmail account for their experiment and noted that the process might differ for Yahoo! and Microsoft Outlook accounts.
How to Protect Your Email Accounts
The researchers encouraged high-profile targets to take advantage of Google’s security tools to protect their Gmail accounts. The discovery of HYPERSCRAPE and similar malicious tools inform the company’s efforts to improve the security of its products, they explained. “In the meantime, we encourage high risk users to enroll in our Advanced Protection Program (APP) and utilize Google Account Level Enhanced Safe Browsing to ensure they have the greatest level of protection in the face of ongoing threats,” the researchers said. Hacking groups like Charming Kitten usually target politicians, journalists, activists, and high-profile figures. Still, it’s important to bolster the security of your online accounts, even if you’re unlikely to be in their cross-hairs. Creating a highly secure password and using two-factor authentication are good ways to protect your online accounts. Our guide to secure passwords contains some insightful information about passwords. If you have difficulties creating and remembering complex passwords, consider using a password manager. Check out our article on the best password managers of 2022 to get started.
