“Suspicious sign in prevented” Spam That Links to Malware
New spoofed email has been spotted over this week by TrendMicro that claims to be sourced from Gmail and alert users about a suspicious activity been detected on their email accounts. The email claims a login to gmail account from an unrecognized device with the time of login and source to be from Chicago and invite user to follow a malicious link.
The spam include links pointing to Google Drive a cloud service that is hosting html file used to gather information on victim machine including type of browser and operating system. this to classify victims machine so cybercriminal will leverage the malicious payload associated with the system in use.
Malicious payload will install a backdoor which steals email credentials and user names and passwords. it will also allow attacker to have a key-logger installed on victim machine to have all activities on infected system. According to the blog post attackers are changing hosted files on Google drive within several days. this makes it updated according to their need and to avoid detection by security programs.
Cloud hostage have been a good way for distributing malwares because they are not going to be black listed by spam filters which makes the link arrive to targeted users and it can be changed at any time without tracking the source of attackers. If you receive a similar message make sure to ignore and delete the spam and it is possible to report the case to Google so they remove the malicious files.