Gmail users, and in particular the diplomats, journalists, government agencies, university professors and politicians this campaign targets, risk having their messages read by North Korean hackers. According to a joint cybersecurity advisory from Germany (the BfV) and South Korea (the NIS), a hacking group known as Kimsuky has been using malicious Chrome extensions to spy on the Gmail accounts of those groups.
Kimsuky is a North Korean threat group that has been active since 2012, conducting cyber-espionage campaigns against targets in South Korea, the USA, and Europe. The group is interested in topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to the regime.
The group’s latest attack method involves sending spear-phishing emails to lure victims into installing a malicious Chrome extension, which can also affect other Chromium-based browsers like Microsoft Edge or Brave. The extension is named ‘AF’ and can only be seen in the extensions list if the user enters “chrome://extensions,” “edge://extensions,” or “brave://extensions” in the browser’s address bar.
Once the victim opens Gmail in the infected browser, the extension activates and reads the email content straight out of the already-authenticated session. It abuses the browser’s Devtools API (developer tools API) to send the stolen data to an attacker-controlled relay server. Because the extension rides on a session the victim has already signed into, it never has to break or bypass account security protections such as the password or a second factor, and the theft leaves no failed-login trail.
This is not the first time Kimsuky has used malicious Chrome extensions to steal emails from breached systems. In July 2022, cybersecurity firm Volexity reported about a similar campaign using an extension named “SHARPEXT.” In December 2018, Netscout reported that Kimsuky was following the same tactic against academia targets.
In addition to the Chrome extension, Kimsuky also uses Android malware tracked as “FastViewer,” “Fastfire,” or “Fastspy DEX” to spy on mobile devices. The malware is disguised as a security plugin or document viewer and is pushed to the victim’s phone through Google Play’s web-to-phone synchronization feature, which lets whoever is signed into the victim’s Google account install apps on the linked devices from the Play Store website on a computer.
The malware can track the victim’s location, keystrokes, phone calls, contacts, SMS messages, and other sensitive information. The malware has been updated several times since it was first discovered in October 2022 by cybersecurity firm AhnLab.
How can a Gmail account be protected from these attacks? Here are some tips:
– Be wary of unsolicited emails that ask to install extensions or apps on the browser or device. Verify the sender’s identity and check the legitimacy of the links before clicking on them.
– Review the browser’s extensions list (chrome://extensions, edge://extensions, or brave://extensions) regularly and remove anything you do not recognize or did not install yourself. Also turn off the “Developer mode” toggle on that page, since developer mode is what allows unpacked extensions to be loaded from a local folder instead of the Web Store.
– Use reputable antivirus or anti-malware software on computers and devices and keep it updated. Scan systems regularly for any signs of infection.
– Enable two-factor authentication (2FA) on any Gmail and other online accounts. This adds an extra layer of security by requiring a code or a device confirmation in addition to the password when signing in. Note that this particular campaign reads mail from inside a browser session the victim has already signed into, so 2FA alone would not have stopped it; it still prevents an attacker from reusing a stolen password from another machine.
– Monitor the Gmail account activity and report any suspicious or unauthorized access. Check the account activity by clicking on “Details” at the bottom right corner of the inbox. Also, review the security settings and alerts by visiting https://myaccount.google.com/security.
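Putting the extension mechanism described above together with the “review your extensions” tip, here is an added example, written for this page and not part of the advisory or of Kimsuky’s own tooling, that audits a Chromium profile’s extension registry and flags extensions that were sideloaded (not from the Web Store), that register a DevTools page or hold the debugger permission, or whose host permissions cover webmail. The Location enum values, the Preferences/Secure Preferences file names and the webmail host list are assumptions noted in the comments, and the sample registry is constructed: its “AF” entry is a made-up approximation of the behaviour the page describes, not the real extension’s manifest.

```python
"""Audit a Chromium profile's extension registry for sideloaded extensions that
can reach webmail or drive the DevTools API. Added example, not the page's code."""
import json
import sys
from pathlib import Path

# Chromium's Manifest::Location enum (assumption: values as in Chromium's
# extensions/common/manifest.h; check them against the browser build you audit).
LOCATION_NAMES = {
    1: "INTERNAL (Web Store / .crx)",
    2: "EXTERNAL_PREF",
    3: "EXTERNAL_REGISTRY",
    4: "UNPACKED (developer mode 'Load unpacked')",
    5: "COMPONENT (built into the browser)",
    6: "EXTERNAL_PREF_DOWNLOAD",
    7: "EXTERNAL_POLICY_DOWNLOAD",
    8: "COMMAND_LINE",
    9: "EXTERNAL_POLICY",
    10: "EXTERNAL_COMPONENT",
}
# Anything installed outside the Web Store, enterprise policy or the browser itself.
SIDELOADED = {2, 3, 4, 6, 8}
# Webmail origins worth flagging (assumption: extend for the mail services you use).
WEBMAIL_HOSTS = ("mail.google.com", "outlook.live.com", "outlook.office.com")


def load_extension_settings(profile_dir):
    """Return the extensions.settings map from a Chromium profile directory.
    Chrome on Windows keeps it in 'Secure Preferences'; other builds use
    'Preferences' (assumption). Returns {} when neither file carries extension data."""
    for name in ("Secure Preferences", "Preferences"):
        path = Path(profile_dir) / name
        if path.is_file():
            data = json.loads(path.read_text(encoding="utf-8"))
            settings = data.get("extensions", {}).get("settings")
            if settings:
                return settings
    return {}


def matches_webmail(pattern):
    """True if a host-permission match pattern covers one of WEBMAIL_HOSTS."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False  # an API permission such as "tabs", not a host pattern
    host = pattern.split("://", 1)[1].split("/", 1)[0]
    if host == "*":
        return True
    for webmail in WEBMAIL_HOSTS:
        if host == webmail:
            return True
        if host.startswith("*.") and webmail.endswith(host[1:]):
            return True  # "*.google.com" covers mail.google.com
    return False


def audit_extensions(settings):
    """Score every non-component extension; return the ones worth a closer look."""
    findings = []
    for ext_id, entry in settings.items():
        location = entry.get("location")
        if location == 5:
            continue  # component extensions ship with the browser, not user installs
        manifest = entry.get("manifest") or {}
        permissions = list(manifest.get("permissions", []))
        hosts = list(manifest.get("host_permissions", [])) + permissions  # MV3 and MV2
        reasons, score = [], 0
        if location in SIDELOADED or entry.get("from_webstore") is False:
            reasons.append(f"sideloaded: location={LOCATION_NAMES.get(location, location)}, "
                           f"from_webstore={entry.get('from_webstore')}")
            score += 2
        if "devtools_page" in manifest or "debugger" in permissions:
            reasons.append("registers a DevTools page or holds the debugger permission")
            score += 1
        webmail = [h for h in hosts if matches_webmail(h)]
        if webmail:
            reasons.append(f"can read webmail pages: {', '.join(webmail)}")
            score += 1
        if reasons:
            findings.append({
                "id": ext_id,
                "name": manifest.get("name", "?"),
                "path": entry.get("path"),
                "severity": "high" if score >= 3 else "medium" if score == 2 else "low",
                "reasons": reasons,
            })
    return sorted(findings, key=lambda f: -len(f["reasons"]))


# Constructed sample registry (not from a real infection): one ordinary Web Store
# extension, one unpacked extension shaped like the page's description of "AF",
# and one browser component that the audit should ignore.
SAMPLE_SETTINGS = {
    "a" * 32: {"location": 1, "from_webstore": True,
               "manifest": {"name": "Tab Notes (constructed)", "manifest_version": 3,
                            "permissions": ["storage"], "host_permissions": []}},
    "b" * 32: {"location": 4, "from_webstore": False,
               "path": "C:\\Users\\user\\AppData\\Local\\Temp\\AF",
               "manifest": {"name": "AF", "manifest_version": 3,
                            "devtools_page": "devtools.html",
                            "permissions": ["tabs", "storage"],
                            "host_permissions": ["https://mail.google.com/*"]}},
    "c" * 32: {"location": 5, "from_webstore": False,
               "manifest": {"name": "Browser component (constructed)",
                            "permissions": ["<all_urls>"]}},
}

if __name__ == "__main__":
    settings = load_extension_settings(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SETTINGS
    for f in audit_extensions(settings):
        print(f"[{f['severity'].upper()}] {f['name']} ({f['id']}) path={f['path']}")
        for reason in f["reasons"]:
            print("   -", reason)
```

Run it with no argument to see the constructed sample, or point it at a profile directory (for example `%LOCALAPPDATA%\Google\Chrome\User Data\Default` on Windows or `~/.config/google-chrome/Default` on Linux), ideally on a copy taken while the browser is closed. A hit is a starting point for review, not proof of compromise: a legitimate Web Store extension with a Gmail host permission will appear as a low-severity entry, while an unpacked extension that both registers a DevTools page and scopes itself to webmail is the combination the page describes and is scored high.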
By following these steps, we can reduce the chances of falling victim to Kimsuky’s attacks and protect Gmail accounts from North Korean or other hackers.
Photo by Rubaitul Azad on Unsplash.