Jump to content

Chinese hackers hitting Microsoft Outlook users with man-in-the-middle attacks

Recommended Posts


Chinese hackers have launched a wave of man-in-the-middle (MITM) attacks capable of stealing emails, contacts and passwords is targeting Microsoft Outlook users in the country.

Greatfire.org, a group that reports on and works to combat Chinese government online censorship and surveillance, reported uncovering the campaign this week.

"On January 17, we received reports that Microsoft's email system, Outlook (which was merged with Hotmail in 2013), was subjected to a MITM attack in China," read the Greatfire threat advisory.

"This form of attack is especially devious because the warning messages users receive from their email clients are much less noticeable than the warning messages delivered to modern browsers."

The attack reportedly uses a bogus certificate to push a malicious alert to Outlook users that siphons information from the victim's account if it is opened.

"Users will only see an abrupt pop-up warning when the client tries to automatically retrieve messages. Users will then be able to tap on a 'continue' button and ignore the warning message," explained the advisory.

"If users do click on the 'continue' button, all of their emails, contacts and passwords will be logged by the attackers."

The number of affected Outlook users remains unknown, although a Microsoft spokesperson confirmed to V3 that the firm is aware of the attacks.

"We are aware of a small number of customers impacted by malicious routing to a server impersonating Outlook.com. If a customer sees a certificate warning, they should contact their service provider for assistance," they said.

Greatfire believes that the Chinese government is responsible for the attacks, citing similarities to previous attacks it believed were state sponsored.

"Because of the similarity between this attack and previous, recent MITM attacks in China on Google, Yahoo and Apple, we once again suspect that Lu Wei and the Cyberspace Administration of China have orchestrated this attack," it said.

"If our accusation is correct, this new attack signals that the Chinese authorities are intent on further cracking down on communication methods that they cannot readily monitor."

The attack on Apple's iCloud occurred at the end of 2014 and was serious enough for CEO Tim Cook to fly to China.

F-Secure security advisor Sean Sullivan told V3 that the Outlook attacks follow a similar pattern to the iCloud campaign and warned business users visiting China to be extra cautious.

"This case appears similar to the move against iCloud back in October. Any business person travelling or working in China should use a VPN (or other measures) to access their email - or else pay very careful attention to warning messages," he said.

"If you're doing business in China, be very mindful of the situation. I'd even recommend using separate hardware for the trip."

Jason Steere, director of technology strategy at FireEye, mirrored Sullivan's sentiment, pointing out that, even if focused on monitoring Chinese citizens alone, the attacks could cause trouble for Western professionals visiting the country.

"I suspect this attack is more about gathering intel on Chinese citizens - using international mail systems to communicate information that they could not do with a Chinese web platform due to censorship," he told V3.

"However, many other people are collateral damage with information exposed that I'm sure they would prefer not to be picked up.

"Anything sent or received, such as usernames, passwords, holidays, journalist sources, new stories, personal information etc, would all have been exposed during the time of the attack.

"All of that information can be collected and used for intel, surveillance etc."

The attack on Outlook comes less than a month after Chinese authorities began blocking local access to Google services including Gmail.

Prior to the Google blockade the Beijing government mounted a mass censorship campaign that cut off access to thousands of websites, applications and cloud services in November 2014.


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...