Now hackers have learned the same trick. Only instead of a mistress, they're sharing their love letters with data-stealing malware buried deep on a victim's computer.
Researchers at the security startup Shape Security say they've found a strain of malware on a client's network that uses that new, furtive form of "command and control"—the communications channel that connects hackers to their malicious software—allowing them to send the programs updates and instructions and retrieve stolen data. Because the commands are hidden in unassuming Gmail drafts that are never even sent, the hidden communications channel is particularly difficult to detect.
"What we're seeing here is command and control that's using a fully allowed service, and that makes it superstealthy and very hard to identify," says Wade Williamson, a security researcher at Shape. "It's stealthily passing messages back and forth without even having to press send. You never see the bullet fired."
Here's how the attack worked in the case Shape observed: The hacker first set up an anonymous Gmail account, then infected a computer on the target's network with malware. (Shape declined to name the victim of the attack.)