You have received an email with malware from QakBot

QakBot Malware: How Your Own Email Can Be Weaponised Against Your Contacts

It is entirely possible that you have received a strange email that appeared to come from a reputable source, such as a friend or a well-known company. But have you ever considered the possibility that a suspicious email could appear to come from your own email address? In a sophisticated and increasingly common fraud, cybercriminals are using a piece of malware called QakBot to hijack your email account and send phishing messages to your contacts, all without your knowledge.

What Is QakBot?

QakBot, also known as Qbot or Pinkslipbot, is a banking trojan that has been active since 2008 but has evolved significantly over the years. Originally designed to steal financial credentials, modern versions of QakBot have expanded their capabilities to include keylogging, email harvesting, and the ability to spread laterally across networks. It is one of the most persistent and adaptable malware families in circulation.

How the Attack Begins

The infection chain typically starts with a phishing email that lands in your inbox. The email may appear to come from a colleague, a supplier, or a service you use regularly. It contains a link or an attachment -- often disguised as a document, invoice, or spreadsheet -- that looks innocent enough. If you click the link or open the attachment, QakBot is silently downloaded and installed on your computer.

Once installed, QakBot operates in the background, performing several malicious actions:

  • Keystroke logging -- the malware records everything you type, including passwords, credit card numbers, and sensitive messages.
  • Email account access -- QakBot can infiltrate your email client, reading your inbox, sent items, and contact list.
  • Credential theft -- beyond email, the malware targets banking credentials and other financial login details stored on your system.

How QakBot Weaponises Your Email

This is where the attack becomes particularly insidious. Once QakBot has access to your email account, it uses the "Reply All" function to insert itself into your existing email conversations. The malware reads your recent email threads and sends phishing replies to everyone involved. Because these messages appear within an ongoing conversation and come from your genuine email address, they look entirely legitimate.

Recipients see a reply from someone they know and trust, in a thread they are already part of. The message typically contains a brief line of text and a malicious link or attachment. The familiarity of the context dramatically increases the likelihood that the recipient will click without questioning it.

If they do click, QakBot installs itself on their computer as well, and the cycle repeats. A single infection can rapidly spread through an entire organisation's email network, compromising dozens or even hundreds of accounts.

Why This Is So Difficult to Detect

Traditional phishing emails often contain obvious red flags: misspelled words, generic greetings, unfamiliar sender addresses. QakBot eliminates most of these warning signs by:

  • Sending from a genuine, trusted email address.
  • Replying within a real, ongoing conversation.
  • Using context that is relevant to the recipient.
  • Operating silently, so the compromised user may not even know their account is being used.

This makes QakBot-delivered phishing emails among the most convincing and dangerous forms of social engineering in use today.

How to Protect Yourself

Follow the guidelines below to reduce your risk of falling victim to QakBot and similar malware:

  • Be cautious of urgency in any message. Even in emails that appear to come from people you know, watch for language that creates pressure to act quickly. Phrases like "please review this urgently" or "action required immediately" are common tactics used by both human scammers and malware-generated messages.
  • Do not click links or download attachments from unexpected emails. This applies even when the email appears to come from a trusted contact. If you were not expecting a document or link, verify it before clicking.
  • Be wary of emails containing only a brief message and a link. This pattern -- a short sentence followed by a URL -- is characteristic of QakBot-generated messages. If you are unsure whether the link is safe, call the sender to confirm that they actually sent the email.
  • Keep your operating system and software updated. QakBot often exploits known vulnerabilities in outdated software. Regular updates and patches close these entry points.
  • Use reputable antivirus and anti-malware software. Ensure your security software is active, up to date, and configured to scan email attachments automatically.
  • Enable two-factor authentication on all email accounts. Even if QakBot captures your password, two-factor authentication adds a barrier that can prevent the attacker from accessing your account remotely.
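The "short sentence followed by a URL" pattern inside an existing thread can also be checked automatically at a mail gateway or during triage. The sketch below is an added example, not code from the original article: it parses a message with Python's standard `email` module, discards the quoted history, and flags replies whose newly written part is only a brief note plus a link or attachment. The 25-word threshold, the quote markers and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Markers that open the quoted history in common mail clients (assumed set).
QUOTE_RE = re.compile(r"^(>|On .+ wrote:$|-{2,}\s*Original Message)", re.I)
MAX_NEW_WORDS = 25  # assumed cut-off for "a brief line of text"

def new_text(body: str) -> str:
    """Return only what the sender added, dropping the quoted thread."""
    kept = []
    for line in (l.strip() for l in body.splitlines()):
        if QUOTE_RE.match(line):
            break
        if line:
            kept.append(line)
    return " ".join(kept)

def assess(raw: str) -> dict:
    """Flag a reply whose new content is just a short note plus a link or file."""
    msg = message_from_string(raw, policy=default)
    is_reply = bool(msg["In-Reply-To"] or msg["References"])
    part = msg.get_body(preferencelist=("plain",))
    added = new_text(part.get_content() if part else "")
    urls = URL_RE.findall(added)
    files = [p.get_filename() for p in msg.iter_attachments()]
    words = len(URL_RE.sub("", added).split())
    return {"is_reply": is_reply, "new_words": words, "urls": urls,
            "attachments": files,
            "suspicious": is_reply and words <= MAX_NEW_WORDS and bool(urls or files)}

def sample(new: str, quoted: str) -> str:
    """Build a constructed plain-text reply for the demonstration."""
    return ("From: Alice <alice@example.com>\nTo: Bob <bob@example.com>\n"
            "Subject: Re: Q3 invoice\nIn-Reply-To: <2@example.com>\n"
            "Content-Type: text/plain; charset=utf-8\n\n"
            f"{new}\n\nOn Mon, 3 Mar 2025, Bob wrote:\n> {quoted}\n")

# Constructed samples: a short note plus link, and a normal reply whose only
# URL sits in the quoted history.
SUSPICIOUS = sample("Please see the attached document and confirm.\n"
                    "https://files.example.net/doc.zip",
                    "I will send the invoice tomorrow.")
BENIGN = sample("Thanks, that works for me.",
                "The agenda is at https://intranet.example.com/agenda")

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, assess(raw))
```

A hit is a reason to verify with the sender by another channel, not proof of infection; legitimate short replies with links will also match.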

What to Do If You Suspect an Infection

If you notice unusual sent messages in your email account, if contacts report receiving strange emails from you, or if your system is running unusually slowly, take immediate action. Disconnect from the internet to prevent further spread, run a full system scan with updated security software, and change all of your passwords from a clean device. Notify your contacts that your account may have been compromised so they can be on alert for suspicious messages.

For businesses, a QakBot infection can escalate quickly. Having automated backups in place ensures you can restore clean versions of critical data, whilst server monitoring can help detect unusual email activity early. If your organisation needs help assessing its exposure to email-borne threats, Faciotech's IT consulting services can provide a thorough security review. For more on how email infrastructure can be exploited, see our article on Gmail SMTP relay vulnerabilities.

Stop, look, and think. Don't be fooled by the scammers.

Written by
Facio Innovations Technology

The FacioTech team delivers expert insights on web hosting, cybersecurity, web design, and digital technology to help businesses in Ghana succeed online.