Yahoo Mail and Google App Engine banned over malware concerns

The IT department of the U.S. House of Representatives has blocked access to Yahoo Mail and the Google App Engine platform due to malware threats.

On April 30, the House’s Technology Service Desk informed users about an increase in ransomware related emails on third-party email services like Yahoo Mail and Gmail.

“The House Information Security Office is taking a number of steps to address this specific attack,” the Technology Service Desk said in an email obtained and published by Gizmodo. “As part of that effort, we will be blocking access to Yahoo Mail on the House Network until further notice.”

The ban on Yahoo Mail access suggests that some House of Representatives workers accessed Yahoo mailboxes from their work computers. This raises the questions: are House workers using Yahoo Mail for official business, and, if they’re not, are they allowed to check their private email accounts on work devices?

If they use the same devices for both personal and work activities, one would hope that there are access controls in place to separate the work and personal data. Otherwise, if they are allowed to take those devices outside of the House’s network, they could just as easily become infected there, where the ban is not in effect.

“The recent attacks have focused on using .js files attached as zip files to e-mail that appear to come from known senders,” the House’s Technology Service Desk said. “The primary focus appears to be through Yahoo Mail at this time.”

The increase in ZIP and RAR email attachments that contain malicious JavaScript (JS) files has been observed by multiple security companies in recent months, including by Microsoft, which offers several recommendations, like using the Windows AppLocker group policy to restrict the execution of .JS files.

The House Information Security Office also banned access to appspot.com, the domain name used by applications hosted on the Google App Engine platform, Reuters reported.

This ban appears to be unrelated to the ransomware attacks and is in response to indicators that attackers have been using Google’s platform to host a remote access trojan named BLT since June 2015, unnamed congressional sources told Reuters.

Banning an entire service because some cybercriminals abuse it seems like overkill, especially when this can cause downtime to legitimate applications. Dropbox, Blogger, Google Docs and many other free services are routinely abused by cybercriminals to host malware. Banning them all, instead of specific malicious URLs, would likely be impractical.

Former House staffer Ted Henderson called the ban a “bumbling response” on Twitter. Henderson is the creator of Capitol Bells, an app that helps users track floor votes taken in real time, and Cloakroom, a chat app for Capitol Hill insiders. Both apps were affected.

“This Brazilian-style cyber security response is muzzling our community,” Henderson said, referring to the repeated country-wide blocking of encrypted chat app WhatsApp in Brazil.