Endpoint

5/4/2017
11:30 AM
Greg Martin
Greg Martin
Commentary
Connect Directly
Twitter
LinkedIn
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Why OAuth Phishing Poses A New Threat to Users

Credential phishing lets attackers gain back-end access to email accounts, and yesterday's Google Docs scam raises the risk to a new level.

It's no secret that phishing attacks pose a constant threat to businesses. But a new tactic, recently seen in the cyber espionage campaign targeting Emmanuel Macron's presidential campaign in France and the Google Docs phishing scam circulating on the web on May 3, raise this threat to a new level.

A recent report by Trend Micro found the group behind many of the attacks (known as Pawn Storm, Fancy Bear, or APT28) was using an innovative type of credential phishing technique that takes advantage of the Open Authentication (OAuth) standard to gain back-end access to user email accounts. In its various campaigns, the group has used a number of fake add-on offers (such as for Google Defender, Google Scanner, and McAfee Email Protection) for popular email services including Gmail and Yahoo, in order to trick users into granting persistent access to their accounts. In the May 3 attack, hackers created a fake Google Doc app that exploits this same vulnerability.

This is a significant improvement in the traditional phishing lure. Because "OAuth phishing" avoids the typical red flags users have grown accustomed to with email phishing (that is, unfamiliar or spoofed URL link, sign-in request, or attached file), it is likely to have a higher rate of success and may even confound more experienced and competent users, such as upper management and those who have undergone security awareness training.

Misplaced Trust
OAuth phishing exploits the trust relationship users have with well-known online service providers, as well as the trust relationship those providers have with their own third-party applications. By sending the target an OAuth permission request for an approved application, the attacker is able to bypass all of the traditional warning signs users have been trained to look for when opening emails. Therefore, the email redirects the user to a legitimate Web domain (example: accounts.google.com) that is hosted over an encrypted HTTPS connection. Additionally, there is no need for the user to enter a password because the app is using OAuth tokens instead.

Everything about this will look aboveboard to a person who doesn't have a background in security. Making matters worse, the attacker is able to maintain access to the user's email account even after multiple password resets, because the only way to expel him is to revoke access within the user's account settings.

There have been limited instances of OAuth phishing in the wild, outside of the Pawn Storm campaigns. However, this week’s Google Doc scam is a sign of things to come. Now that this advanced technique is becoming more widely understood, it is reasonable to assume that this tactic will be adopted by many other threat actors, because of the many advantages it offers the attacker.

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.

For instance, one can quickly see how this technique would benefit those criminal groups behind the many "business email compromise" scams now underway, to say nothing of corporate IP theft, government monitoring of human rights groups, social media scams, identity theft, celebrity targeting, and so on. It's also possible attackers could deliver these rogue applications via "watering hole" sites (blog posts, reviews, news media) instead of email, particularly if the app provides some legitimate function.

Although online service providers can help to curtail this threat by adding tougher standards to their approval processes for third-party applications, businesses and security professionals can't depend on an improved vetting process to entirely eliminate this new risk. Given the complexity of vetting third-party applications (After all, malicious mobile apps continue to find their way into official app stores, despite roughly nine years of screening improvements.), and the sheer number of online platforms that accept OAuth tokenization, ranging from email to social media, e-commerce, entertainment, file hosting, project management tools, etc., it is unrealistic to assume this problem can be contained at the vendor level.

For this reason, businesses need to become more proactive at training employees while also limiting their exposure to phishing-based attacks.

Here are a few steps businesses should take to contain the threat:

  • Incorporate OAuth phishing training into any/all security awareness programs.
  • Update corporate policies to restrict what types of third-party applications may be added to any online service or tool that is linked to the company's information, accounts or network (example: Google, Microsoft, Dropbox, Basecamp, GitHub). However, rather than providing high-level guidance on this, be extremely specific—include a list of pre-approved applications and deny all others not on the list.
  • Implement email whitelisting for executives and key employees.
  • Include OAuth request audits into any current employee email monitoring program.
  • Conduct regular audits of employees' work-related online accounts to check for rogue permission requests and purge any suspicious applications.
  • Require employees to use file encryption tools to protect sensitive corporate information that is sent or stored in email.
  • Establish a strong access control program, so that no single employee has too much access to corporate systems, accounts, data, or key personnel.
  • Segment the network sufficiently to limit the lateral spread of attacks.

OAuth phishing is likely to pose a long-term challenge to businesses, and as such it will require a more robust security program to contain the threats posed by these more-sophisticated phishing emails.

Related Content:

Greg Martin is CEO of JASK (jask.ai), a Silicon Valley-based cybersecurity startup that has developed a unique enterprise security platform to dramatically improve situational awareness of cyberthreats. Martin is a former cybersecurity technical advisor to the FBI and Secret ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
5/8/2017 | 3:59:43 PM
Good case for Identity governance
This seems like a good case for Idenity Governance to monitor and control access, certify access through regurlar campaigns, idenity rogue and orphan accounts and revoke compromised accounts when needed.
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
6 Reasons Why Employees Violate Security Policies
Ericka Chickowski, Contributing Writer, Dark Reading,  10/16/2018
Getting Up to Speed with "Always-On SSL"
Tim Callan, Senior Fellow, Comodo CA,  10/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Latest Comment: Too funny!
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.