Vanity links created by companies to add their brand to well-known cloud services could become a useful vector for phishing attacks and a way to better fool victims, researchers warn.
Cloud services that don't check whether subdomains have been modified could allow links that appear to be from "varonis.box.com" or "apple.zoom.us" — two examples used in an advisory from data-protection firm Varonis on Wednesday. In the case of Box.com, that could lead to a malicious document; in the case of Zoom, that could mean a webinar that collects information and is unrelated to the cited brand. The problems occurs when a cloud service allows a vanity subdomain, but does not validate the subdomain or use the subdomain to provide services.
Varonis notified Box.com and Zoom of the issue — along with Google, whose links to Google Docs could be spoofed — more than six months ago, and the problems are mostly fixed, the company stated. However, the problem likely exists for other services, says Or Emanuel, director of research and security for Varonis.
"We think it is more than just those three SaaS services," he says, adding that attackers can also use the predictability of the subdomains to select potential victims. "Because of the vanity URLs, it makes it very easy for threat actors to scan all the subdomains of all the big Fortune companies with different cloud providers," he says.
Hiding malicious code and phishing sites behind what appears to be well-known brands is a key way for attackers to fool victims into trusting fraudulent e-mail messages and links to websites. In 2019, for example, three-quarters of companies discovered that lookalike domains had been established by a third party using a non-.COM top-level domain. Because of the expansion of top-level domains, phishers and fraudsters have a broader selection of potential domains, while companies have to consider purchasing a broad swath of domains to adequately protect their intellectual property and brand.
Varonis's research examines the problem from the other direction. Rather than looking at the top-level domains, the company's researchers investigated ways of abusing the subdomains that many cloud service providers allow their customers to use.
"Not only do vanity URLs feel more professional, but they also provide a sense of security for end-users," Varonis stated in the advisory. "Most people are likelier to trust a link at varonis.box.com than a generic app.box.com link. However, if someone can spoof that subdomain, then trusting the vanity URL can backfire."
Social Engineering With Zoom
A software-as-a-service (SaaS) application is vulnerable to the attack when a customer is allowed to use their brand as the subdomain, such as varonis.zoom.us, but at the point where the link is sent to a third party — such as participants in a conference call or webinar — the subdomain is no longer checked. In the case of Zoom's service, attackers could create a webinar that asks registrants a variety of questions useful for social engineering, rebrand the webinar as a popular company, and then change the resulting URL to the targeted company's brand. The original domain — attacker.zoom.us, for example — could be changed to varonis.zoom.us without any impact on the functionality of the link.
A properly branded page could fool a victim into giving information, especially when the subdomain indicates the host is a well-known company. In the case of Box.com, a link such as app.box.com/f/abcd1234 could be changed to varonis.app.box.com/f/abcd1234 to appear to be an official form collecting information, but actually send the information to the attacker.
"The more interesting attacks from a data protection standpoint are when you have forms for registration or file-sharing requests," Emanuel says. "When the threat actor controls these pages, they can ask for any information they want, and it seems totally legit. It's really hard to determine that it's not a page that the company owns."
Such social engineering becomes useful in phishing attacks, as well as for convincing people to click on links or download untrusted files. In 2021, losses from cybercrime including phishing attacks reached nearly $7 billion, according to the FBI's annual Internet Crime Complaint Center (IC3) report. Phishing accounted for about 38% of the more than 847,000 crimes reported to the IC3.
Cloud providers should ensure that any customization of the URL is validated by the encoding in the link, Emanuel says. Box.com and Google have both fixed the issues, although the bugs still exist for Google Forms and Google Docs, when using the "Publish to the web" feature, according to Varonis. Zoom will warn users when the subdomain has been changed. “We have addressed this issue by warning users if they are being redirected to a different subdomain," a company spokesperson said.
In addition, users should always be skeptical of links, especially if the linked page requests too much information or leads to other links or files.
"We recommend educating your coworkers about the risk associated with clicking on such links and especially submitting PII and other sensitive information via forms, even if they appear to be hosted by your company’s sanctioned SaaS accounts," Varonis stated in the advisory.