Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

5/4/2017
11:30 AM
Greg Martin
Greg Martin
Commentary
Connect Directly
Twitter
LinkedIn
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Why OAuth Phishing Poses A New Threat to Users

Credential phishing lets attackers gain back-end access to email accounts, and yesterday's Google Docs scam raises the risk to a new level.

It's no secret that phishing attacks pose a constant threat to businesses. But a new tactic, recently seen in the cyber espionage campaign targeting Emmanuel Macron's presidential campaign in France and the Google Docs phishing scam circulating on the web on May 3, raise this threat to a new level.

A recent report by Trend Micro found the group behind many of the attacks (known as Pawn Storm, Fancy Bear, or APT28) was using an innovative type of credential phishing technique that takes advantage of the Open Authentication (OAuth) standard to gain back-end access to user email accounts. In its various campaigns, the group has used a number of fake add-on offers (such as for Google Defender, Google Scanner, and McAfee Email Protection) for popular email services including Gmail and Yahoo, in order to trick users into granting persistent access to their accounts. In the May 3 attack, hackers created a fake Google Doc app that exploits this same vulnerability.

This is a significant improvement in the traditional phishing lure. Because "OAuth phishing" avoids the typical red flags users have grown accustomed to with email phishing (that is, unfamiliar or spoofed URL link, sign-in request, or attached file), it is likely to have a higher rate of success and may even confound more experienced and competent users, such as upper management and those who have undergone security awareness training.

Misplaced Trust
OAuth phishing exploits the trust relationship users have with well-known online service providers, as well as the trust relationship those providers have with their own third-party applications. By sending the target an OAuth permission request for an approved application, the attacker is able to bypass all of the traditional warning signs users have been trained to look for when opening emails. Therefore, the email redirects the user to a legitimate Web domain (example: accounts.google.com) that is hosted over an encrypted HTTPS connection. Additionally, there is no need for the user to enter a password because the app is using OAuth tokens instead.

Everything about this will look aboveboard to a person who doesn't have a background in security. Making matters worse, the attacker is able to maintain access to the user's email account even after multiple password resets, because the only way to expel him is to revoke access within the user's account settings.

There have been limited instances of OAuth phishing in the wild, outside of the Pawn Storm campaigns. However, this week’s Google Doc scam is a sign of things to come. Now that this advanced technique is becoming more widely understood, it is reasonable to assume that this tactic will be adopted by many other threat actors, because of the many advantages it offers the attacker.

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.

For instance, one can quickly see how this technique would benefit those criminal groups behind the many "business email compromise" scams now underway, to say nothing of corporate IP theft, government monitoring of human rights groups, social media scams, identity theft, celebrity targeting, and so on. It's also possible attackers could deliver these rogue applications via "watering hole" sites (blog posts, reviews, news media) instead of email, particularly if the app provides some legitimate function.

Although online service providers can help to curtail this threat by adding tougher standards to their approval processes for third-party applications, businesses and security professionals can't depend on an improved vetting process to entirely eliminate this new risk. Given the complexity of vetting third-party applications (After all, malicious mobile apps continue to find their way into official app stores, despite roughly nine years of screening improvements.), and the sheer number of online platforms that accept OAuth tokenization, ranging from email to social media, e-commerce, entertainment, file hosting, project management tools, etc., it is unrealistic to assume this problem can be contained at the vendor level.

For this reason, businesses need to become more proactive at training employees while also limiting their exposure to phishing-based attacks.

Here are a few steps businesses should take to contain the threat:

  • Incorporate OAuth phishing training into any/all security awareness programs.
  • Update corporate policies to restrict what types of third-party applications may be added to any online service or tool that is linked to the company's information, accounts or network (example: Google, Microsoft, Dropbox, Basecamp, GitHub). However, rather than providing high-level guidance on this, be extremely specific—include a list of pre-approved applications and deny all others not on the list.
  • Implement email whitelisting for executives and key employees.
  • Include OAuth request audits into any current employee email monitoring program.
  • Conduct regular audits of employees' work-related online accounts to check for rogue permission requests and purge any suspicious applications.
  • Require employees to use file encryption tools to protect sensitive corporate information that is sent or stored in email.
  • Establish a strong access control program, so that no single employee has too much access to corporate systems, accounts, data, or key personnel.
  • Segment the network sufficiently to limit the lateral spread of attacks.

OAuth phishing is likely to pose a long-term challenge to businesses, and as such it will require a more robust security program to contain the threats posed by these more-sophisticated phishing emails.

Related Content:

Greg Martin is CEO of JASK (jask.ai), a Silicon Valley-based cybersecurity startup that has developed a unique enterprise security platform to dramatically improve situational awareness of cyberthreats. Martin is a former cybersecurity technical advisor to the FBI and Secret ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
5/8/2017 | 3:59:43 PM
Good case for Identity governance
This seems like a good case for Idenity Governance to monitor and control access, certify access through regurlar campaigns, idenity rogue and orphan accounts and revoke compromised accounts when needed.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Latest Comment: Exactly
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11856
PUBLISHED: 2020-09-22
Arbitrary code execution vulnerability on Micro Focus Operation Bridge Reporter, affecting version 10.40 and earlier. The vulnerability could allow remote attackers to execute arbitrary code on affected installations of OBR.
CVE-2020-16202
PUBLISHED: 2020-09-22
WebAccess Node (All versions prior to 9.0.1) has incorrect permissions set for resources used by specific services, which may allow code execution with system privileges.
CVE-2020-24333
PUBLISHED: 2020-09-22
A vulnerability in Arista’s CloudVision Portal (CVP) prior to 2020.2 allows users with “read-only� or greater access rights to the Configlet Management module to download files not intended for access, located on the CVP server, by accessing ...
CVE-2020-4619
PUBLISHED: 2020-09-22
IBM Data Risk Manager (iDNA) 2.0.6 stores user credentials in plain in clear text which can be read by an authenticated user. IBM X-Force ID: 184976.
CVE-2020-4620
PUBLISHED: 2020-09-22
IBM Data Risk Manager (iDNA) 2.0.6 could allow a remote authenticated attacker to upload arbitrary files, caused by the improper validation of file extensions. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious file, which could allo...