Why OAuth Phishing Poses A New Threat to UsersCredential phishing lets attackers gain back-end access to email accounts, and yesterday's Google Docs scam raises the risk to a new level.
It's no secret that phishing attacks pose a constant threat to businesses. But a new tactic, recently seen in the cyber espionage campaign targeting Emmanuel Macron's presidential campaign in France and the Google Docs phishing scam circulating on the web on May 3, raise this threat to a new level.
A recent report by Trend Micro found the group behind many of the attacks (known as Pawn Storm, Fancy Bear, or APT28) was using an innovative type of credential phishing technique that takes advantage of the Open Authentication (OAuth) standard to gain back-end access to user email accounts. In its various campaigns, the group has used a number of fake add-on offers (such as for Google Defender, Google Scanner, and McAfee Email Protection) for popular email services including Gmail and Yahoo, in order to trick users into granting persistent access to their accounts. In the May 3 attack, hackers created a fake Google Doc app that exploits this same vulnerability.
This is a significant improvement in the traditional phishing lure. Because "OAuth phishing" avoids the typical red flags users have grown accustomed to with email phishing (that is, unfamiliar or spoofed URL link, sign-in request, or attached file), it is likely to have a higher rate of success and may even confound more experienced and competent users, such as upper management and those who have undergone security awareness training.
OAuth phishing exploits the trust relationship users have with well-known online service providers, as well as the trust relationship those providers have with their own third-party applications. By sending the target an OAuth permission request for an approved application, the attacker is able to bypass all of the traditional warning signs users have been trained to look for when opening emails. Therefore, the email redirects the user to a legitimate Web domain (example: accounts.google.com) that is hosted over an encrypted HTTPS connection. Additionally, there is no need for the user to enter a password because the app is using OAuth tokens instead.
Everything about this will look aboveboard to a person who doesn't have a background in security. Making matters worse, the attacker is able to maintain access to the user's email account even after multiple password resets, because the only way to expel him is to revoke access within the user's account settings.
There have been limited instances of OAuth phishing in the wild, outside of the Pawn Storm campaigns. However, this week’s Google Doc scam is a sign of things to come. Now that this advanced technique is becoming more widely understood, it is reasonable to assume that this tactic will be adopted by many other threat actors, because of the many advantages it offers the attacker.
[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.
For instance, one can quickly see how this technique would benefit those criminal groups behind the many "business email compromise" scams now underway, to say nothing of corporate IP theft, government monitoring of human rights groups, social media scams, identity theft, celebrity targeting, and so on. It's also possible attackers could deliver these rogue applications via "watering hole" sites (blog posts, reviews, news media) instead of email, particularly if the app provides some legitimate function.
Although online service providers can help to curtail this threat by adding tougher standards to their approval processes for third-party applications, businesses and security professionals can't depend on an improved vetting process to entirely eliminate this new risk. Given the complexity of vetting third-party applications (After all, malicious mobile apps continue to find their way into official app stores, despite roughly nine years of screening improvements.), and the sheer number of online platforms that accept OAuth tokenization, ranging from email to social media, e-commerce, entertainment, file hosting, project management tools, etc., it is unrealistic to assume this problem can be contained at the vendor level.
For this reason, businesses need to become more proactive at training employees while also limiting their exposure to phishing-based attacks.
Here are a few steps businesses should take to contain the threat:
- Incorporate OAuth phishing training into any/all security awareness programs.
- Update corporate policies to restrict what types of third-party applications may be added to any online service or tool that is linked to the company's information, accounts or network (example: Google, Microsoft, Dropbox, Basecamp, GitHub). However, rather than providing high-level guidance on this, be extremely specific—include a list of pre-approved applications and deny all others not on the list.
- Implement email whitelisting for executives and key employees.
- Include OAuth request audits into any current employee email monitoring program.
- Conduct regular audits of employees' work-related online accounts to check for rogue permission requests and purge any suspicious applications.
- Require employees to use file encryption tools to protect sensitive corporate information that is sent or stored in email.
- Establish a strong access control program, so that no single employee has too much access to corporate systems, accounts, data, or key personnel.
- Segment the network sufficiently to limit the lateral spread of attacks.
OAuth phishing is likely to pose a long-term challenge to businesses, and as such it will require a more robust security program to contain the threats posed by these more-sophisticated phishing emails.
Greg Martin is CEO of JASK (jask.ai), a Silicon Valley-based cybersecurity startup that has developed a unique enterprise security platform to dramatically improve situational awareness of cyberthreats. Martin is a former cybersecurity technical advisor to the FBI and Secret ... View Full Bio