Endpoint
5/4/2017
11:30 AM
Greg Martin
Greg Martin
Commentary
Connect Directly
Twitter
LinkedIn
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Why OAuth Phishing Poses A New Threat to Users

Credential phishing lets attackers gain back-end access to email accounts, and yesterday's Google Docs scam raises the risk to a new level.

It's no secret that phishing attacks pose a constant threat to businesses. But a new tactic, recently seen in the cyber espionage campaign targeting Emmanuel Macron's presidential campaign in France and the Google Docs phishing scam circulating on the web on May 3, raise this threat to a new level.

A recent report by Trend Micro found the group behind many of the attacks (known as Pawn Storm, Fancy Bear, or APT28) was using an innovative type of credential phishing technique that takes advantage of the Open Authentication (OAuth) standard to gain back-end access to user email accounts. In its various campaigns, the group has used a number of fake add-on offers (such as for Google Defender, Google Scanner, and McAfee Email Protection) for popular email services including Gmail and Yahoo, in order to trick users into granting persistent access to their accounts. In the May 3 attack, hackers created a fake Google Doc app that exploits this same vulnerability.

This is a significant improvement in the traditional phishing lure. Because "OAuth phishing" avoids the typical red flags users have grown accustomed to with email phishing (that is, unfamiliar or spoofed URL link, sign-in request, or attached file), it is likely to have a higher rate of success and may even confound more experienced and competent users, such as upper management and those who have undergone security awareness training.

Misplaced Trust
OAuth phishing exploits the trust relationship users have with well-known online service providers, as well as the trust relationship those providers have with their own third-party applications. By sending the target an OAuth permission request for an approved application, the attacker is able to bypass all of the traditional warning signs users have been trained to look for when opening emails. Therefore, the email redirects the user to a legitimate Web domain (example: accounts.google.com) that is hosted over an encrypted HTTPS connection. Additionally, there is no need for the user to enter a password because the app is using OAuth tokens instead.

Everything about this will look aboveboard to a person who doesn't have a background in security. Making matters worse, the attacker is able to maintain access to the user's email account even after multiple password resets, because the only way to expel him is to revoke access within the user's account settings.

There have been limited instances of OAuth phishing in the wild, outside of the Pawn Storm campaigns. However, this week’s Google Doc scam is a sign of things to come. Now that this advanced technique is becoming more widely understood, it is reasonable to assume that this tactic will be adopted by many other threat actors, because of the many advantages it offers the attacker.

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.

For instance, one can quickly see how this technique would benefit those criminal groups behind the many "business email compromise" scams now underway, to say nothing of corporate IP theft, government monitoring of human rights groups, social media scams, identity theft, celebrity targeting, and so on. It's also possible attackers could deliver these rogue applications via "watering hole" sites (blog posts, reviews, news media) instead of email, particularly if the app provides some legitimate function.

Although online service providers can help to curtail this threat by adding tougher standards to their approval processes for third-party applications, businesses and security professionals can't depend on an improved vetting process to entirely eliminate this new risk. Given the complexity of vetting third-party applications (After all, malicious mobile apps continue to find their way into official app stores, despite roughly nine years of screening improvements.), and the sheer number of online platforms that accept OAuth tokenization, ranging from email to social media, e-commerce, entertainment, file hosting, project management tools, etc., it is unrealistic to assume this problem can be contained at the vendor level.

For this reason, businesses need to become more proactive at training employees while also limiting their exposure to phishing-based attacks.

Here are a few steps businesses should take to contain the threat:

  • Incorporate OAuth phishing training into any/all security awareness programs.
  • Update corporate policies to restrict what types of third-party applications may be added to any online service or tool that is linked to the company's information, accounts or network (example: Google, Microsoft, Dropbox, Basecamp, GitHub). However, rather than providing high-level guidance on this, be extremely specific—include a list of pre-approved applications and deny all others not on the list.
  • Implement email whitelisting for executives and key employees.
  • Include OAuth request audits into any current employee email monitoring program.
  • Conduct regular audits of employees' work-related online accounts to check for rogue permission requests and purge any suspicious applications.
  • Require employees to use file encryption tools to protect sensitive corporate information that is sent or stored in email.
  • Establish a strong access control program, so that no single employee has too much access to corporate systems, accounts, data, or key personnel.
  • Segment the network sufficiently to limit the lateral spread of attacks.

OAuth phishing is likely to pose a long-term challenge to businesses, and as such it will require a more robust security program to contain the threats posed by these more-sophisticated phishing emails.

Related Content:

Greg Martin is CEO of JASK (jask.ai), a Silicon Valley-based cybersecurity startup that has developed a unique enterprise security platform to dramatically improve situational awareness of cyberthreats. Martin is a former cybersecurity technical advisor to the FBI and Secret ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
5/8/2017 | 3:59:43 PM
Good case for Identity governance
This seems like a good case for Idenity Governance to monitor and control access, certify access through regurlar campaigns, idenity rogue and orphan accounts and revoke compromised accounts when needed.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.