Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

5/4/2017
11:30 AM
Greg Martin
Greg Martin
Commentary
Connect Directly
Twitter
LinkedIn
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Why OAuth Phishing Poses A New Threat to Users

Credential phishing lets attackers gain back-end access to email accounts, and yesterday's Google Docs scam raises the risk to a new level.

It's no secret that phishing attacks pose a constant threat to businesses. But a new tactic, recently seen in the cyber espionage campaign targeting Emmanuel Macron's presidential campaign in France and the Google Docs phishing scam circulating on the web on May 3, raise this threat to a new level.

A recent report by Trend Micro found the group behind many of the attacks (known as Pawn Storm, Fancy Bear, or APT28) was using an innovative type of credential phishing technique that takes advantage of the Open Authentication (OAuth) standard to gain back-end access to user email accounts. In its various campaigns, the group has used a number of fake add-on offers (such as for Google Defender, Google Scanner, and McAfee Email Protection) for popular email services including Gmail and Yahoo, in order to trick users into granting persistent access to their accounts. In the May 3 attack, hackers created a fake Google Doc app that exploits this same vulnerability.

This is a significant improvement in the traditional phishing lure. Because "OAuth phishing" avoids the typical red flags users have grown accustomed to with email phishing (that is, unfamiliar or spoofed URL link, sign-in request, or attached file), it is likely to have a higher rate of success and may even confound more experienced and competent users, such as upper management and those who have undergone security awareness training.

Misplaced Trust
OAuth phishing exploits the trust relationship users have with well-known online service providers, as well as the trust relationship those providers have with their own third-party applications. By sending the target an OAuth permission request for an approved application, the attacker is able to bypass all of the traditional warning signs users have been trained to look for when opening emails. Therefore, the email redirects the user to a legitimate Web domain (example: accounts.google.com) that is hosted over an encrypted HTTPS connection. Additionally, there is no need for the user to enter a password because the app is using OAuth tokens instead.

Everything about this will look aboveboard to a person who doesn't have a background in security. Making matters worse, the attacker is able to maintain access to the user's email account even after multiple password resets, because the only way to expel him is to revoke access within the user's account settings.

There have been limited instances of OAuth phishing in the wild, outside of the Pawn Storm campaigns. However, this week’s Google Doc scam is a sign of things to come. Now that this advanced technique is becoming more widely understood, it is reasonable to assume that this tactic will be adopted by many other threat actors, because of the many advantages it offers the attacker.

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.

For instance, one can quickly see how this technique would benefit those criminal groups behind the many "business email compromise" scams now underway, to say nothing of corporate IP theft, government monitoring of human rights groups, social media scams, identity theft, celebrity targeting, and so on. It's also possible attackers could deliver these rogue applications via "watering hole" sites (blog posts, reviews, news media) instead of email, particularly if the app provides some legitimate function.

Although online service providers can help to curtail this threat by adding tougher standards to their approval processes for third-party applications, businesses and security professionals can't depend on an improved vetting process to entirely eliminate this new risk. Given the complexity of vetting third-party applications (After all, malicious mobile apps continue to find their way into official app stores, despite roughly nine years of screening improvements.), and the sheer number of online platforms that accept OAuth tokenization, ranging from email to social media, e-commerce, entertainment, file hosting, project management tools, etc., it is unrealistic to assume this problem can be contained at the vendor level.

For this reason, businesses need to become more proactive at training employees while also limiting their exposure to phishing-based attacks.

Here are a few steps businesses should take to contain the threat:

  • Incorporate OAuth phishing training into any/all security awareness programs.
  • Update corporate policies to restrict what types of third-party applications may be added to any online service or tool that is linked to the company's information, accounts or network (example: Google, Microsoft, Dropbox, Basecamp, GitHub). However, rather than providing high-level guidance on this, be extremely specific—include a list of pre-approved applications and deny all others not on the list.
  • Implement email whitelisting for executives and key employees.
  • Include OAuth request audits into any current employee email monitoring program.
  • Conduct regular audits of employees' work-related online accounts to check for rogue permission requests and purge any suspicious applications.
  • Require employees to use file encryption tools to protect sensitive corporate information that is sent or stored in email.
  • Establish a strong access control program, so that no single employee has too much access to corporate systems, accounts, data, or key personnel.
  • Segment the network sufficiently to limit the lateral spread of attacks.

OAuth phishing is likely to pose a long-term challenge to businesses, and as such it will require a more robust security program to contain the threats posed by these more-sophisticated phishing emails.

Related Content:

Greg Martin is CEO of JASK (jask.ai), a Silicon Valley-based cybersecurity startup that has developed a unique enterprise security platform to dramatically improve situational awareness of cyberthreats. Martin is a former cybersecurity technical advisor to the FBI and Secret ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
5/8/2017 | 3:59:43 PM
Good case for Identity governance
This seems like a good case for Idenity Governance to monitor and control access, certify access through regurlar campaigns, idenity rogue and orphan accounts and revoke compromised accounts when needed.
Cloud Security Threats for 2021
Or Azarzar, CTO & Co-Founder of Lightspin,  12/3/2020
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Assessing Cybersecurity Risk in Todays Enterprises
Assessing Cybersecurity Risk in Todays Enterprises
COVID-19 has created a new IT paradigm in the enterprise and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27772
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in coders/bmp.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned int`. This would most likely lead to an impact to application availability, but could po...
CVE-2020-27773
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/gem-private.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned char` or division by zero. This would most likely lead to an impact to appli...
CVE-2020-28950
PUBLISHED: 2020-12-04
The installer of Kaspersky Anti-Ransomware Tool (KART) prior to KART 4.0 Patch C was vulnerable to a DLL hijacking attack that allowed an attacker to elevate privileges during installation process.
CVE-2020-27774
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/statistic.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of a too large shift for 64-bit type `ssize_t`. This would most likely lead to an impact to application availability, but co...
CVE-2020-27775
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/quantum.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type unsigned char. This would most likely lead to an impact to application availability, but c...