Phishing (i.e., fake, malicious email) doesn’t always get a lot of respect. At a time when the world is focused on “zero days,” cyber “weapons” and “kinetic” cyber attacks on the power grid, the very concept of phishing emails seems decidedly old-fashioned, almost second-rate.
In reality, however, phishing continues to pose one of the top threats to businesses and consumers the world over.
And it’s about to get even worse.
On May 3, one million Gmail users were hit by a fake Google Docs share request from one of their contacts. On the surface, this might sound like just another phishing email, no big deal. In reality, this scam reflects a sophisticated new tactic now in use by criminal hackers that will have major repercussions for businesses the world over. In fact, it’s a technique that has already been perfected by the notorious Russian hacker group known as “Pawn Storm” (aka “Fancy Bear” or “APT28”), which has been accused of breaching the Democratic National Committee, the Hillary Clinton campaign and other high-profile targets.
Here is a quick rundown on what every business owner needs to know.
What makes this email scam significant?
The attack, called “OAuth phishing,” is a potential game-changer for phishing attacks because it is tough to detect, hard to fix and makes it easy for hackers to hijack online accounts.
It exploits a serious weakness in the internet standard known as Open Authorization, or OAuth, which is relied upon by many of the world’s top online service providers, including Google, Microsoft, Yahoo, Twitter, Facebook, etc. Because of this, even if companies try to block specific attacks that abuse OAuth permissions -- like Google did with the May 3 Google Docs scam -- it doesn’t really fix the overall problem, and similar attacks can resurface over and over again.
Cybercriminals will use OAuth phishing to take over employee email accounts and then spread to other accounts, such as banking, accounting/payroll systems, cloud storage, client network logins, etc. Even if the victim resets the password, the hacker will be able to stay inside the account. The hacker can also bypass two-factor authentication protections.
Businesses should expect to see a wave of OAuth phishing attacks in the coming months and years.
What is OAuth?
Without getting too technical, OAuth is a way for Internet users to add third-party apps to existing online services (like Google, Facebook and Twitter) without having to share a password. In place of this password, the user agrees to the app’s permission request(s), which then gives it an OAuth token it can use to access all or parts of the user’s account.
Here are some examples of these OAuth permissions with popular services.
What happened with this attack?
The problem with OAuth is that it’s not always easy for a service provider to tell if the apps within its ecosystem are 100 percent legitimate and safe. Therein lies the problem, because if a hacker can trick Google, Yahoo, Facebook, Twitter or other services into accepting a malicious app, he can exploit this trust relationship and hijack personal accounts.
This is the essence of OAuth phishing -- tricking a service provider into accepting an app, then persuading Joe Schmo consumer to grant it account access.
The way this is likely to work is the hacker will send a fake email notice in the form of a security alert, account update or new service offering, that purportedly comes from one of the above-listed service providers. If the user clicks to accept this request, he or she will then be redirected to the service provider’s actual website (such as accounts.google.com or api.login.yahoo.com) to complete the authorization process. Notice how this is different from a traditional phishing scheme: Instead of being redirected to a fake URL, the victim is sent to a real website where the attack takes place. This makes it hard for average people to realize they’re being scammed. (To better understand what these requests look like, see these write-ups by Trend Micro and CSO.)
Once an individual has accepted the permission requests of a malicious app, the hacker is inside that account and will likely have full control. Since the OAuth token bypasses the need for a password, resetting the password after falling for this type of phishing email won’t do any good. The person will have to go into their account settings and manually revoke access for the app -- but by that point it may be too late.
Here are a few tip-offs it’s a hack.
Although this is a sophisticated attack, there are three types of tell-tale signs to look for.
The first is a suspicious email address. Look to see if the sender’s email points to an unfamiliar domain. The key is to look at what comes after the @ symbol. For example, one impostor Google app used “firstname.lastname@example.org.” However, hackers are also able to spoof emails so that they appear to come from a corporation, such as “email@example.com.” Check the full email header to be sure it’s real. Hackers could make other slip-ups too. For example, in the Google Docs scam hackers inserted “firstname.lastname@example.org” into the “To” field, and BCC’ed the actual person receiving the email, both of which should have been dead giveaways.
Next, inspect the language used in the email notice. Are there any spelling or grammatical errors? Does it sound like it was written by a non-native English speaker?
Lastly, how much access is the app requesting? A legitimate app will seek some access, like the user’s contacts or email address, but if it’s asking for “full access” or administrative rights to the account (e.g., “view and manage your email”) that should raise alarms. One good thing about OAuth attacks is that the hacker can’t hide the permission requests; this gives the user one last chance to hit the brakes before it’s too late.
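The permission check above can be automated for a security team that triages reported emails. The following is an added example, not code from the article or from Google: it pulls apart the OAuth consent link embedded in a message and flags broad scopes and an unfamiliar app host. The sample link, its client ID and the app hostname are constructed placeholders; the scope strings are Google's real scope identifiers.

```python
from urllib.parse import urlparse, parse_qs

# Google scopes that hand an app broad control of the account, i.e. the
# "view and manage your email" class of request the article warns about.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "read, send and delete all Gmail mail",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify Gmail mail",
    "https://www.googleapis.com/auth/drive": "full access to Drive files",
    "https://www.googleapis.com/auth/contacts": "read and write contacts",
}
# Narrow scopes a legitimate app commonly asks for (identity, read-only contacts).
LOW_RISK_SCOPES = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/contacts.readonly",
}
REAL_AUTH_HOSTS = {"accounts.google.com"}

def parse_consent_link(url):
    """Break an OAuth authorization link into the fields worth inspecting."""
    parts = urlparse(url)
    q = parse_qs(parts.query)
    redirect = urlparse(q.get("redirect_uri", [""])[0]).hostname or ""
    return {"auth_host": parts.hostname or "", "client_id": q.get("client_id", [""])[0],
            "scopes": q.get("scope", [""])[0].split(), "redirect_host": redirect}

def assess_consent_link(url, known_app_hosts=()):
    """Return (verdict, reasons): 'block' for a fake auth host or a broad scope,
    'review' when something else needs a human look, 'ok' otherwise."""
    info, reasons, severe = parse_consent_link(url), [], False
    if info["auth_host"] not in REAL_AUTH_HOSTS:
        reasons.append(f"authorization host {info['auth_host']!r} is not Google's")
        severe = True
    for s in info["scopes"]:
        if s in HIGH_RISK_SCOPES:
            reasons.append(f"scope {s} grants {HIGH_RISK_SCOPES[s]}")
            severe = True
        elif s not in LOW_RISK_SCOPES:
            reasons.append(f"unrecognised scope {s}; look it up before approving")
    # redirect_uri is where the token is delivered, so it reveals the app's real home
    if info["redirect_host"] and info["redirect_host"] not in known_app_hosts:
        reasons.append(f"token goes to unfamiliar app host {info['redirect_host']!r}")
    return ("block" if severe else "review" if reasons else "ok"), reasons

# Constructed sample: the auth host is Google's real endpoint, as in the Docs scam;
# the tell is the full-mailbox scope and the unknown redirect host.
SAMPLE_LINK = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=PLACEHOLDER_CLIENT_ID"
    "&response_type=code&redirect_uri=https%3A%2F%2Fdocs-share.invalid%2Fcallback"
    "&scope=https%3A%2F%2Fmail.google.com%2F%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly"
)
```

Running `assess_consent_link(SAMPLE_LINK)` returns `"block"` with the reasons listed, while an `openid email` request from a redirect host on the allow list returns `"ok"`.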
How can businesses control the damage?
No business is able to prevent phishing attacks every single time, particularly when they are as advanced as the OAuth attack. It’s therefore critical to have a good incident response plan, in addition to preventive security like firewalls, antivirus and email whitelisting.
If an employee falls victim to an OAuth attack, the company should immediately revoke access for that fake app and check to see if the hacker was able to leverage it to get into any other accounts. Check every single account linked to the compromised email and revoke any permission requests, reset passwords and monitor the accounts closely for months afterward. Conduct a thorough examination of the affected employee’s devices to see if malware or remote access tools were installed. Finally, check to see if phishing emails were sent to other employees via the hacked email account.
Businesses also need to prevent a single employee from having too much access to sensitive information, accounts or systems. Segment the network as well to prevent a hacker or malware from spreading throughout a company after one employee is breached. Both of these measures will limit the potential fallout of any successful attack.
Phishing attacks will continue to evolve over the coming years, so businesses have to develop a defense-in-depth approach that focuses equally on prevention and containment.