{"id":7522,"date":"2017-05-03T16:00:13","date_gmt":"2017-05-04T00:00:13","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/05\/03\/news-1307\/"},"modified":"2017-05-03T16:00:13","modified_gmt":"2017-05-04T00:00:13","slug":"news-1307","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/05\/03\/news-1307\/","title":{"rendered":"OAuth Phishing On The Rise"},"content":{"rendered":"<p><strong>Credit to Author: Mark Nunnikhoven (Vice President, Cloud Research)| Date: Wed, 03 May 2017 22:59:29 +0000<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"169\" src=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-533992794-300x169.jpg\" class=\"webfeedsFeaturedVisual wp-post-image\" alt=\"\" style=\"float: left; margin-right: 5px;\" srcset=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-533992794-300x169.jpg 300w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-533992794-768x432.jpg 768w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-533992794-1024x576.jpg 1024w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-533992794-640x360.jpg 640w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-533992794-900x506.jpg 900w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-533992794-440x248.jpg 440w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-533992794-380x214.jpg 380w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-533992794.jpg 1280w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<p><span style=\"font-weight: 400\">Recently there was a significant volume of new phishing emails aimed at capturing access to Google accounts\u2026specifically your email and contacts. 
You can read more about it at<\/span><a href=\"https:\/\/www.theverge.com\/2017\/5\/3\/15534768\/google-docs-phishing-attack-share-this-document-with-you-spam\"> <span style=\"font-weight: 400\">The Verge<\/span><\/a><span style=\"font-weight: 400\">,<\/span><a href=\"https:\/\/qz.com\/975002\/dont-click-the-google-docs-link-in-that-suspicious-email-you-probably-just-got\/\"> <span style=\"font-weight: 400\">Quartz<\/span><\/a><span style=\"font-weight: 400\">, and<\/span><a href=\"https:\/\/arstechnica.com\/security\/2017\/05\/google-docs-phish-worm-grabs-your-google-app-permissions-contacts\/\"> <span style=\"font-weight: 400\">Ars Technica<\/span><\/a><span style=\"font-weight: 400\">. This phish is a great\u2014evil !?!\u2014example of a sophisticated attempt to gain access to a large number of users\u2019 accounts.<\/span><\/p>\n<p><span style=\"font-weight: 400\">In this attack, the victim is sent an email with a legitimate-looking \u201cOpen in Docs\u201d button. This button is a completely legitimate link to Google\u2019s OAuth service. The attacker has set up a malicious application that is designed to harvest access tokens to user accounts and spread the phishing attack to all of the user\u2019s contacts.<\/span><\/p>\n<h2><b>Technique Gaining Ground<\/b><\/h2>\n<p><span style=\"font-weight: 400\">This technique is extremely clever because there\u2019s no malicious payload in the email. The URL can\u2019t be blocked because it\u2019s a legitimate domain owned and controlled by Google. Defending against this attack relies entirely on the user.<\/span><\/p>\n<p>Unlike a typical phishing attack, where the goal is to compromise the user&#8217;s system, 
the goal here is to compromise their Google Account.<\/p>\n<p><span style=\"font-weight: 400\">We\u2019ve seen this technique used before by the group known as<\/span><a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cyber-attacks\/espionage-cyber-propaganda-two-years-of-pawn-storm\"> <span style=\"font-weight: 400\">Pawn Storm<\/span><\/a><span style=\"font-weight: 400\">. During that campaign, the attackers set up a malicious \u201cGoogle Defender\u201d application that promised to protect victims\u2019 accounts\u2026while doing quite the opposite!<\/span><\/p>\n<p><span style=\"font-weight: 400\">While unrelated, the Pawn Storm attack used the same legitimate OAuth connection to exploit the users\u2019 lack of knowledge of available services. When the attacker\u2019s target is your Google Account, these attacks are extremely difficult to prevent and detect.<\/span><\/p>\n<h2><b>Connecting Accounts Can Be Risky<\/b><\/h2>\n<p><span style=\"font-weight: 400\">This most recent campaign hid itself as \u201cGoogle Docs.\u201d Most users are unaware that the real Google Docs and Google Drive don\u2019t need OAuth access to your Google Account. As an integrated service, they use an alternative authorization mechanism (typically document by document or folder by folder) to request access.<\/span><\/p>\n<p><span style=\"font-weight: 400\">You can<\/span><a href=\"https:\/\/support.google.com\/docs\/answer\/2494822?co=GENIE.Platform%3DDesktop&amp;hl=en\"> <span style=\"font-weight: 400\">read more about sharing these documents<\/span><\/a><span style=\"font-weight: 400\"> on the Google support site.<\/span><\/p>\n<p><span style=\"font-weight: 400\">If you did authorize access to this application, you can remove the connection from your Google account with a couple of simple clicks. 
Simply visit<\/span><a href=\"https:\/\/profiles.google.com\/connectedaccounts\"> <span style=\"font-weight: 400\">https:\/\/profiles.google.com\/connectedaccounts<\/span><\/a><span style=\"font-weight: 400\">, find the listing for \u201cGoogle Docs,\u201d and click the \u201cRemove\u201d button.<\/span><\/p>\n<p><span style=\"font-weight: 400\">[ <\/span><strong><i>Update:<\/i><\/strong><span style=\"font-weight: 400\"> Thankfully Google was on top of the situation and has now blocked this application so no new connections can be made. Existing connections should also be removed now, but you\u2019ll want to check to make sure.]<\/span><\/p>\n<p><span style=\"font-weight: 400\">While you\u2019re on the page, you should review all of the other connections to your Google account. You might be surprised to find a number of older applications or other connections that you weren\u2019t aware of.<\/span><a href=\"http:\/\/www.itworldcanada.com\/blog\/watch-where-you-connect-your-accounts\/385031\"> <span style=\"font-weight: 400\">Third party account connections<\/span><\/a><span style=\"font-weight: 400\"> are a common attack vector that you can easily prevent by regularly reviewing them (that goes for your<\/span><a href=\"https:\/\/www.facebook.com\/help\/204306713029340\/\"> <span style=\"font-weight: 400\">Facebook<\/span><\/a><span style=\"font-weight: 400\">,<\/span><a href=\"https:\/\/support.twitter.com\/articles\/76052\"> <span style=\"font-weight: 400\">Twitter<\/span><\/a><span style=\"font-weight: 400\"> and<\/span><a href=\"https:\/\/www.linkedin.com\/secure\/settings?userAgree\"> <span style=\"font-weight: 400\">LinkedIn<\/span><\/a><span style=\"font-weight: 400\"> accounts as well).<\/span><\/p>\n<h2><b>User Education Is Critical<\/b><\/h2>\n<p><span style=\"font-weight: 400\">Phishing remains one of the top ways that attackers start their hacks. 
We continue to see new and innovative ways to trick users into taking actions that compromise their systems. When the attacker\u2019s goal is a public account (like Google, Facebook, Twitter, and LinkedIn), leveraging legitimate techniques like OAuth allows them to circumvent common defences. This leaves you relying purely on user education to remain protected.<\/span><\/p>\n<p><span style=\"font-weight: 400\">If you haven\u2019t already added a discussion around linking accounts to third parties into your security awareness training, now is the time. This isn\u2019t the first, nor will it be the last, attack to take advantage of legitimate OAuth flows to compromise user accounts.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Sharing our approach to user education and awareness helps improve everyone\u2019s security posture. Do you have a really good example or material that really resonates with users? Why not share it on Twitter? Reach out to me (<\/span><a href=\"https:\/\/twitter.com\/marknca\"><span style=\"font-weight: 400\">@marknca<\/span><\/a><span style=\"font-weight: 400\">) and I\u2019ll help get the message out.<\/span><\/p>\n<p><a href=\"http:\/\/blog.trendmicro.com\/oauth-phishing-rise\/\" target=\"bwo\" >http:\/\/feeds.trendmicro.com\/TrendMicroSimplySecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Mark Nunnikhoven (Vice President, Cloud Research)| Date: Wed, 03 May 2017 22:59:29 +0000<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"169\" src=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-533992794-300x169.jpg\" class=\"webfeedsFeaturedVisual wp-post-image\" alt=\"\" style=\"float: left; margin-right: 5px;\" srcset=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-533992794-300x169.jpg 300w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-533992794-768x432.jpg 768w, 
http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-533992794-1024x576.jpg 1024w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-533992794-640x360.jpg 640w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-533992794-900x506.jpg 900w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-533992794-440x248.jpg 440w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-533992794-380x214.jpg 380w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-533992794.jpg 1280w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/>Recently there was a significant volume of new phishing emails aimed at capturing access to Google accounts\u2026specifically your email and contacts. You can read more about it at The Verge, Quartz, and Ars Technica. This phish is a great\u2014evil !?!\u2014example of a sophisticated attempt to gain access to a large number of users accounts. In&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10413],"tags":[10422,4503,3924],"class_list":["post-7522","post","type-post","status-publish","format-standard","hentry","category-security","category-trendmicro","tag-current-news","tag-cybercrime","tag-phishing"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7522","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7522
"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7522\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7522"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7522"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7522"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}