In the past, an attacker looking to steal credentials would craft a convincing email and landing page that did not raise any red flags for the user. Attackers could be certain that at least 11% of people, even those who had received phishing awareness training, would click malicious email links. To push this percentage higher, attackers have evolved their phishing techniques, and OAuth is an important part of this evolution. This new approach makes it more challenging than ever for users to know when it is safe to click.
What is OAuth (Open Authorization)?
OAuth is a way for third-party applications to access a user's information on sites like Google, Facebook and Twitter without the user giving his/her password to the third-party website.
How does OAuth work?
Assume that a third-party application, e.g. EvilPhish, wants to connect to Gmail to access your contacts. The following sequence of steps takes place for access to be granted:
1. EvilPhish first asks the user whether it may access his/her Gmail account
2. If the user consents to EvilPhish's request, Gmail grants EvilPhish a token
3. With the token, EvilPhish is able to connect to Gmail and access the user's contacts
OAuth and the Google Docs Phishing Attack
The recent Google Docs phishing campaign leveraged OAuth with the following workflow:
1. The victim receives an email with a link in the body, which looks like the figure below:
2. The underlying link looks like the link in the image below, where the highlighted part is the malicious URL
3. Clicking on the link, the user ends up at a Google page that asks whether he/she wants to “Allow” or “Deny” access to the third-party application.
4. If the user clicks Allow, he/she is redirected to the malicious website, and the third-party app is granted the following permissions:
- Manage Email
While these permissions look suspicious, what makes this phish particularly convincing is the following:
1. The third-party application is called “Google Docs”
2. There are no landing pages that prompt the user to enter their credentials
3. The attack relies entirely on Google's standard workflow for granting third-party apps permission
4. The email comes from someone in your contact list
Have you granted access to this app?
If you have granted access to this app, please note that Google worked very quickly to remediate this campaign. They not only took down the malicious URLs but also revoked this app's permissions from all accounts.
What do I do to be more secure?
The following are some steps that you as a user can take to protect yourself from OAuth-specific phishing attacks:
1. Review any third-party apps that have access to your Gmail and other accounts
2. Third-party applications request permissions to access a user's data. Review these permissions carefully before allowing or denying access to the requesting app.
3. Review the information about the app's developer and the URL to which you are redirected, to see if something is off. For instance, one of the redirect URLs in this phishing attack is hxxps://googledocs.gdocs.download/g.php. It is easy to see that the URL is trying to impersonate a Google Docs page.
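The three checks above (who hosts the consent page, where the app redirects the browser, and which permissions it asks for) can be automated for links pulled from email. The following is an added example, not code from the original post: it parses an OAuth authorization URL and reports findings. The consent host, Google-owned domains, brand words and high-risk scope fragments are assumptions chosen for this illustration, and the sample URL is constructed, reusing the post's defanged redirect domain with a placeholder client_id.

```python
# Added example (not from the original post): triage an OAuth consent link
# from an email against the three things the post says to review, namely who
# hosts the consent page, where the app redirects, and which scopes it asks for.
from urllib.parse import urlparse, parse_qs

GOOGLE_CONSENT_HOSTS = {"accounts.google.com"}
GOOGLE_OWNED = {"google.com", "googleapis.com", "googleusercontent.com"}
BRAND_WORDS = ("google", "gdocs", "gmail", "docs")   # lookalike markers
HIGH_RISK_SCOPES = ("mail.google.com", "gmail", "contacts")  # "Manage Email" class

def registrable_domain(host):
    """Crude eTLD+1 (last two labels); sufficient for the domains checked here."""
    return ".".join(host.lower().split(".")[-2:])

def triage_oauth_link(url):
    """Return (severity, message) findings for an OAuth authorization URL."""
    findings = []
    u = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    if (u.hostname or "") not in GOOGLE_CONSENT_HOSTS:
        findings.append(("warn", f"consent page not hosted by Google: {u.hostname}"))
    rhost = urlparse(params.get("redirect_uri", "")).hostname or ""
    if rhost and registrable_domain(rhost) not in GOOGLE_OWNED:
        # Any third-party app redirects off Google; on its own that is normal.
        findings.append(("info", f"token goes to third party at {rhost}"))
        if any(w in rhost.lower() for w in BRAND_WORDS):
            findings.append(("warn", f"redirect host imitates a Google brand: {rhost}"))
    for scope in params.get("scope", "").split():
        if any(s in scope.lower() for s in HIGH_RISK_SCOPES):
            findings.append(("warn", f"high-risk scope requested: {scope}"))
    return findings

# Constructed sample modelled on the campaign: Google's real consent page, but
# redirect_uri is the post's (defanged) lookalike domain and the scopes grant
# full mailbox plus contacts access. The client_id is a placeholder.
SAMPLE_PHISH = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=PLACEHOLDER-CLIENT-ID"
    "&redirect_uri=hxxps%3A%2F%2Fgoogledocs.gdocs.download%2Fg.php"
    "&scope=https%3A%2F%2Fmail.google.com%2F"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts&response_type=code"
)

if __name__ == "__main__":
    for severity, msg in triage_oauth_link(SAMPLE_PHISH):
        print(f"[{severity}] {msg}")
```

A legitimate third-party app also produces the "info" line, so the "warn" findings (lookalike redirect host, mailbox or contacts scopes, consent page off Google) are what should drive a closer look.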
For more information about spear-phishing attacks, download our report.