
Increasingly Clever Phishing Attacks like OAuth Are The New Normal

May 4, 2017 05:53:20 PM


In the past, an attacker looking to steal credentials would craft a convincing email and landing page that did not trigger any red flags for the user. Attackers could be certain that at least 11% of people, even those who’d had phishing awareness training, would click malicious email links. To push this percentage higher, attackers have evolved their phishing techniques, and OAuth is an important part of this evolution. The new approach makes it more challenging than ever for users to know when it is safe to click.

What is OAuth (Open Authorization)?

OAuth is a way for third-party applications to access a user’s information on sites like Google, Facebook, Twitter etc. without the user giving his/her password to the third-party website.

How does OAuth work?

Assume that a third-party application, e.g. EvilPhish, wants to connect to Gmail to access your contacts. The following is the sequence of steps that take place for the access grant to succeed:

1. EvilPhish first asks the user whether it may access his/her Gmail account
2. If the user consents to EvilPhish’s request, Gmail grants EvilPhish a token
3. With the token, EvilPhish is able to connect to Gmail and access the user’s contacts

OAuth and the Google Docs Phishing Attack

The recent Google Docs phishing campaign leveraged OAuth with the following workflow:

1. The victim receives an email with a link in the body that looks like the figure below:

(figure: the phishing email as seen by the victim)
2. The underlying link looks like the one in the image below, where the highlighted part is the malicious URL:

(figure: the underlying link with the malicious URL highlighted)
3. Clicking on the link, the user ends up at a Google page that asks whether he/she wants to “Allow” or “Deny” access to the third-party application.

4. If the user clicks Allow, he/she is redirected to the malicious website, and the third-party app is granted the following permissions:

  • Read
  • Send
  • Delete
  • Manage Email

While these permissions look suspicious, what makes this phish particularly convincing is the following:

1. The third-party application is called “Google Docs”
2. There is no landing page that prompts the user to enter their credentials
3. The attack relies completely on Google’s standard workflow for granting third-party apps permission
4. The email comes from someone in your contact list

Have you granted access to this app?

If you have granted access to this app, please note that Google worked very quickly to remediate this campaign. They not only took down the malicious URLs but also revoked this app’s permissions on all affected accounts.

What do I do to be more secure?

The following are some steps that you as a user can take to protect yourself from OAuth-specific phishing attacks:

1. Review any third-party apps that have access to your Gmail and other accounts.
2. Third-party applications request permissions to access a user’s data. Review these permissions carefully before allowing or denying access to the app requesting it.
3. Review the information about the developer of the app and the URL to which you are redirected, to see if something is off. For instance, one of the redirect URLs in this phishing attack is hxxps://googledocs.gdocs.download/g.php. It is easy to see that the URL is trying to impersonate a Google Docs page.
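The OAuth flow described earlier and the review steps above can be turned into a small check that a user, or a mail filter, can run over a consent link before anyone clicks Allow. This is an added example for this post, not Google’s code: it parses the authorization URL, lists the scopes requested, and flags a redirect host that borrows Google branding without being under google.com. The sample links are constructed (the client_id is a placeholder; the redirect host is the one named in the post).

```python
"""Review an OAuth consent link: which scopes it asks for and where it
sends the user after "Allow". Added example; not Google's own code."""
from urllib.parse import urlparse, parse_qs

# Real Google scope URIs that grant broad mailbox or contact control.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "read, send, delete and manage all email",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify email",
    "https://www.googleapis.com/auth/contacts": "read and write contacts",
}
# Brand strings that have no business in a non-Google redirect host.
BRAND_WORDS = ("google", "gdocs", "gmail")


def _refang(url: str) -> str:
    """Accept defanged links (hxxp/hxxps) as they appear in reports."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://")


def _impersonates_google(host: str) -> bool:
    """True if the host borrows Google branding but is not under google.com."""
    if host == "google.com" or host.endswith(".google.com"):
        return False
    return any(word in host for word in BRAND_WORDS)


def review_consent_link(url: str) -> dict:
    """Return requested scopes, redirect host, findings and an overall risk."""
    params = parse_qs(urlparse(_refang(url)).query)
    scopes = sorted({s for raw in params.get("scope", []) for s in raw.split()})
    redirect = _refang(params.get("redirect_uri", [""])[0])
    host = (urlparse(redirect).hostname or "").lower()
    findings = [f"scope {s} grants {HIGH_RISK_SCOPES[s]}"
                for s in scopes if s in HIGH_RISK_SCOPES]
    if _impersonates_google(host):
        findings.append(f"redirect host {host} imitates Google but is not google.com")
    return {"scopes": scopes, "redirect_host": host,
            "findings": findings, "risk": "high" if findings else "low"}


# Constructed sample shaped like the Google Docs campaign (placeholder client_id).
PHISH_LINK = ("https://accounts.google.com/o/oauth2/auth?client_id=CLIENT-ID-PLACEHOLDER"
              "&response_type=code&scope=https://mail.google.com/"
              "%20https://www.googleapis.com/auth/contacts"
              "&redirect_uri=hxxps://googledocs.gdocs.download/g.php")
# Constructed sample: a modest request from an app on its own domain.
BENIGN_LINK = ("https://accounts.google.com/o/oauth2/auth?client_id=CLIENT-ID-PLACEHOLDER"
               "&response_type=code&scope=https://www.googleapis.com/auth/userinfo.email"
               "&redirect_uri=https://app.example.com/oauth/callback")

if __name__ == "__main__":
    for link in (PHISH_LINK, BENIGN_LINK):
        report = review_consent_link(link)
        print(report["risk"], report["redirect_host"], *report["findings"], sep="\n  ")
```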

For more information about spear-phishing attacks, download our report.

Written by Greg Maudsley