Anurag Kahol, CTO at Bitglass looks at how the Google Docs attack was just the beginning of a new phase of phishing focused on the cloud.
The means by which hackers access user information have quickly evolved beyond traditional phishing emails. Phishing has always had the aim of baiting users to take an action or share a piece of sensitive information by appearing as a non-threat – but awareness has since grown. And so, traditional phishing techniques are being reshaped to include new vectors of attack such as spoofed cloud applications. These cloud-phishing attacks are far harder to detect and companies must adjust their security posture to compensate.
Phishing has evolved from a mundane threat to real danger
Traditional phishing was rather simplistic in execution and relied on the user’s lack of knowledge: for example, social engineering driven by phone calls and emails in which malicious actors posed as government agents or corporate customer service representatives. Many targets of these attacks would readily provide personal information to avoid the threat of legal action, penalties and account shutdowns.
There are two key reasons why traditional attacks have become less effective: advances in detection and the increase in awareness among the average user. On the detection front, major email providers have become much better at alerting users when a message is deemed suspicious or the source domain is not as it seems. On the user side, people are much more aware of what to look for in a traditional phishing attack, including bad spelling and grammar and strange email addresses.
Unprompted password reset emails, while once effective, no longer drive the same volume of user action and are often detected by spam filters. This has forced phishers to think outside the box and come up with much more sophisticated phishing techniques. Alongside this trend, the end goal of phishing attacks has also moved from simply trying to get financial or personal information out of a person, to now focusing much more on tricking users into disclosing valid credentials or granting access to accounts.
Anatomy of a modern phishing attack
The widely publicised Gmail phishing scam earlier this year is just one example of a modern phishing attack that affected users on a large scale. In this case, users were sent an email that appeared legitimate and directed them to an actual Google page. While most phishing scams rely on sending users to a malicious domain, this particular attack simply asked unsuspecting individuals to grant access permissions via Google to a malicious application. Hackers could then use this permission to see victims’ contacts, read their emails, have insight into the users’ locations, and see files created in G Suite.
The attack took advantage of the OAuth protocol, which Google uses to streamline authentication. Unlike traditional attacks, where the user would be sent to a spoofed website and asked to enter login information, the hackers knew that with OAuth in place, the user could grant them access to their personal information without even needing to re-enter their login details. The existence of such protocols makes it easier for users to allow access to third party applications, but in turn makes it easier for hackers to gain the same access without ever holding the credentials themselves.
The Gmail phishing attack shows us just how advanced these techniques have become – it was difficult for a user to detect and difficult for Google to prevent. A critical takeaway is that the attack was able to clear the psychological trust hurdle. Users were tricked into giving permissions to a third party application because they trusted it; they believed the application to be a Google-approved service. A very small change in how the application domain was disguised successfully convinced users that the application was trustworthy.
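The grant described above (a third-party app using a Google-looking name to obtain mail and contacts scopes) is something an administrator can hunt for in an OAuth token audit. The following is an added defensive example, not code from the article or from Google: it takes a constructed list of grants, assumes a hypothetical allow-list of vetted client IDs and list of impersonated app names, and flags every unvetted app that either borrows a first-party name or holds a sensitive scope. The scope URIs are real Google scopes; all client IDs and user names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

# Scopes that give an app the reach the Gmail attack obtained (real Google scope URIs).
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://www.googleapis.com/auth/drive",
}
# Hypothetical allow-list of OAuth client IDs the organisation has vetted (constructed values).
APPROVED_CLIENT_IDS = {"1234567890-vetted-crm.apps.googleusercontent.com"}
# Display names an attacker borrows to look like a Google-approved service.
IMPERSONATED_NAMES = {"google docs", "google drive", "gmail", "g suite"}

@dataclass
class Grant:
    user: str
    app_name: str
    client_id: str
    scopes: List[str]

def audit_grant(g: Grant) -> List[str]:
    """Return the indicators that make one OAuth grant suspicious (empty if none)."""
    reasons = []
    if g.client_id in APPROVED_CLIENT_IDS:
        return reasons  # vetted app: nothing to flag, whatever its name or scopes
    if g.app_name.strip().lower() in IMPERSONATED_NAMES:
        reasons.append("first-party app name on an unvetted client id")
    sensitive = sorted(set(g.scopes) & SENSITIVE_SCOPES)
    if sensitive:
        reasons.append("unvetted app holds sensitive scopes: " + ", ".join(sensitive))
    return reasons

def suspicious_grants(grants: List[Grant]) -> Dict[str, List[str]]:
    """Map 'user|app_name' to its reasons for every grant that should be reviewed."""
    return {f"{g.user}|{g.app_name}": r for g in grants if (r := audit_grant(g))}

# Constructed sample grants, in the shape an admin token-audit export might have.
SAMPLE_GRANTS = [
    Grant("alice@example.com", "Google Docs", "9876543210-lookalike.apps.googleusercontent.com",
          ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts.readonly"]),
    Grant("bob@example.com", "Vetted CRM", "1234567890-vetted-crm.apps.googleusercontent.com",
          ["https://www.googleapis.com/auth/contacts.readonly"]),
    Grant("carol@example.com", "Calendar Helper", "5550001111-helper.apps.googleusercontent.com",
          ["https://www.googleapis.com/auth/calendar.readonly"]),
]
```

Only Alice's grant is flagged: the lookalike "Google Docs" app is unvetted and holds both mail and contacts scopes, which is exactly the combination the attack relied on.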
The future of phishing
Modern phishing attacks are very well targeted, can be difficult to detect, and aim to grant malicious individuals broad permissions over user data, user devices, and online services. The days of basic phishing schemes have more or less passed. Attacks now rely on advanced forms of infiltration that better disguise malicious intent.
Computer-savvy individuals rarely fall foul of traditional phishing scams because they know how to detect malicious looking websites and badly written emails. Now, attackers are casting their phishing nets over a far broader swath of the population. In the Gmail attack, for example, professionals were willing to authenticate the third party application, even though they are likely well aware of what traditional phishing emails look like. More people are vulnerable to attacks that obfuscate their intention.
This is the future of phishing. Hackers continue to play on trust by creating malicious applications that masquerade as known apps, which users download and use. The ability to spoof cloud apps while masking the true identity of the sender in order to capture personal information is an alarming trend given the rapid increase of cloud adoption around the world. No doubt the current means of phishing user credentials will continue, and evolve. For example, trusted Wi-Fi hotspots are just one of many vectors of attack wherein individuals input their credentials and expect a secure service.
Preventing the next attack
Cloud service providers have already implemented a number of security features to proactively identify phishing attacks. Machine learning, improved email filtering, and malicious URL detection are just a handful of capabilities that keep users safe on the web. Some providers even warn users when replying to emails outside of their corporate domains, which is particularly important in an enterprise setting.
While cloud providers, as in the Gmail case, are quick to recognise large scale attacks and inform the public about the right precautions to take when opening shared files, many individuals and organisations are still subject to costly breaches brought about by phishing. Updating education around what to look for in these new-style attacks will continue to go a long way in protecting data. Organisations must also take a proactive approach to detecting cloud-phishing threats as they evolve.