OAuth Phishing On The Rise

  • Posted on:May 3, 2017
  • Posted in:Current News
  • Posted by:
    Mark Nunnikhoven (Vice President, Cloud Research)

Recently there was a significant volume of new phishing emails aimed at capturing access to Google accounts, specifically your email and contacts. You can read more about it at The Verge, Quartz, and Ars Technica. This phish is a clever, if malicious, example of a sophisticated attempt to gain access to a large number of users' accounts.

In this attack, the victim is sent an email with a legitimate looking "Open in Docs" button. This button is a completely legitimate link to Google's OAuth consent page. What the page asks the victim to authorize, however, is a malicious application registered by the attacker. Once the victim clicks "Allow", that application receives an OAuth access token for the account; the attacker uses it to harvest the user's email and contacts and to send the same phishing email on to every one of those contacts.

Technique Gaining Ground

This technique is extremely clever because there's no malicious payload in the email and nothing attacker-controlled to block: the link points at Google's own OAuth domain, which is legitimate and owned and controlled by Google. The victim never types a password into an attacker's page; they simply click "Allow" on a real Google consent screen. Defending against this attack relies entirely on the user declining that prompt.

Unlike a typical phishing attack, where the goal is to compromise the user's system, the goal here is to compromise their Google Account itself, by obtaining an authorization grant to it.
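Because the link really does go to Google, the useful signals are the OAuth request parameters rather than the domain: which `client_id` is asking, which `scope`s it wants, and where the grant is sent back (`redirect_uri`). The triage script below is an added example, not code from the original post or from Trend Micro; it parses a consent link the way a mail-security filter could and flags requests for mailbox or contacts scopes from an application that has not been vetted. The sample links, the `client_id` values and the allowlist are constructed placeholders, not identifiers from any real campaign.

```python
"""Triage Google OAuth consent links found in e-mail.

Added example (not from the original post). A domain blocklist cannot catch
this phish because the consent link points at Google's own authorization
endpoint. What distinguishes the worm from a benign integration is the
application (client_id) requesting access and the scopes it asks for.
"""
from urllib.parse import urlparse, parse_qs

# Google's OAuth 2.0 authorization endpoint host and paths. The phish uses
# exactly these, which is why URL filtering alone does not help.
GOOGLE_AUTH_HOSTS = {"accounts.google.com"}
GOOGLE_AUTH_PATHS = {"/o/oauth2/auth", "/o/oauth2/v2/auth"}

# Google's published scope URIs that hand an app the whole mailbox or
# address book. These are the scopes the campaign described above needs.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://www.google.com/m8/feeds",
}

# Hypothetical allowlist of OAuth client_ids the organisation has vetted
# (placeholder value, constructed for this example).
KNOWN_CLIENT_IDS = {"123456789012-vettedapp.apps.googleusercontent.com"}


def parse_consent_url(url):
    """Return the security-relevant fields of a Google OAuth consent URL,
    or None if the URL is not a consent request at all."""
    u = urlparse(url)
    if u.scheme != "https" or u.hostname not in GOOGLE_AUTH_HOSTS:
        return None
    if u.path not in GOOGLE_AUTH_PATHS:
        return None
    q = parse_qs(u.query)
    # 'scope' is a space-separated list; parse_qs has already decoded '+'
    # and '%20' to spaces, so a whitespace split yields the individual scopes.
    scopes = set(" ".join(q.get("scope", [])).split())
    return {
        "client_id": q.get("client_id", [""])[0],
        "redirect_uri": q.get("redirect_uri", [""])[0],
        "scopes": scopes,
    }


def triage(url):
    """Classify a link as 'not-oauth', 'allow', 'review' or 'low-risk',
    together with the reasons for that verdict."""
    fields = parse_consent_url(url)
    if fields is None:
        return "not-oauth", []
    if fields["client_id"] in KNOWN_CLIENT_IDS:
        return "allow", ["vetted client_id " + fields["client_id"]]
    reasons = ["unknown client_id " + fields["client_id"]]
    risky = fields["scopes"] & HIGH_RISK_SCOPES
    if risky:
        reasons.append("requests mailbox/contacts scopes: " + ", ".join(sorted(risky)))
        if fields["redirect_uri"]:
            # The authorization code, and so the token, goes wherever this points.
            reasons.append("grant is delivered to " + fields["redirect_uri"])
        return "review", reasons
    return "low-risk", reasons


# Constructed sample links (placeholders, not real identifiers).
PHISH_LINK = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=987654321098-exampleworm.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
    "&access_type=offline"
)
VETTED_LINK = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=123456789012-vettedapp.apps.googleusercontent.com"
    "&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.file"
)
PLAIN_DOC_LINK = "https://docs.google.com/document/d/constructed-id/edit"

if __name__ == "__main__":
    for link in (PHISH_LINK, VETTED_LINK, PLAIN_DOC_LINK):
        verdict, reasons = triage(link)
        print(verdict, "<-", link[:60])
        for r in reasons:
            print("   ", r)
```

The verdict for the constructed phish link is `review`: the host is Google's, but the client is unknown and it asks for full mail plus contacts access. A plain Docs sharing link is reported as `not-oauth`, which matches the point made below that real Google Docs sharing does not go through an app-level OAuth grant at all.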

We've seen this technique used before by the group known as Pawn Storm. During that campaign, the attackers set up a malicious "Google Defender" application that promised to protect victims' accounts while doing quite the opposite.

Although the two campaigns are unrelated, the Pawn Storm attack used the same legitimate OAuth flow, exploiting users' unfamiliarity with which services legitimately ask for access to their account. When the attackers' target is your Google Account, these attacks are extremely difficult to prevent and detect.

Connecting Accounts Can Be Risky

This most recent campaign disguised its application as "Google Docs." Most users are unaware that the real Google Docs and Google Drive never need an OAuth grant to your Google Account. As integrated Google services, they use a different authorization mechanism, sharing permissions granted document by document or folder by folder, to request access.

You can read more about sharing these documents on the Google support site.

If you did authorize access to this application, you can remove the connection from your Google account with a couple of simple clicks. Visit https://profiles.google.com/connectedaccounts, find the listing for "Google Docs," and click the "Remove" button.

[ Update: Thankfully Google was on top of the situation and has now blocked this application so no new connections can be made. Existing connections should also have been removed, but you'll want to check to make sure.]

While you're on the page, you should review all of the other connections to your Google account. You might be surprised to find a number of older applications or other connections that you weren't aware of. Third-party account connections are a common attack vector, and reviewing them regularly is an easy way to close it (that goes for your Facebook, Twitter and LinkedIn accounts as well).

User Education Is Critical

Phishing remains one of the top ways that attackers start their hacks. We continue to see new and innovative ways to trick users into taking actions that compromise their systems. When the attacker's goal is a public account (like Google, Facebook, Twitter, or LinkedIn), leveraging legitimate mechanisms like OAuth lets them circumvent common defences such as URL filtering and attachment scanning. This leaves you relying purely on user education to remain protected.

If you haven't already added a discussion of linking accounts to third parties to your security awareness training, now is the time. This isn't the first, nor will it be the last, attack to take advantage of legitimate OAuth flows to compromise user accounts.

Sharing our approach to user education and awareness helps improve everyone’s security posture. Do you have a really good example or material that really resonates with users? Why not share it on Twitter? Reach out to me (@marknca) and I’ll help get the message out.

  • Copyright © 2017 Trend Micro Incorporated. All rights reserved.