
Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks

  • Posted on:April 25, 2017 at 1:00 am
  • Posted in:Targeted Attacks
  • Author:
    Feike Hacquebord (Senior Threat Researcher)

Pawn Storm is an active and aggressive espionage actor group that has been operating since 2004. The group uses different methods and strategies to gain information from their targets, which are covered in our latest research. However, they are particularly known for dangerous credential phishing campaigns. In 2016, the group set up aggressive credential phishing attacks against the Democratic National Convention (DNC), German political party Christian Democratic Union (CDU), the parliament and government of Turkey, the parliament of Montenegro, the World Anti-Doping Agency (WADA), Al Jazeera, and many other organizations.

This blog post discusses how Pawn Storm abused Open Authentication (OAuth) in advanced social engineering schemes. High profile users of free webmail were targeted by campaigns between 2015 and 2016.

How is OAuth abused?

OAuth is a way of authorizing third party applications to log in to users’ online accounts on social media sites, gaming sites, and services like free webmail. The big advantage is that users don’t have to reveal their password; instead, the third party application receives a token that it can use to authenticate on the user’s behalf.

While OAuth offers convenience and can be usefully applied in different ways, it may also expose the user to risks. Threat actors can get through the background checks that service providers perform before approving applications for OAuth use, and can then integrate OAuth into advanced social engineering schemes. Some internet service providers only require an email address and a website before a third party application may use OAuth. Because of these policies, experienced actor groups like Pawn Storm can take advantage of OAuth for their credential phishing schemes.

Figure 1. The sequence of Pawn Storm's OAuth abuse

A dissection of Pawn Storm OAuth attacks

In these attacks, a user would receive a message like this:

Figure 2. A phony email from Pawn Storm

The email poses as an advisory from Gmail and prompts potential victims to install an “official” application called “Google Defender”. Normally, an internet user would know better than to readily install an application they did not ask for.

If the user clicks on the link, it leads to a page on accounts.google.com that looks like this:

Figure 3. A request to grant access from “Google Defender”

At this point, the user is faced with a legitimate Google site—since all OAuth approvals are done on the site of the service provider—but the application itself is part of a phishing scheme.

“Google Defender” is actually a third party application made by Pawn Storm. After abusing the screening process for OAuth approvals, Pawn Storm’s rogue application operates like every other app accepted by the service provider. If the user falls for the scam and clicks the “Allow” button, an OAuth token is provided to the app, giving Pawn Storm semi-permanent access to the target’s mailbox.

Apart from targeting Gmail users, Pawn Storm has also abused OAuth in credential phishing attacks against high profile Yahoo users. Here is an example from 2015 in which “McAfee Email Protection” is offered.

Figure 4. A convincing Yahoo phishing email

Clicking on the “Try McAfee Email Protection” button would lead to this legitimate website:

Figure 5. This gives the third party app OAuth access

However, the application is not a service of Yahoo or a legitimate product of McAfee, but a rogue application used by Pawn Storm. Clicking on the “Agree” button would give Pawn Storm an OAuth token and access to the target’s mailbox. The group then retains access to the mailbox until the token is revoked by the service provider or the target.

Pawn Storm apparently had some success with this type of attack, as it kept sending this kind of social lure from the end of November through the first half of December 2015, as shown in the next figure.

Figure 6. Overview of Pawn Storm’s Yahoo credential phishing campaigns. The blue boxes indicate when Pawn Storm used OAuth lures, while red boxes indicate other phishing email strategies.

OAuth enhances the user experience on the web. For example, by allowing a social network access to your webmail contact list, it is easier to find friends who are subscribed to the same social network. But while we believe that internet service providers have enhanced their security checks of applications that are allowed to use OAuth, internet users are urged to never accept OAuth token requests from an unknown party or for a service they did not ask for. Regularly review the applications you have granted access to your mailbox in the security settings of your free webmail or social media service. If you see a suspicious application, immediately revoke its OAuth token.

These are known rogue applications of Pawn Storm that have been used in credential phishing attacks against high profile users (variants of these names are likely to have been used by Pawn Storm as well):

  • Google Defender
  • Google Email Protection
  • Google Scanner
  • Delivery Service (Yahoo)
  • McAfee Email protection (Yahoo)

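The review-and-revoke advice above and the list of rogue application names can be turned into a small audit, as an added example that is not part of the original post. It takes a constructed export of a user’s authorized third-party apps (the field names and most scope strings are assumptions, not any provider’s real API; only the Gmail full-access scope is real) and flags grants that match the post’s rogue names, borrow an impersonated brand while unverified, or hand mailbox access to an unverified app.

```python
import json

# Constructed sample of a user's authorized third-party applications, in a
# hypothetical export format. Field names are assumptions, not the real
# Google or Yahoo API; "https://mail.google.com/" is Gmail's real full-access
# scope, the other scope strings are constructed for the example.
GRANTED_APPS_JSON = """[
 {"name": "Google Defender", "verified_publisher": false,
  "scopes": ["https://mail.google.com/"], "granted": "2016-03-02"},
 {"name": "Android Device", "verified_publisher": true,
  "scopes": ["profile", "email"], "granted": "2014-08-19"},
 {"name": "Contact Finder", "verified_publisher": true,
  "scopes": ["contacts.readonly"], "granted": "2015-01-07"},
 {"name": "McAfee Email protection", "verified_publisher": false,
  "scopes": ["mail.read", "mail.write"], "granted": "2015-12-01"}
]"""

# Rogue application names listed in this post (lower-cased for matching).
KNOWN_ROGUE_NAMES = {
    "google defender", "google email protection", "google scanner",
    "delivery service", "mcafee email protection",
}
# Brands the lures on this page impersonated.
IMPERSONATED_BRANDS = ("google", "gmail", "yahoo", "mcafee")
# Scopes that hand over the mailbox itself (constructed except the Gmail one).
MAILBOX_SCOPES = {"https://mail.google.com/", "mail.read", "mail.write"}


def classify(app):
    """Return the reasons an authorized app looks like an OAuth phishing grant."""
    name = app["name"].strip().lower()
    verified = bool(app.get("verified_publisher"))
    reasons = []
    if name in KNOWN_ROGUE_NAMES:
        reasons.append("name matches a known Pawn Storm lure")
    if not verified and any(b in name for b in IMPERSONATED_BRANDS):
        reasons.append("unverified app borrowing a provider or vendor brand name")
    if not verified and MAILBOX_SCOPES.intersection(app.get("scopes", [])):
        reasons.append("unverified app holds mailbox read/write access")
    return reasons


def audit(json_text):
    """Map each granted app name to its list of suspicion reasons (empty = clean)."""
    return {app["name"]: classify(app) for app in json.loads(json_text)}


def revoke_candidates(json_text):
    """Names of grants the user should revoke in the provider's security settings."""
    return sorted(name for name, reasons in audit(json_text).items() if reasons)
```

The output of `revoke_candidates` is the list to act on in the webmail provider’s security settings; the same checks can run over an organization-wide export when an admin console provides one.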
For more information about Pawn Storm, check out Espionage and Cyber Propaganda: A Look into Pawn Storm’s Activities over the Past Two Years.
