How phishing is evolving to outpace awareness

01 Nov 2018

Article by Bitglass CTO Anurag Kahol

Traditional phishing attempts are much easier to spot than they used to be. Education efforts have made us all more alert to the risk, but in response, criminals have developed new techniques with which to target organisations and their employees.

These techniques are more difficult to detect and cloud users must be vigilant in order to protect their data.

Growing public awareness of traditional phishing scams has been a step in the right direction.

Today’s well-trained employees are not so easily tricked into clicking on malicious links or responding to unexpected emails.

Many are less likely to interact with spontaneous requests to change passwords, and won’t send sensitive information to suspicious email addresses.

While email providers have made strides in flagging suspicious emails and source domains, reducing the effectiveness of attacks, attackers’ techniques have also evolved.

The latest in cloud-based phishing

An increasingly common criminal tactic is to target cloud-based services such as Gmail and the broad G Suite set of applications.

Instead of traditional email-based phishing, criminals can request that individuals provide API access to their Gmail and G Suite accounts, enabling them to access all data in a user’s account.

The trick works because users accept what appears to be a standard sharing request from a trusted provider like Google.

Once the user grants access, criminals may have visibility into their contacts, files stored in G Suite, and the contents of their emails.

The attack, widely publicised late last year, utilises the OAuth protocol – a system Google uses to streamline authentication.

This system allows Google users to grant third-party applications access to their sensitive information without needing to re-enter their login details.

This is what differentiates this phishing tactic from traditional phishing – criminals get access to your data without ever obtaining your credentials.

This technique is simple, yet sophisticated.

It moves away from phishing tactics that require social engineering and instead misuses new technologies.

Since people are less aware of these new cloud-based tactics, they are more likely to fall victim to one of these attacks.
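The consent-grant mechanism described above leaves a trail that defenders can review: every third-party app a user authorises, together with the scopes it was granted. The following is an added example, not code from the article or from Bitglass, that flags grants deserving review from a constructed JSON-lines log (the log schema, the client IDs and the organisation's allowlist are all assumptions made for the example; the scope URIs are Google's real ones):

```python
import json

# Google OAuth scope URIs that hand over mail, contacts or Drive wholesale.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/drive",
}

# Constructed sample: one JSON grant record per line (not Google's real audit schema).
SAMPLE_LOG = """
{"user": "alice@example.com", "app": "Google Docs", "client_id": "1234.apps.example", "verified": false, "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]}
{"user": "bob@example.com", "app": "Calendar Sync", "client_id": "5678.apps.example", "verified": true, "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]}
{"user": "carol@example.com", "app": "Approved CRM", "client_id": "9999.apps.example", "verified": true, "scopes": ["https://www.googleapis.com/auth/contacts"]}
"""

APPROVED_CLIENT_IDS = {"9999.apps.example"}  # constructed organisation allowlist


def parse_grants(text):
    """Parse JSON-lines grant records, skipping blank or malformed lines."""
    grants = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            grants.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a corrupt line should not abort the whole review
    return grants


def risky_grants(grants, approved=APPROVED_CLIENT_IDS):
    """Return (user, app, reasons) for grants that expose broad data to unvetted apps."""
    findings = []
    for g in grants:
        if g.get("client_id") in approved:
            continue  # app was vetted by the organisation
        broad = sorted(BROAD_SCOPES & set(g.get("scopes", [])))
        if not broad:
            continue  # narrow scopes: low data exposure, no escalation
        reasons = ["broad scopes: " + ", ".join(broad)]
        if not g.get("verified", False):
            reasons.append("unverified publisher")
        if g.get("app", "").lower().startswith("google"):
            reasons.append("app name mimics the provider")  # lure posing as a trusted product
        findings.append((g["user"], g["app"], reasons))
    return findings


if __name__ == "__main__":
    for user, app, reasons in risky_grants(parse_grants(SAMPLE_LOG)):
        print(f"{user}: '{app}' -> {'; '.join(reasons)}")
```

In a real deployment the same rule would run over the provider's token-grant audit export, and a hit would trigger revocation of the grant and a notification to the user.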

What's next?

This kind of attack circumvents both the awareness of users and filtering technology.

These attacks are highly personalised, very well disguised, and provide the criminal with broad permissions over cloud accounts.

This means access to data, connected devices, and online services.

The rapid adoption of cloud technology makes it all the more tempting for criminals to find ways to exploit it.

As seen with the G Suite attack, pretending to be an application rather than a colleague or company is a clever way of manufacturing trust.

Google, Amazon, Microsoft, and other cloud service providers are constantly updating their services with new security features.

With the addition of machine learning technologies, malicious URL detection, and email filtering, these providers will continue to improve their ability to protect users.

Also, as seen in the G Suite attack, cloud providers can be very quick to find and notify users about the risk of new large-scale attacks.

Ultimately, organisations and individuals are still responsible for data breaches where they fall victim to a phishing attack of any sort.

This is why education is important.

As threats evolve, businesses must ensure that employees are aware of new risks.

This, together with security technology that controls access and provides IT leaders with visibility into high-risk actions, can help limit the impact of a phishing attack.
