Story image

How phishing is evolving to outpace awareness

01 Nov 2018

Article by Bitglass CTO Anurag Kahol

Traditional phishing attempts are much easier to spot than it used to be. Education efforts have made us all more alert to the risk, but in response, criminals have developed new techniques with which to target organisations and their employees.

These techniques are more difficult to detect and cloud users must be vigilant in order to protect their data.

Growing awareness of traditional phishing scams among the public, in general, has been a step in the right direction.

Today’s well-trained employees are not so easily tricked into clicking on malicious links or responding to unexpected emails.

Many are less likely to interact with spontaneous requests to change passwords, and won’t send sensitive information to suspicious email addresses.

While email providers have made strides in flagging suspicious emails and source domains, reducing the effectiveness of attacks, attackers’ techniques have also evolved.

The latest in cloud-based phishing

An increasingly common criminal tactic is to target cloud-based services such as Gmail and the broad G Suite set of applications.

Instead of traditional email-based phishing, criminals can request that individuals provide API access to their Gmail and G Suite accounts, enabling them to access all data in a user’s account.

The trick works because users accept what appears to be a standard sharing request from a trusted provider like Google.

Once the user grants access, criminals may have visibility into their contacts, files stored in G Suite, and the contents of their emails.

The attack, widely publicised late last year, utilises the OAuth protocol – a system Google uses to streamline authentication.

This system allows Google users to grant third-party applications access to their sensitive information without needing to re-enter their login details.

This is what differentiates this phishing tactic from the traditional – criminals get access to your data without your credentials.

This technique is simple, yet sophisticated.

It moves away from phishing tactics that require social engineering and instead misuses new technologies.

Since people are less aware of these new cloud-based tactics, they are more likely to fall victim to one of these attacks.

What's next?

This kind of attack circumvents both the awareness of users and filtering technology.

They are highly personalised, very well disguised, and provide the criminal with access to broad permissions over cloud accounts.

This means access to data, connected devices, and online services.

The rapid adoption of cloud technology makes it all the more tempting for criminals to find ways to exploit it.  

As seen with the G Suite attack, pretending to be an application rather than a colleague or company is a clever way of manufacturing trust.

Google, Amazon, Microsoft, and other cloud service providers are constantly updating their services with new security features.

With the addition of machine learning technologies, malicious URL detection, and email filtering, these providers will continue to improve their ability to protect users.

Also, as seen in the G Suite attack, cloud providers can be very quick to find and notify users about the risk of new large-scale attacks.

Ultimately, organisations and individuals are still responsible for data breaches where they fall victim to a phishing attack of any sort.

This is why education is important.

As threats evolve, businesses must ensure that employees are aware of new risks.

This, together with security technology that controls access and provides IT leaders with visibility into high-risk actions can help limit the impact of a phishing attack.

Cryptomining apps discovered on Microsoft’s app store
It is believed that the eight apps were likely developed by the same person or group.
WhatsApp users warned to change voicemail PINs
Attackers are allegedly gaining access to users’ WhatsApp accounts by using the default voicemail PIN to access voice authentication codes.
Swiss Post asks public to hack its e-voting system
Switzerland’s postal service Swiss Post is inviting keen-eyed security experts and white hats to hack its e-voting system.
Spoofs, forgeries, and impersonations plague inboxes
It pays to double check any email that lands in your inbox, because phishing attacks are so advanced that they can now literally originate from a genuine sender’s account – but those emails are far from genuine.
Flashpoint signs on emt Distribution as APAC partner
"Key use cases that we see greatly benefiting the region are bolstering cybersecurity, combating insider threats, confronting fraud, and addressing supply chain risk, to name a few."
The attack surface: 2019's biggest security threat
As businesses expand, so does their attack surface – and that may be the biggest cybersecurity risk of them all, according to Aon’s 2019 Cyber Security Risk Report.
Opinion: Cybersecurity as a service answer to urgent change
Alan Calder believes a CSaaS model can enable a company to build a cyber resilience strategy in a coherent and consistent manner.
Why SD-WAN is key for expanding businesses - SonicWall
One cost every organisation cannot compromise on is reliable and quick internet connection.