Web-Based Application Cyberattacks
With the COVID-19 Pandemic, businesses rely on cloud applications more than ever. These applications have become essential to remote workers as tools for collaboration and productivity.
Microsoft has found that an increasing number of cyberattackers are using online web-based applications to attack cloud services such as Office 365. Agnieszka Girling, Partner Group PM Manager at Microsoft, notes that while cloud applications have been enormously helpful for increasing remote work productivity, they are also a point of attack for malicious actors.
Consent phishing is one of many web-based attacks that currently pose a danger to cloud-based applications. Phishing describes a type of attack in which the attacker attempts to trick the victim into clicking malicious links or sharing sensitive information by pretending to be a trusted identity. Oftentimes, this is done through channels such as email or online chat.
In consent phishing, the attacker instead tricks the victim into granting an application permission to access sensitive data or online applications. Once the actor has gained access to one cloud application, they can exploit Open Authentication (OAuth) to reach other cloud applications without having to present any additional credentials. By abusing Open Authentication, a malicious actor can gain access to an entire suite of a user’s applications without needing a password or multifactor authentication. Commonly targeted web apps include Google Suite, Amazon, and Microsoft O365 accounts.
First, the malicious actor registers the malicious application with an OAuth provider, such as Azure Active Directory. Next, the malicious application is made to look authentic. A direct link to the malicious application is then generated and sent to the victim, often through email. Once the link is clicked, the malicious application requests permission to access the victim’s legitimate account information. This consent prompt is designed to look identical to legitimate prompts. The moment the victim clicks ‘allow’ on the prompt, the attackers receive a token that provides access to the victim’s account.
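The consent link in this flow is an ordinary OAuth 2.0 authorization URL, and the permissions the prompt displays come from its scope parameter. The following Python script is an added example, not code from the original article or from Microsoft: it inspects such a link before anyone clicks it, checks whether the host is a known identity-provider endpoint, and lists the permissions the application would receive on ‘allow’. The sample links, the client IDs in them, and the risk labels attached to each scope are constructed assumptions for illustration.

```python
"""Inspect an OAuth 2.0 authorization (consent) link before it is clicked.

Added example, not code from the original article. The scope-to-risk mapping
and the sample links below are constructed for illustration.
"""
from urllib.parse import urlparse, parse_qs

# Authorization endpoints of the identity providers named in the article.
# Any other host is treated as an unknown consent page.
KNOWN_AUTHZ_HOSTS = {
    "login.microsoftonline.com",
    "accounts.google.com",
}

# Scopes that hand an application broad or persistent access. The scope
# names are real Microsoft Graph / Google scopes; the labels are our own.
HIGH_RISK_SCOPES = {
    "Mail.Read": "read the user's mailbox",
    "Mail.ReadWrite": "read and modify the user's mailbox",
    "Files.ReadWrite.All": "read and modify all files the user can reach",
    "offline_access": "keep access via a refresh token after sign-out",
    "https://mail.google.com/": "full access to Gmail",
}

# Constructed sample links; client IDs and redirect hosts are placeholders.
SAMPLE_LINKS = [
    # Genuine provider host, but the app asks for mailbox access plus a
    # refresh token: the permission pattern the article describes.
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
    "&scope=User.Read%20Mail.Read%20offline_access",
    # Look-alike host that is not a known identity provider at all.
    "https://login.microsoftonline.com.example.invalid/authorize"
    "?client_id=abc&scope=openid%20email",
]


def inspect_consent_link(url):
    """Return host trust, client details and the requested scopes."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    # The scope parameter is a space-separated list (URL-encoded as %20 or +).
    scopes = []
    for raw in params.get("scope", []):
        scopes.extend(s for s in raw.split() if s)
    host = parsed.hostname or ""
    return {
        "host": host,
        "known_provider": parsed.scheme == "https" and host in KNOWN_AUTHZ_HOSTS,
        "client_id": params.get("client_id", [""])[0],
        "redirect_uri": params.get("redirect_uri", [""])[0],
        "scopes": scopes,
        "high_risk": [s for s in scopes if s in HIGH_RISK_SCOPES],
    }


def verdict(report):
    """Constructed triage rule: unknown host or high-risk scopes need review."""
    if not report["known_provider"]:
        return "unknown consent page"
    if report["high_risk"]:
        return "high-risk permissions requested"
    return "low-risk"


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        report = inspect_consent_link(link)
        print(report["host"], "->", verdict(report))
        for scope in report["high_risk"]:
            print("   ", scope, ":", HIGH_RISK_SCOPES[scope])
```

The first sample shows why checking the domain alone is not enough: the host is the real provider, and the thing to read is the list of permissions being requested. The second sample shows the opposite failure, a look-alike host that no legitimate consent prompt would ever be served from.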
Exploitation of Open Authentication Services
Cybersecurity researchers at Trend Micro found that between 2015 and 2016, a cyber threat group exploited Open Authentication in a social engineering scheme. Their goal was to gain access to high-profile individuals using free webmail services. In the attack, targets were sent a malicious email stating that their Google account was under threat, prompting users to install a fake application called “Google Defender”. Clicking on the link brought victims to a permissions prompt page, and clicking “allow” gave the attackers access to the victims’ Gmail inboxes.
Defending Yourself Against Web Application Attacks
Microsoft has taken legal action against malicious actors using consent phishing. The U.S. District Court for the Eastern District of Virginia has reported that Microsoft has filed a case against actors defrauding victims using consent phishing.
Microsoft stated that the attack leveraged the COVID-19 pandemic by using the subject line “COVID-19 Bonus” to entice victims. Once victims clicked the malicious link, they were redirected to a fake permissions prompt page. As with other consent phishing attacks, once the victim grants permission, the attacker gains access to their accounts without the use of a password. Below are some recommendations that Microsoft has provided to prevent these attacks:
1) Ensure that the web URL and domain are legitimate before allowing any application access to your web apps.
2) Only allow web apps that have been publisher verified. Publisher verified applications have been screened and verified by the Microsoft Partner Network.
3) For organizations, create web app consent policies that only allow employees to consent to specific trusted applications.
4) Ensure that permitted apps only have access to the information they require to function and do not have unnecessary access to sensitive information they do not need.
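Recommendations 2 through 4 can be turned into a review that runs over the consents an organization has already granted. The following Python script is an added example, not code from the original article or from Microsoft: it encodes a consent policy (publisher verification required, a trusted-app list, a least-privilege scope allowlist) and reports which existing grants violate it. The grant records, app names, and policy values are constructed for illustration; in a real tenant the records would come from the identity provider’s administration tooling.

```python
"""Audit existing application consents against a consent policy.

Added example, not code from the original article. All grant records and
policy values below are constructed; the scope names are real Microsoft
Graph scopes, everything else is illustrative.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ConsentGrant:
    app_name: str
    publisher_verified: bool
    scopes: tuple          # permissions the app was granted
    granted_by: str        # "user" or "admin"


@dataclass(frozen=True)
class ConsentPolicy:
    require_publisher_verified: bool
    allowed_apps: frozenset      # recommendation 3: explicit trusted apps
    allowed_scopes: frozenset    # recommendation 4: least-privilege allowlist


# Constructed policy: users may only keep consents to these apps and scopes.
POLICY = ConsentPolicy(
    require_publisher_verified=True,
    allowed_apps=frozenset({"Contoso Expense Reporter", "Team Wiki Sync"}),
    allowed_scopes=frozenset({"User.Read", "Files.Read", "openid", "email"}),
)

# Constructed grant records standing in for an export from the tenant.
GRANTS = [
    ConsentGrant("Contoso Expense Reporter", True, ("User.Read", "Files.Read"), "admin"),
    ConsentGrant("Team Wiki Sync", True, ("User.Read", "Files.ReadWrite.All"), "user"),
    ConsentGrant("Mail Backup Helper", False, ("Mail.Read", "offline_access"), "user"),
]


def evaluate(grant, policy):
    """Return the list of policy findings for one grant (empty means compliant)."""
    findings = []
    if policy.require_publisher_verified and not grant.publisher_verified:
        findings.append("publisher not verified")
    if grant.app_name not in policy.allowed_apps:
        findings.append("app not on trusted list")
    excess = [s for s in grant.scopes if s not in policy.allowed_scopes]
    if excess:
        # Over-privileged consent: the app holds more than the policy permits.
        findings.append("excess scopes: " + ", ".join(excess))
    return findings


def audit(grants, policy):
    """Map each app name to its findings; compliant apps map to an empty list."""
    return {g.app_name: evaluate(g, policy) for g in grants}


def noncompliant(grants, policy):
    """Names of apps whose consent should be reviewed or revoked."""
    return sorted(name for name, f in audit(grants, policy).items() if f)


if __name__ == "__main__":
    for name, findings in audit(GRANTS, POLICY).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

A verified app on the trusted list can still fail the audit when it holds a scope outside the allowlist, which is the situation recommendation 4 is aimed at: trust in the publisher does not remove the need to limit what the app can reach.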
Don’t fall victim to cyberattack. GIGE Corporation has over 30 years of experience defending against phishing attacks. Call us at +1 888 366 4443 or firstname.lastname@example.org for a consultation today.