A new type of brand impersonation attack disproportionately uses Google-branded sites to trick victims into sharing login credentials. These attacks made up 4 percent of all spear-phishing attacks in the first four months of 2020, and Barracuda researchers have seen steady detections through the first part of the year. Researchers expect that number to climb as cybercriminals continue to have success harvesting credentials with these attacks.
Form-based attacks: In this type of brand impersonation attack, scammers leverage file-sharing, content-sharing, or other productivity sites like docs.google.com or sway.office.com to convince victims to hand over their credentials. The phishing email usually contains a link to one of these legitimate websites, which makes this highly specialized attack difficult to detect. One particularly tricky variant even steals account access without stealing credentials at all.
Of the nearly 100,000 form-based attacks Barracuda detected between January 1, 2020, and April 30, 2020, Google file-sharing and storage websites were used in 65 percent of attacks. This includes storage.googleapis.com (25%), docs.google.com (23%), storage.cloud.google.com (13%), and drive.google.com (4%).
In comparison, Microsoft brands were targeted in 13 percent of attacks: onedrive.live.com (6%), sway.office.com (4%), and forms.office.com (3%). The other sites used in impersonation attacks include sendgrid.net (10%), mailchimp.com (4%), and formcrafts.com (2%). All other sites made up 6 percent of form-based attacks.
Cybercriminals use form-based attacks for credential theft in several ways. The three most common tactics are:
1. Using legitimate sites as intermediaries
With this tactic, cybercriminals send emails that appear to have been generated automatically by a file-sharing site such as OneDrive, and route the victim to a phishing site by way of a legitimate file-sharing site. The attacker sends an email with a link that leads to a file stored on a site like sway.office.com, for example. The file contains a picture with a link to a phishing site that asks for credentials to log in.
2. Creating online forms for phishing
With this approach, attackers create an online form using legitimate services like forms.office.com. The forms resemble a login page of a legitimate service, and the link to the form is then included in phishing emails to harvest credentials.
These impersonation attacks are difficult to detect because they contain links pointing to legitimate websites that organizations use every day. However, services that request account verification or password changes do not normally send you to file-sharing or form-building domains, so a credential request that lands on one of them is a strong signal.
3. Getting access to accounts without passwords
In this particularly nasty attack variant, hackers get access to their victims' accounts without ever stealing their credentials. The original phishing email contains a link to what looks like a normal login page. Even the domain name in the browser window matches what the user would expect to see, because it really is the identity provider's login page.
However, the link is an authorization request for an application the attacker controls: it asks the identity provider to issue that app an access token. After the victim enters their login credentials, they are presented with a list of app permissions to accept. By accepting these permissions, the victim is not handing a password to the attacker, but is granting the attacker's app an access token that lets it use the victim's session to access the account on the victim's behalf.
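The two detection heuristics above (a credential request that links to a file-sharing or form-building host, and a login link that is really an OAuth consent request for a broad set of permissions) can be turned into a link triage check. The following is an added example written for this page, not Barracuda's product code. The intermediary host list is the one this post reports; the OAuth scope names are real Microsoft Graph delegated permissions; the approved client ID and redirect host are hypothetical placeholders for a tenant's own app allowlist.

```python
from urllib.parse import urlparse, parse_qs

# Legitimate hosts this post reports being abused as intermediaries or form hosts.
INTERMEDIARY_HOSTS = {
    "storage.googleapis.com", "docs.google.com", "storage.cloud.google.com",
    "drive.google.com", "onedrive.live.com", "sway.office.com",
    "forms.office.com", "sendgrid.net", "mailchimp.com", "formcrafts.com",
}
# Wording that a real provider would never combine with a link to those hosts.
CREDENTIAL_PHRASES = ("verify your account", "password", "sign in", "log in",
                      "login", "confirm your identity", "account suspended")
# Identity-provider authorize endpoints where a consent request can start.
OAUTH_AUTHORIZE_HOSTS = {"login.microsoftonline.com", "login.windows.net",
                         "login.live.com", "accounts.google.com"}
# Delegated scopes that give an app persistent, mailbox- or drive-wide access.
HIGH_RISK_SCOPES = {"offline_access", "Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read",
                    "User.ReadWrite.All", "Directory.ReadWrite.All"}
# Hypothetical tenant allowlist (assumption): apps and redirect hosts the org approved.
APPROVED_CLIENT_IDS = {"11111111-2222-3333-4444-555555555555"}
APPROVED_REDIRECT_HOSTS = {"app.example-corp.com"}


def _host_matches(host, domains):
    # Match the domain itself or any subdomain (e.g. u123.ct.sendgrid.net).
    return any(host == d or host.endswith("." + d) for d in domains)


def _scope_names(scope_param):
    # "https://graph.microsoft.com/Mail.Read" -> "Mail.Read"; bare names pass through.
    return {s.rsplit("/", 1)[-1] for s in scope_param.split() if s}


def triage_link(url, subject):
    """Return a list of findings for one link plus the email subject it came with."""
    findings = []
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    query = parse_qs(parts.query)
    text = subject.lower()

    # Tactics 1 and 2: credential-request wording pointing at a legitimate form/file host.
    if _host_matches(host, INTERMEDIARY_HOSTS) and any(p in text for p in CREDENTIAL_PHRASES):
        findings.append(f"credential-request wording with link to file-sharing/form host {host}")

    # Tactic 3: the 'login page' is an OAuth authorization request for an attacker's app.
    if _host_matches(host, OAUTH_AUTHORIZE_HOSTS) and "client_id" in query:
        client_id = query["client_id"][0]
        if client_id not in APPROVED_CLIENT_IDS:
            findings.append(f"OAuth consent request for unapproved app {client_id}")
        risky = _scope_names(" ".join(query.get("scope", []))) & HIGH_RISK_SCOPES
        if risky:
            findings.append("high-risk scopes requested: " + ", ".join(sorted(risky)))
        redirect_host = (urlparse(query.get("redirect_uri", [""])[0]).hostname or "").lower()
        if redirect_host and redirect_host not in APPROVED_REDIRECT_HOSTS:
            findings.append(f"token would be delivered to unapproved redirect host {redirect_host}")
        if "token" in query.get("response_type", [""])[0].split():
            findings.append("implicit flow: access token returned straight to the redirect URI")
    return findings


if __name__ == "__main__":
    # Constructed sample link, not a real campaign URL.
    consent = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
               "?client_id=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee&response_type=code"
               "&redirect_uri=https%3A%2F%2Fmail-verify.example.net%2Fcb"
               "&scope=openid+offline_access+Mail.ReadWrite+Files.Read.All&state=1")
    for f in triage_link(consent, "Action required: review shared document"):
        print("-", f)
```

The consent check deliberately looks at the query string rather than the browser's address bar, which is exactly what the victim sees and trusts: the host is the real identity provider, and only the `client_id`, `scope` and `redirect_uri` parameters reveal who will end up holding the token.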
Attacks like these are likely to go unnoticed by users for a long time. After all, they entered their credentials on a legitimate website. Even two-factor authentication will not keep attackers out: the user completed the real login, including any second factor, and then approved the malicious app, so the token it received is fully valid.
At the time of writing this blog, Microsoft had already disabled this specific app, but we continue to see this tactic being used.
How to protect your organization
API-based inbox defense: Cybercriminals are adjusting their tactics to bypass email gateways and spam filters, so you need a solution in place that uses artificial intelligence to detect and block attacks, such as account takeover and domain impersonation. Deploy technology that uses machine learning to analyze normal communication patterns within your organization, instead of relying solely on looking for malicious links or attachments. This allows the solution to spot anomalies that may indicate an attack.
Deploy multi-factor authentication: Multi-factor authentication, also called MFA, two-factor authentication, and two-step verification, provides an additional layer of security beyond username and password, such as an authentication code, fingerprint, or retinal scan. It stops the credential-harvesting forms described above, but note that it does not stop the consent-grant variant, where the victim completes MFA and then authorizes the attacker's app.
Protect against account takeover: Use technology to identify suspicious activity and potential signs of account takeover, such as logins at unusual times of the day or from unusual locations and IP addresses. Track IPs that exhibit other suspicious behaviors, including failed logins and access from suspicious devices.
Monitor email accounts for malicious inbox rules as well. They are often used as part of account takeover: criminals log into the account, create forwarding rules, and hide or delete any email they send from the account to cover their tracks.
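The two account-takeover checks above (logins from new locations or at unusual hours plus failed-login clusters per IP, and inbox rules that forward externally or hide mail) can be run over exported sign-in and mailbox-rule data. The following is an added example for this page, not Barracuda's product or a Microsoft API; the sign-in events and inbox rules are constructed sample data, the organization domain, working-hours window and failure threshold are assumptions, and the field names are a simplified schema you would map from whatever your identity provider and mail platform export.

```python
from collections import defaultdict
from datetime import datetime

ORG_DOMAIN = "example-corp.com"          # assumption: the tenant's own mail domain
WORK_HOURS = range(6, 21)                # assumption: 06:00-20:59 UTC is normal activity
FAILED_LOGIN_THRESHOLD = 5               # assumption: failures per IP before alerting
# Folders attackers use to park mail the victim is unlikely to look at.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items"}
SENSITIVE_WORDS = ("password", "invoice", "payment", "wire", "hacked",
                   "phish", "security alert")

# Constructed sign-in events (not real logs); ts is UTC ISO-8601, ok = success.
SIGNINS = [
    {"ts": "2020-04-20T08:12:00", "user": "alice@example-corp.com", "ip": "203.0.113.10", "country": "US", "ok": True},
    {"ts": "2020-04-21T09:05:00", "user": "alice@example-corp.com", "ip": "203.0.113.10", "country": "US", "ok": True},
    {"ts": "2020-04-21T09:30:00", "user": "bob@example-corp.com",   "ip": "203.0.113.22", "country": "US", "ok": True},
    {"ts": "2020-04-22T02:41:00", "user": "alice@example-corp.com", "ip": "198.51.100.7", "country": "NG", "ok": True},
    {"ts": "2020-04-22T03:01:00", "user": "bob@example-corp.com",   "ip": "192.0.2.55",   "country": "US", "ok": False},
    {"ts": "2020-04-22T03:01:10", "user": "carol@example-corp.com", "ip": "192.0.2.55",   "country": "US", "ok": False},
    {"ts": "2020-04-22T03:02:00", "user": "dave@example-corp.com",  "ip": "192.0.2.55",   "country": "US", "ok": False},
    {"ts": "2020-04-22T03:02:30", "user": "bob@example-corp.com",   "ip": "192.0.2.55",   "country": "US", "ok": False},
    {"ts": "2020-04-22T03:03:00", "user": "carol@example-corp.com", "ip": "192.0.2.55",   "country": "US", "ok": False},
]

# Constructed inbox rules (not real mailbox data).
RULES = [
    {"user": "alice@example-corp.com", "name": "Newsletters", "forward_to": [],
     "move_to": "Newsletters", "delete": False, "mark_read": False, "keywords": ["newsletter"]},
    {"user": "alice@example-corp.com", "name": ".", "forward_to": ["drop@mailbox-collector.example.net"],
     "move_to": "RSS Feeds", "delete": False, "mark_read": True, "keywords": ["password", "invoice"]},
    {"user": "bob@example-corp.com", "name": "Cleanup", "forward_to": [],
     "move_to": "", "delete": True, "mark_read": False, "keywords": ["security alert"]},
]


def signin_findings(events):
    """Flag new-country and off-hours successes per user, and failure clusters per IP."""
    findings = []
    seen_countries = defaultdict(set)
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        when = datetime.fromisoformat(e["ts"])
        if not e["ok"]:
            failures[e["ip"]].append(e["user"])
            continue
        # Baseline is built from this user's earlier successes; a first login never alerts.
        if seen_countries[e["user"]] and e["country"] not in seen_countries[e["user"]]:
            findings.append(f"{e['user']}: successful login from new country {e['country']} ({e['ip']}) at {e['ts']}")
        if when.hour not in WORK_HOURS:
            findings.append(f"{e['user']}: successful login at off-hours {when:%H:%M} UTC from {e['ip']}")
        seen_countries[e["user"]].add(e["country"])
    for ip, users in failures.items():
        if len(users) >= FAILED_LOGIN_THRESHOLD:
            kind = "password spraying" if len(set(users)) > 1 else "brute force"
            findings.append(f"{ip}: {len(users)} failed logins across {len(set(users))} accounts (possible {kind})")
    return findings


def inbox_rule_findings(rules):
    """Return one finding per rule that forwards externally, hides, or deletes mail."""
    findings = []
    for r in rules:
        reasons = []
        external = [a for a in r.get("forward_to", []) if not a.lower().endswith("@" + ORG_DOMAIN)]
        if external:
            reasons.append("forwards to external address " + ", ".join(external))
        if r.get("move_to", "").lower() in HIDING_FOLDERS:
            reasons.append(f"moves mail to rarely viewed folder '{r['move_to']}'")
        if r.get("delete"):
            reasons.append("deletes matching mail")
        hits = [w for w in SENSITIVE_WORDS if any(w in k.lower() for k in r.get("keywords", []))]
        if hits and (r.get("delete") or r.get("move_to") or external):
            reasons.append("acts on security-sensitive keywords: " + ", ".join(hits))
        if len(r.get("name", "").strip()) <= 1:
            reasons.append("rule name is blank or a single character")
        if reasons:
            findings.append({"user": r["user"], "rule": r["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for line in signin_findings(SIGNINS):
        print("-", line)
    for f in inbox_rule_findings(RULES):
        print(f"- {f['user']} rule {f['rule']!r}: " + "; ".join(f["reasons"]))
```

The sign-in baseline here is per-user country history, which is enough to surface the pattern the post describes (a first-ever login from an unexpected country shortly after a phish); in production you would feed it months of history and add device and ASN dimensions. The inbox-rule check is deliberately generous about what counts as hiding, because a rule that forwards to an outside mailbox is almost never legitimate and is cheap to review.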
Improve user security education: Educate users about email attacks, including form-based attacks, as part of security-awareness training. Ensure staffers can recognize attacks, understand their fraudulent nature, and know how to report them. Use phishing simulation to train users to identify cyberattacks, test the effectiveness of your training, and evaluate the users most vulnerable to attacks.
Be sure to join us for our upcoming webinar, where we will discuss new email threats and how your MSP can protect its customers from them.
Photo: Tero Vesalainen / Shutterstock