Researchers warn that vanity links made by businesses to add their brand to well-known cloud services could become a handy vector for phishing attacks and a technique to deceive users.
Cloud services that don't check whether subdomains have been modified may allow URLs that appear to be from "varonis.box.com" or "apple.zoom.us," according to a Varonis advisory released on Wednesday.
In the instance of Box.com, this could result in a malicious document; in the case of Zoom, it could result in a data-gathering webinar unrelated to the stated brand. The issue arises when a cloud service permits the usage of a vanity subdomain but does not validate it or use it to provide services. More than six months ago, Varonis warned Box.com and Zoom of the problem, as well as Google, whose URLs to Google Docs might be spoofed.
The issues are essentially fixed, according to the company. According to Or Emanuel, director of research and security at Varonis, the vulnerability is likely to occur for other providers. "We think it is more than just those three SaaS services," he says, adding that attackers can also use the predictability of the subdomains to select potential victims. "Because of the vanity URLs, it makes it very easy for threat actors to scan all the subdomains of all the big Fortune companies with different cloud providers."
Attackers use well-known companies to hide dangerous code and phishing sites, which allows them to dupe victims into trusting false e-mail messages and website links. In 2019, for example, three-quarters of businesses learned that the lookalike domain had been created by a third party using a top-level domain other than.COM.
Varonis' research takes a different approach to the problem.
Rather than looking at top-level domains, the company's researchers looked into ways to abuse the subdomains that many cloud service providers allow their customers to use. "Not only do vanity URLs feel more professional, but they also provide a sense of security for end-users," Varonis stated in the advisory. "Most people are likelier to trust a link at varonis.box.com than a generic app.box.com link. However, if someone can spoof that subdomain, then trusting the vanity URL can backfire."
When a customer is permitted to utilise their brand as a subdomain, such as varonis.zoom.us, a software-as-a-service (SaaS) application is vulnerable to the attack since the subdomain is no longer validated when the link is provided to a third party, such as participants in a conference call or webinar. In the case of Zoom's service, attackers may design a webinar that asks registrants a series of social engineering-friendly questions, rebrand the webinar as a well-known organisation, and then modify the resulting URL to the targeted URL.
The original domain — for example, attacker.zoom.us — might be changed to varonis.zoom.us without affecting the link's functioning.
A well-branded page might trick a victim into providing personal information, especially if the subdomain indicates that the host is a well-known organisation. In the case of Box.com, a link like app.box.com/f/abcd1234 may be modified to varonis.app.box.com/f/abcd1234 to make it look like an official form gathering information while actually sending it to the attacker.
"The more interesting attacks from a data protection standpoint are when you have forms for registration or file-sharing requests," Emanuel says. "When the threat actor controls these pages, they can ask for any information they want, and it seems totally legit. It's really hard to determine that it's not a page that the company owns."
This type of social engineering is beneficial in phishing assaults, as well as persuading people to click on links or download suspicious files. According to the FBI's annual Internet Crime Complaint Center (IC3) report, losses from cybercrime, including phishing attacks, reached approximately $7 billion in 2021.
According to Emanuel, cloud providers should verify that any URL change is confirmed by the link's encoding.
According to Varonis, both Box.com and Google have fixed the issues, albeit the errors still present for Google Forms and Google Docs when using the "Publish to the web" function. When the subdomain is changed, Zoom will notify users.
Furthermore, users should be wary of links, particularly if the connected page requires too much information or leads to further links or files.
"We recommend educating your coworkers about the risk associated with clicking on such links and especially submitting PII and other sensitive information via forms, even if they appear to be hosted by your company’s sanctioned SaaS accounts," Varonis stated in the advisory.