Story image

How phishing is evolving to outpace awareness

01 Nov 2018

Article by Bitglass CTO Anurag Kahol

Traditional phishing attempts are much easier to spot than it used to be. Education efforts have made us all more alert to the risk, but in response, criminals have developed new techniques with which to target organisations and their employees.

These techniques are more difficult to detect and cloud users must be vigilant in order to protect their data.

Growing awareness of traditional phishing scams among the public, in general, has been a step in the right direction.

Today’s well-trained employees are not so easily tricked into clicking on malicious links or responding to unexpected emails.

Many are less likely to interact with spontaneous requests to change passwords, and won’t send sensitive information to suspicious email addresses.

While email providers have made strides in flagging suspicious emails and source domains, reducing the effectiveness of attacks, attackers’ techniques have also evolved.

The latest in cloud-based phishing

An increasingly common criminal tactic is to target cloud-based services such as Gmail and the broad G Suite set of applications.

Instead of traditional email-based phishing, criminals can request that individuals provide API access to their Gmail and G Suite accounts, enabling them to access all data in a user’s account.

The trick works because users accept what appears to be a standard sharing request from a trusted provider like Google.

Once the user grants access, criminals may have visibility into their contacts, files stored in G Suite, and the contents of their emails.

The attack, widely publicised late last year, utilises the OAuth protocol – a system Google uses to streamline authentication.

This system allows Google users to grant third-party applications access to their sensitive information without needing to re-enter their login details.

This is what differentiates this phishing tactic from the traditional – criminals get access to your data without your credentials.

This technique is simple, yet sophisticated.

It moves away from phishing tactics that require social engineering and instead misuses new technologies.

Since people are less aware of these new cloud-based tactics, they are more likely to fall victim to one of these attacks.

What's next?

This kind of attack circumvents both the awareness of users and filtering technology.

They are highly personalised, very well disguised, and provide the criminal with access to broad permissions over cloud accounts.

This means access to data, connected devices, and online services.

The rapid adoption of cloud technology makes it all the more tempting for criminals to find ways to exploit it.  

As seen with the G Suite attack, pretending to be an application rather than a colleague or company is a clever way of manufacturing trust.

Google, Amazon, Microsoft, and other cloud service providers are constantly updating their services with new security features.

With the addition of machine learning technologies, malicious URL detection, and email filtering, these providers will continue to improve their ability to protect users.

Also, as seen in the G Suite attack, cloud providers can be very quick to find and notify users about the risk of new large-scale attacks.

Ultimately, organisations and individuals are still responsible for data breaches where they fall victim to a phishing attack of any sort.

This is why education is important.

As threats evolve, businesses must ensure that employees are aware of new risks.

This, together with security technology that controls access and provides IT leaders with visibility into high-risk actions can help limit the impact of a phishing attack.

Five things MSPs need to keep in mind in 2019
A Datto APAC channel exec outlines the most important factors for MSP to being paying attention to in the coming year.
Survey: IT pros nostalgic over on-prem data centre visibility
There are significant security and monitoring challenges faced by IT staff responsible for managing public and private cloud deployments.
61% of CIOs believe employees leak data maliciously
Egress conducted a survey to examine the root causes of employee-driven data breaches, their frequency, and impact.
Opinion: BYOD can be secure with the right measures
Companies that embrace BYOD are giving employees more freedom to work remotely, resulting in increased productivity, cost savings, and talent retention.
Sonatype and HackerOne partner on open source vulnerability reporting
Without a standard for responsible disclosure, even those who want to disclose vulnerabilities responsibly can get frustrated with the process.
OutSystems and Boncode team up for better code analysis
The Boncode and OutSystems alliance aims to help organisations to build fast and feel comfortable that the work they're delivering is at peak quality levels.
Security top priority for Filipinos when choosing a bank - Unisys
Filipinos have greatest appetite in Asia Pacific to use biometrics to access banking services
Nuance biometrics fight back against fraud
Nuance Communications has crunched the numbers and discovered that it has prevented more than US$1 billion worth of fraud from being passed on to users of its Nuance Security Suite.