sb-nz logo
Story image

How phishing is evolving to outpace awareness

01 Nov 2018

Article by Bitglass CTO Anurag Kahol

Traditional phishing attempts are much easier to spot than it used to be. Education efforts have made us all more alert to the risk, but in response, criminals have developed new techniques with which to target organisations and their employees.

These techniques are more difficult to detect and cloud users must be vigilant in order to protect their data.

Growing awareness of traditional phishing scams among the public, in general, has been a step in the right direction.

Today’s well-trained employees are not so easily tricked into clicking on malicious links or responding to unexpected emails.

Many are less likely to interact with spontaneous requests to change passwords, and won’t send sensitive information to suspicious email addresses.

While email providers have made strides in flagging suspicious emails and source domains, reducing the effectiveness of attacks, attackers’ techniques have also evolved.

The latest in cloud-based phishing

An increasingly common criminal tactic is to target cloud-based services such as Gmail and the broad G Suite set of applications.

Instead of traditional email-based phishing, criminals can request that individuals provide API access to their Gmail and G Suite accounts, enabling them to access all data in a user’s account.

The trick works because users accept what appears to be a standard sharing request from a trusted provider like Google.

Once the user grants access, criminals may have visibility into their contacts, files stored in G Suite, and the contents of their emails.

The attack, widely publicised late last year, utilises the OAuth protocol – a system Google uses to streamline authentication.

This system allows Google users to grant third-party applications access to their sensitive information without needing to re-enter their login details.

This is what differentiates this phishing tactic from the traditional – criminals get access to your data without your credentials.

This technique is simple, yet sophisticated.

It moves away from phishing tactics that require social engineering and instead misuses new technologies.

Since people are less aware of these new cloud-based tactics, they are more likely to fall victim to one of these attacks.

What's next?

This kind of attack circumvents both the awareness of users and filtering technology.

They are highly personalised, very well disguised, and provide the criminal with access to broad permissions over cloud accounts.

This means access to data, connected devices, and online services.

The rapid adoption of cloud technology makes it all the more tempting for criminals to find ways to exploit it.  

As seen with the G Suite attack, pretending to be an application rather than a colleague or company is a clever way of manufacturing trust.

Google, Amazon, Microsoft, and other cloud service providers are constantly updating their services with new security features.

With the addition of machine learning technologies, malicious URL detection, and email filtering, these providers will continue to improve their ability to protect users.

Also, as seen in the G Suite attack, cloud providers can be very quick to find and notify users about the risk of new large-scale attacks.

Ultimately, organisations and individuals are still responsible for data breaches where they fall victim to a phishing attack of any sort.

This is why education is important.

As threats evolve, businesses must ensure that employees are aware of new risks.

This, together with security technology that controls access and provides IT leaders with visibility into high-risk actions can help limit the impact of a phishing attack.

Story image
Fortinet promises free cybersecurity training until skills gap trend reverses
"We are committed to continue offering the entire catalogue of self-paced Network Security Expert training at no cost until we see the skills gap trend reverse."More
Story image
Users pay with personal data - Kaspersky on WhatsApp move to share data with Facebook
"Nothing is truly free, and, unfortunately, the current business model for free services means that, essentially, we pay with our data."More
Story image
IronNet expands Asia Pacific presence with new strategic partnership
“The combination of M.Tech’s extensive network in Asia Pacific and our unparalleled expertise in threat intelligence and detection will help more enterprises across the region to proactively identify and take down known and unknown threats before they happen.”More
Story image
Arlo's latest Ultra security cameras now available in NZ
The Ultra 2 Wire-Free Spotlight Camera System is equipped with 4K video and HDR image recording, auto-zoom and tracking, and much more.More
Story image
SASE vs zero trust – or the best of both worlds
Zero trust and SASE work together by converging a least-privilege access strategy with an architecture that simplifies how highly distributed users, BYOD, and cloud resources are secured.More
Story image
Check Point exposes Android malware vendor using dark net to rebrand products
Check Point security researchers have exposed an Android malware vendor using a marketer on the dark net to rebrand its products, with the intention of supercharging business and throwing off security vendors. More