Users need to be wary of requests for information or permissions, even if they appear to come from legitimate sources, according to Don MacLennan, Senior Vice President of Engineering and Product at Barracuda Networks. On the CyberWire’s Hacking Humans podcast, MacLennan described an increasingly widespread phishing technique in which attackers trick users into granting access to their accounts via API permission requests.
“I think there's some underlying principles that exist with every attack that uses the email channel that the bad guys utilize,” MacLennan said. “And that's to say that they're very much rooted in principles of deception, including legitimacy. And this particular attack does a lot to establish legitimacy in the email content that an individual would be receiving as a target.”
MacLennan explained that attackers are launching form-based attacks through popular services such as Google Drive.
“So what we saw recently is a little different variation of that insofar as form-based attacks where the bad guys weren't hosting those forms to dupe you and me into giving up our credentials on their own infrastructure,” he explained. “They started using infrastructures of legitimate vendors. So, for example, where we saw it happen disproportionately was in Microsoft and Google products because those products have the ability to publish a form, right? If you were collaborating, for example, in and around Google Drive, there's a bunch of sharing options where you can host forms and collect information....And so the form was being hosted on what to you and I would look like a legitimate Google domain because, in that respect, it kind of is. But the form still did what the bad guy was trying to do, which is trick you and me into giving up our credentials.”
He added that these attacks can be more difficult to identify than traditional phishing attacks that use malicious websites.
“So usually to the naked eye, you or I might spot a domain and say, you know what? I don't really trust that domain – if we bothered to look,” MacLennan said. “What was nasty about these attacks is when we checked for the domain that we were navigating to – in other words, where was that form being hosted – we'd see a variant of Google or Microsoft, in which case we'd feel at ease.”
MacLennan concluded that organizations need to implement a layered strategy of defense in order to defend against these attacks.
“There's no silver bullet,” he said. “There's a lot of things that companies should do together. An example would be user awareness training, right? I mean, our employees are one of our best lines of defense. So, we got to treat them to be a little bit skeptical. We have to treat them to slow down a little bit and really understand, you know, why and how this access is being requested if it's coming out of the blue from somebody they've never interacted with before or for some reason they're not previously aware of, right? That just a little dose of skepticism and pausing a second or two to look at this request with a critical eye, sometimes that's all the difference in the world, right? So our own people are a critical component of this.”
New-school security awareness training can teach your employees to be careful when they receive requests for permissions.
The CyberWire has the story.