Impermissible: Be Suspicious of Permission Requests

iStock-155438989Users need to be wary of requests for information or permissions, even if they appear to come from legitimate sources, according to Don MacLennan, Senior Vice President of Engineering and Product at Barracuda Networks. On the CyberWire’s Hacking Humans podcast, MacLennan described an increasingly widespread phishing technique in which attackers trick users into granting access to their accounts via API permission requests.

“I think there's some underlying principles that exist with every attack that uses the email channel that the bad guys utilize,” MacLennan said. “And that's to say that they're very much rooted in principles of deception, including legitimacy. And this particular attack does a lot to establish legitimacy in the email content that an individual would be receiving as a target.”

MacLennan explained that attackers are launching form-based attacks through popular services such as Google Drive.

“So what we saw recently is a little different variation of that insofar as form-based attacks where the bad guys weren't hosting those forms to dupe you and me into giving up our credentials on their own infrastructure,” he explained. “They started using infrastructures of legitimate vendors. So, for example, where we saw it happen disproportionately was in Microsoft and Google products because those products have the ability to publish a form, right? If you were collaborating, for example, in and around Google Drive, there's a bunch of sharing options where you can host forms and collect information....And so the form was being hosted on what to you and I would look like a legitimate Google domain because, in that respect, it kind of is. But the form still did what the bad guy was trying to do, which is trick you and me into giving up our credentials.”

He added that these attacks can be more difficult to identify than traditional phishing attacks that use malicious websites.

“So usually to the naked eye, you or I might spot a domain and say, you know what? I don't really trust that domain – if we bothered to look,” MacLennan said. “What was nasty about these attacks is when we checked for the domain that we were navigating to – in other words, where was that form being hosted – we'd see a variant of Google or Microsoft, in which case we'd feel at ease.”

MacLennan concluded that organizations need to implement a layered strategy of defense in order to defend against these attacks.

“There's no silver bullet,” he said. “There's a lot of things that companies should do together. An example would be user awareness training, right? I mean, our employees are one of our best lines of defense. So, we got to treat them to be a little bit skeptical. We have to treat them to slow down a little bit and really understand, you know, why and how this access is being requested if it's coming out of the blue from somebody they've never interacted with before or for some reason they're not previously aware of, right? That just a little dose of skepticism and pausing a second or two to look at this request with a critical eye, sometimes that's all the difference in the world, right? So our own people are a critical component of this.”

New-school security awareness training can teach your employees to be careful when they receive requests for permissions.

The CyberWire has the story.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

PST ResultsHere's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

Subscribe To Our Blog

Anti-Phishing Guide ebook

Get the latest about social engineering

Subscribe to CyberheistNews