At the heart of every phishing attack is a special type of confidence scheme that we know as "social engineering." Social engineering, despite its technical-sounding name, is simply an attempt by malicious parties to make themselves appear to be other than who they are in order to persuade targeted individuals to take potentially dangerous actions that provide those malicious parties illicit access to computers, networks, accounts, information, or even financial resources that can be exploited for monetary gain.
To accomplish this task, the bad guys need tools. And the best tools are increasingly being provided by legitimate online sites and services that are constantly striving to roll out ever more powerful features for their customers and users.
Online sites and services are attractive targets for use in phishing campaigns because so many of them are known to and trusted by the employees of companies and organizations that are subjected to phishing campaigns on a daily basis. The trust and familiarity invested in these sites and services can be leveraged by malicious parties not only to bypass Exchange filters and endpoint security solutions but to trick employees into giving up the goods, so to speak -- be those goods information, computer systems, or money.
Although the bad guys have sought to leverage the trust placed in popular online sites and services almost since the advent of phishing attacks 10-15 years ago, they have become increasingly sophisticated over the past few years in finding ways to exploit and leverage the features and functionality provided by these sites and services.
In this piece, we review the most common and noteworthy ways in which the bad guys leverage and exploit popular sites and services in phishing campaigns. We also consider the implications for security awareness training, a regimen that more and more companies are starting to incorporate into their security programs as human beings become the weakest link (and the last line of defense) in the security schemes implemented by companies large and small.
Phishing 101: Leveraging the Trust of Others
Although online criminal gangs have enjoyed some noteworthy successes using very clever and sophisticated methods for exploiting legitimate online services, even the lowliest and laziest of would be bad guys can play the game.
One simple way to leverage the trust placed in perhaps the most trusted online service on the internet is to push users to malicious links by redirecting them through Google. Just as Google redirects links to external web sites on its popular search service through google.com for the purposes of analytics, Google also allows non-search originating URLs to be redirected in a similar fashion. The method is simple enough, and the internet is littered with web pages and videos providing instructions for novice bad guys.
The end result, though, is a simple, straightforward way to gain users' trust -- even the trust of users who might have gone through security awareness training and who diligently hover the mouse over links sent them in emails. All the user sees up front is a URL like the following:
Although more savvy users may recognize that the above URL is a redirect to an unknown site, most will not. And Google itself is none too helpful in alerting users to potential dangers:
More ambitious novices can step up their game by utilizing popular file sharing sites like Dropbox, MediaFire, and Google Drive to distribute their illicit payloads, be those web pages performing simple credentials phishes, actual malware files, or even web pages containing still further redirects to other malicious sites. And although most file sharing sites and services have in turn stepped up their own game, incorporating more aggressive security checks and anti-virus file scanning, it is still all too common to see well known file sharing sites being used to distribute malicious content, as in this phish:
Remember, file scanning is only as effective as the file scanners being used. Even though malicious files may live on a popular file sharing site for only a few short hours before being flagged and taken down, that is more than enough time for a mass phishing campaign to generate thousands or even tens of thousands of clicks. A spear phishing campaign may need only one click to be considered successful.
Advanced Phishing: Exploiting Functionality
Bad guys who enjoy success with file sharing sites but who wish to reduce their exposure to simple AV file scanners can graduate to exploiting popular survey and form generation sites like SurveyMonkey, JotForm and Typeform. Such sites are particularly useful for phishing campaigns based on extracting users' account credentials or other sensitive data. Consider the following phishing email...
Again, even users diligent enough to hover the mouse over the link will see only a URL pointing to this landing page on forms.office.com, an otherwise trusted site that users may have encountered in their online dealings with other companies:
Even though the page content (USAA) does not match the page host (Microsoft), this malicious form will still enjoy the trust placed by most users in Microsoft, a company with which users will have interacted for the better part of their adult lives. Still further, these survey and form generation sites are helpful inasmuch as they make it easy for the bad guys to create official-looking, professional documents.
Indeed, the bad guys love turning the job of hosting, publishing, and distributing malicious content over to legitimate sites trusted by users. As a result, they have become very clever at dreaming up new ways to use the functionality of these sites and services to put malicious content in the inboxes of users. One of the more interesting attempts was the use of Paypal's "money request" feature to land a phishing email with a malicious link in users' inboxes right under the noses of email filters and anti-virus programs (as reported by Proofpoint).
In similar fashion we documented a case in which malicious actors set up a fake Wells Fargo account on LinkedIn, only to exploit LinkedIn's InMail feature to send marks credentials phishes that were delivered both within LinkedIn's own site as wells as victim's external email accounts.
It is important to note that these last two phishes -- the LinkedIn and Paypal phishes -- represent an important advance upon the previous malicious attacks we discussed. In all those earlier phishing examples the bad guys were able to leverage the reputations and functionality of legitimate online services only for the payload -- be it a malicious file, a malicious link, or a malicious landing page. The phishing email campaigns that kicked off those attacks were all standard bad guy emails -- crafted by the bad guys themselves and delivered through whatever email solution they had opted for (or hijacked). At worst, they may have spoofed some of the headers. At bottom, though, they were fakes and forgeries.
In the Paypal and LinkedIn cases, however, the emails received by potential marks were in fact delivered by LinkedIn and Paypal. Not surprisingly, these emails sailed right past most Exchange filters as all the header information indicated (correctly) that the emails originated from those two widely used online services. In other words, those services were exploited not just to deliver or host malicious payloads, but to actually deliver the phishing emails luring potential victims to those payloads.
In both of these last two cases it is doubtful whether the bad guys were able to automate the necessary processes to execute a mass phishing campaign through the exploited features of those two online services. Nonetheless, the ability to deliver phishing emails via those services' email features still lends itself to low volume, highly targeted phishing attacks where it is imperative that the initial phishing lure not fall prey to email filters or endpoint protection solutions.
Phishing for Experts: Exploiting Platforms
We might take comfort in the fact that the bad guys were not able to leverage the functionality of those popular online services for anything more than low volume, targeted phishing attacks. Just this past May, however, the bad guys demonstrated that they were indeed capable of exploiting well-known and widely trusted online services to execute phishing campaigns on a mass scale with very dangerous results.
We are, of course, referring to the massive Google Docs phish that inundated inboxes on May 3. Although Google managed to shut down that campaign within an hour, and although that attack was swiftly overshadowed by the WannaCry ransomware outbreak a few weeks later, that May 3rd Google Docs phish was, as numerous observers correctly surmised, a game changer.
The Google Docs phish turned heads in the security industry because the bad guys effectively converted Google into a phishing platform -- if only for an hour. Emails delivered from compromised Gmail accounts pointed users to a file hosted on google.com.
To make matters worse, users trusting enough to click the link were presented with a malicious Gmail app, slyly named "Google Docs," requesting permission to access their Google accounts.
Those who went on to click through that OAuth (Open Authorization) request saw their Google accounts compromised and exploited, in worm-like fashion, to send out still more malicious emails to contacts stored in their address books. In many ways, the Google Docs phish was the infamous "ILoveYou" virus/worm updated for the age of social media and cloud-based services.
No longer were the bad guys simply leveraging the functionality of an online service to publish, host, or redistribute malicious content as well as the malicious email lures delivered to potential marks. Now they were actually exploiting an apps platform to execute malicious code to allow it propagate itself -- all while sailing under the trusted colors of the world's largest online service.
If nothing else, the May 3rd Google Docs phish raises the question of just how many other online platforms or services can be creatively exploited to perform phishing attacks from end-to-end -- from initial email through final payload and on to self-propagation.
We fear this won't be the last such instance, for the common thread in all the attacks we've looked at here is functionality offered by popular sites and services that hand users the ability to upload, publish, or redistribute content, whether that content be a simple link redirected through Google or a malicious app that compromises accounts and delivers its own phishing email lures.
These online platforms and services are becoming more and more feature rich, as the companies behind them race to put ever more powerful functionality in the hands of users. It is well nigh inevitable that the same expanded functionality will be taken in hand by malicious actors and used for their own nefarious ends.
Security awareness training has become critical to protecting the users, assets, and reputations of companies and organizations large and small. But not all security awareness training programs are created equal.
As we've seen above, the bad guys have become quite adept at exploiting the features and functionality of well-known online sites and services in order to leverage the trust invested by your employees in those services for purposes of socially engineering. Thus, simply sitting down your employees in the breakroom with coffee and doughnuts for a death-by-Powerpoint exercise in which the sole useful bit of advice consists of checking links before clicking will not cut it anymore. Not when the bad guys are phishing your users from within the very online sites and services they have learned to trust.
No, your users need a more sophisticated and agile set of analytical tools to recognize when they (and the larger organization) are under attack. That means New-school security awareness training, which teaches users that even trusted sites can be exploited and gives them a wider range of indicators to check when dealing with incoming emails. When your users are your organization's last line of defense, they need to be ready to encounter threats for what they are -- even when they arrive from the most trusted of sources.