Phishing Attacks Sprout from Unexpected Places


By Greg Tavarez

Phishing attacks have traditionally started from emails with links to fake websites that mimic legitimate login pages, such as those of financial institutions, cloud apps and social media sites. They have one purpose: to trick users into giving up their confidential information.

Email remains the primary way to deliver phishing links to fake login pages that capture usernames, passwords and MFA codes. Those emails, however, may not be the greatest risk. According to Netskope’s “Cloud and Threat Report: Phishing,” users actually click on phishing links more frequently on other channels, including personal websites and blogs, social media, and search engine results.

The one that is a bit surprising to see listed is search engines. To turn search engine referrals into phishing traffic, attackers weaponize data voids: they create pages centered around uncommon search terms for which little legitimate content exists, so they readily establish themselves as one of the top results for those terms. Examples include how to use specific features in popular software, quiz answers for online courses and user manuals for various business and personal products.

"Threat actors have adjusted their methods and are luring users into clicking on phishing links in other, less expected places," said Ray Canzanese, threat research director, Netskope. "While we might not be thinking about the possibility of a phishing attack while surfing the internet or favorite search engine, we all must use the same level of vigilance and skepticism as we do with inbound email."

Using the same level of vigilance and skepticism means never entering credentials or sensitive information into any page after clicking a link.

Bad actors are not stopping there. There is also a rise in fake third-party cloud apps designed to trick users into authorizing access to their cloud data and resources. Users are accustomed to granting third parties access to their data, commonly granting permissions to third-party applications to read/write Gmail, Google Sheets, Google Drive or their contacts.

Attackers capitalize on this habit of third-party app authorization by creating fake apps that mimic legitimate apps and request similar permissions. One way attackers weaponize third-party apps is by creating fake OAuth apps, in a type of attack called an illicit consent grant; once a user clicks "Allow," the attacker holds a token that works without the user's password or MFA code. Attackers also compromise apps that provide legitimate functionality, such as the CamScanner application, which provides document scanning but can be used to access sensitive data.

This trend, albeit still young, is worrisome because access to third-party applications creates a large attack surface. On average, end-users in organizations grant more than 440 third-party applications access to their Google data and applications. One organization in Netskope’s report has 12,300 different plugins accessing data – an average of 16 plugins per user.

To add to that, a little less than half of all third-party applications accessing Google Drive have access to sensitive data or to all data on a user's Google Drive, further incentivizing criminals to create fake third-party cloud apps.
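A defender-side audit of the grants described above, as an added example that is not from the article or from Netskope: it walks a constructed list of third-party OAuth grants, flags those holding broad Gmail, Drive or contacts scopes, and computes the grants-per-user and sensitive-Drive-access figures the report cites. The grant list and app names are made up; the scope strings are Google's real OAuth scope identifiers.

```python
"""Audit third-party OAuth grants for over-broad access (added example, constructed data)."""
from collections import defaultdict

# Scopes covering the data categories the article names (Gmail, Sheets, Drive, contacts).
# These are real Google OAuth scope identifiers; the labels are ours.
SENSITIVE_SCOPES = {
    "https://www.googleapis.com/auth/drive": "all Drive data",
    "https://www.googleapis.com/auth/gmail.modify": "read/write Gmail",
    "https://www.googleapis.com/auth/gmail.readonly": "read Gmail",
    "https://www.googleapis.com/auth/spreadsheets": "read/write Sheets",
    "https://www.googleapis.com/auth/contacts": "read/write contacts",
}

# Constructed sample of (user, app display name, granted scopes); app names are made up.
# "drive.file" is the narrow per-file scope and is deliberately not in the sensitive set.
SAMPLE_GRANTS = [
    ("alice@example.com", "PDF Scanner Pro",
     ["https://www.googleapis.com/auth/drive", "https://www.googleapis.com/auth/gmail.modify"]),
    ("alice@example.com", "Calendar Helper", ["https://www.googleapis.com/auth/calendar.readonly"]),
    ("bob@example.com", "PDF Scanner Pro", ["https://www.googleapis.com/auth/drive"]),
    ("bob@example.com", "Doc Signer", ["https://www.googleapis.com/auth/drive.file"]),
    ("carol@example.com", "Quiz Answers Finder",
     ["https://www.googleapis.com/auth/contacts", "https://www.googleapis.com/auth/gmail.readonly"]),
]


def flag_sensitive(grants):
    """Return {(user, app): [reasons]} for every grant that holds at least one sensitive scope."""
    flagged = {}
    for user, app, scopes in grants:
        reasons = [SENSITIVE_SCOPES[s] for s in scopes if s in SENSITIVE_SCOPES]
        if reasons:
            flagged[(user, app)] = reasons
    return flagged


def grant_stats(grants):
    """Distinct apps, mean grants per user, and share of Drive-accessing apps with full Drive access."""
    per_user = defaultdict(int)
    apps, drive_apps, full_drive_apps = set(), set(), set()
    for user, app, scopes in grants:
        per_user[user] += 1
        apps.add(app)
        if any(s.startswith("https://www.googleapis.com/auth/drive") for s in scopes):
            drive_apps.add(app)
        if "https://www.googleapis.com/auth/drive" in scopes:
            full_drive_apps.add(app)
    return {
        "distinct_apps": len(apps),
        "grants_per_user": sum(per_user.values()) / len(per_user),
        "full_drive_share": len(full_drive_apps) / len(drive_apps) if drive_apps else 0.0,
    }
```

On the sample, the narrow per-file "Doc Signer" grant passes while both "PDF Scanner Pro" grants are flagged for full Drive access, which is the distinction an admin reviewing consent prompts should be looking for.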

"With the prevalence of cloud applications and the changing nature of how they are used, from Chrome extensions or app add-ons, users are being asked to authorize access in what has become an overlooked attack vector," said Canzanese. "Organizations need to ensure that new attack paths such as OAuth authorizations are restricted or locked down."

Netskope and Canzanese provide other steps organizations should take to identify and control access to phishing sites or applications. Organizations need to deploy a security service edge cloud platform with a secure web gateway, enable zero trust principles for least-privilege access to data and continuous monitoring, and use Remote Browser Isolation to reduce browsing risk for newly registered domains.

With phishing attacks evolving and becoming more sophisticated, organizations as well as employees need to be more aware to better protect confidential information.

Edited by Erik Linask