Despite Google’s quick response, early May’s massive, high-profile OAuth phishing attack impacted about 0.1% of Gmail users, which is over a million people. This “phish of a different color” exploited OAuth (Open Authorization), a widely adopted open protocol that lets a user grant third-party services access to their account in web, desktop, mobile and browser-based apps without handing over their password. Cloud-based platforms from Salesforce to Office 365 to LinkedIn to Twitter rely on OAuth.
What made this OAuth phishing exploit so potent is that it didn’t try to steal login credentials via a fake website like a typical phishing scheme. Instead, it presented a “real” app that happened to be a fake-but-convincing version of Google Docs, which requested permission via OAuth to read, write and access the recipient’s emails. If permission was granted (by simply clicking a button), the attack spread via the compromised address book, sending credible invitations to people known to the victim. Fortunately, no data was exposed in the attack beyond contact information.
Changing authentication credentials won’t stop this kind of exploit. Once OAuth permission has been granted to a bogus app, the victim needs to revoke it. In this case, Google took care of that step when it shut down the app. But in future instances users may need to do that on their own, using whatever web page manages OAuth permissions for the compromised service.
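The revocation step above is easy to miss at scale, because the user (or the admin) first has to find the bad grant among every app that has ever been authorized. The following is an added example, not code from the original post or from Pivot Point Security: it audits a list of OAuth grant records and flags the ones worth revoking, namely grants to apps that are not on an approved list and that hold mail or address-book scopes, or whose display name mimics a first-party product (as the fake “Google Docs” app did). The record format, the approved client IDs, the impersonated-name list and the sample grants are all constructed assumptions; the scope strings are the real Google API scope URIs, but the risk labels attached to them are this example’s own.

```python
"""Audit recorded OAuth grants and list the ones a defender should revoke.

Added example (not the post's own code). Grant records are assumed to be
exported from whatever console manages third-party app access; the field
names below are constructed, not any vendor's real schema.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Real Google API scope URIs that give an app read/write access to mail or
# to the address book. The risk labels are this example's own wording.
HIGH_RISK_SCOPES: Dict[str, str] = {
    "https://mail.google.com/": "full mailbox read/write/delete",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify mail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the user",
    "https://www.googleapis.com/auth/contacts.readonly": "read address book",
    "https://www.googleapis.com/auth/contacts": "read/write address book",
}

# Client IDs the organisation has reviewed and approved (constructed values).
APPROVED_CLIENT_IDS = {"approved-crm-connector.example"}

# Display names a third-party app has no business using (constructed list).
IMPERSONATED_NAMES = {"google docs", "google drive", "gmail"}


@dataclass
class Grant:
    """One OAuth authorization as recorded by the admin console (assumed shape)."""
    user: str
    app_name: str
    client_id: str
    scopes: List[str]


@dataclass
class Finding:
    """A grant that should be revoked, with the reasons why."""
    user: str
    app_name: str
    client_id: str
    risky_scopes: List[str]
    reasons: List[str]


def assess_grant(grant: Grant, approved=APPROVED_CLIENT_IDS) -> Optional[Finding]:
    """Return a Finding if the grant should be revoked, otherwise None."""
    if grant.client_id in approved:
        return None  # reviewed app: its scopes were accepted deliberately
    risky = sorted(s for s in grant.scopes if s in HIGH_RISK_SCOPES)
    reasons = []
    if risky:
        labels = "; ".join(HIGH_RISK_SCOPES[s] for s in risky)
        reasons.append(f"unapproved app holds: {labels}")
    if grant.app_name.strip().lower() in IMPERSONATED_NAMES:
        reasons.append(
            f"app name '{grant.app_name}' mimics a first-party product "
            f"but client '{grant.client_id}' is not approved"
        )
    if not reasons:
        return None
    return Finding(grant.user, grant.app_name, grant.client_id, risky, reasons)


def audit(grants: List[Grant]) -> List[Finding]:
    """Run assess_grant over every record and keep only the findings."""
    return [f for f in map(assess_grant, grants) if f is not None]


# Constructed sample export: one lookalike app with mail and contacts access,
# one approved connector, one harmless calendar app.
SAMPLE_GRANTS = [
    Grant("alice@example.com", "Google Docs", "docs-lookalike.example",
          ["https://mail.google.com/",
           "https://www.googleapis.com/auth/contacts.readonly"]),
    Grant("bob@example.com", "CRM Connector", "approved-crm-connector.example",
          ["https://www.googleapis.com/auth/contacts"]),
    Grant("carol@example.com", "Meeting Planner", "planner.example",
          ["https://www.googleapis.com/auth/calendar.readonly"]),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_GRANTS):
        print(f"REVOKE {finding.user}: {finding.app_name} ({finding.client_id})")
        for reason in finding.reasons:
            print(f"  - {reason}")
```

Run against the constructed sample, only Alice’s “Google Docs” grant is reported, for both reasons (mail and contacts scopes from an unapproved client, and a first-party lookalike name). The approved connector is skipped even though it holds a contacts scope, which is the point of keeping an allowlist: the audit is about unreviewed apps, not about mail scopes as such. The actual revocation still has to be done in the provider’s own console or API.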
No doubt more and more hackers will now create OAuth phishing scams, especially since so many online services use OAuth and verifying the legitimacy of all those third-party apps (hundreds of thousands) is next to impossible.
This underscores a basic reality of modern life: “think before you click” is still the best defense your business has. Indeed, the majority of hackers surveyed in the recent “Black Report” thought security awareness education was a highly effective countermeasure against cyber attacks.
Unaware employees are the worst threat your company faces. The best technical controls and the most comprehensive information security policies on the planet cannot protect your data if your “human firewall” can be easily breached.
Training is most effective when it is simple, engaging, relevant, and regularly reinforced. Explore our website to try a free demo of Pivot Point Security’s online security awareness education, and download our free infographic on detecting phishing scams.