Advice From George W. Bush: New Phishing Campaigns Utilize Malware-less Payload
"Our enemies are innovative and resourceful, and so are we. They never stop thinking about new ways to harm our country and our people, and neither do we." – US President George W. Bush
While George W. Bush was talking about the terrorist organization Al Qaeda, this statement proves equally true in the cat-and-mouse game played between security researchers and malware authors. Two newly documented phishing attacks demonstrate the creativity and ingenuity of malware authors in developing new attacks that bypass traditional phishing security controls. It is no longer enough to simply ingest a security feed of known phishing sites and block those destinations with DNS or content filtering solutions. It often takes out-of-the-box thinking and top-level security research to anticipate new attack vectors and stay one step ahead of attackers.
Attackers have turned their focus to using legitimate cloud services in order to perpetrate their phishing campaigns. A new phishing campaign uses the e-signing service Docusign in order to steal sensitive information from unsuspecting users. The attack is simple, straightforward, and designed to bypass traditional phishing controls. An attacker sends out e-mails claiming to be from a bank or lender looking to lend money to a business at a competitive rate. If the business accepts the unsolicited loan offer, the user is instructed to click on a legitimate Docusign link, which takes them to a form asking for sensitive information including company name, annual revenues, outstanding loan information, and bank account numbers. The Docusign form also instructs users to attach several months' worth of banking statements, a reasonable request if this were a legitimate loan offer. Once the user fills out the legitimate Docusign form and attaches the requested bank statements, the attackers have all they need to drain the accounts.
Since Docusign is a legitimate cloud application that assists organizations with providing legally binding signatures electronically, it is almost always allowed through content filtering and firewall solutions. Since users receive a legitimate Docusign e-mail and there is no malicious payload, traditional phishing detections will likely not catch this type of attack. Traditional Data Loss Prevention (DLP) controls combined with SSL Inspection may catch the exfiltration of bank statements if they have been properly tagged and classified, or if a cloud-based DLP solution is configured to look for specific patterns and phrases found in financial statements. However, a DLP solution with SSL Inspection and Exact Data Match (EDM) would be required to prevent the exfiltration of the sensitive data entered into the Docusign form. Exact Data Match allows detection of the exfiltration of even a single record containing sensitive information. For example, if the company name, identification number, and bank account number appear in the same transaction, it can be blocked through the use of EDM.
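The EDM detection described above, as an added example that is not part of the original post and not any vendor's implementation. It assumes a DLP engine seeded with a fingerprint index built from the organisation's own register (company name, tax identifier, bank account), where each fingerprint is a keyed hash of a normalised cell so the engine never holds the plaintext, and it flags an outbound form body when at least two cells of the same record appear together. The register, key and form bodies are all constructed sample data.

```python
"""Exact Data Match (EDM) style detector for outbound form submissions.

Added example. Assumptions (not from the original post): the sensitive
register, the index key and the sample request bodies are all constructed.
"""
from collections import defaultdict
import hashlib
import hmac
import re
from urllib.parse import unquote_plus

COLUMNS = ("company", "tax_id", "account")
# Constructed sample register: not real companies, identifiers or accounts.
RECORDS = [
    ("Acme Widgets Ltd", "GB123456789", "GB29NWBK60161331926819"),
    ("Example Pharma AG", "DE987654321", "DE89370400440532013000"),
]
# Constructed key; a real EDM index uses a managed secret so the fingerprint
# table cannot be reversed offline into the register it was built from.
INDEX_KEY = b"constructed-edm-key"
MAX_NGRAM = 8  # longest multi-token value expected (an IBAN written with spaces)


def normalise(value):
    """Case-fold and strip spacing/punctuation so 'GB29 NWBK ...' matches the stored form."""
    return re.sub(r"[^a-z0-9]", "", value.casefold())


def fingerprint(value):
    """Keyed hash of one normalised cell value."""
    return hmac.new(INDEX_KEY, normalise(value).encode(), hashlib.sha256).hexdigest()


def build_index(records=RECORDS):
    """Map fingerprint -> {(record_id, column)} for every cell of the register."""
    index = defaultdict(set)
    for rid, row in enumerate(records):
        for col, cell in zip(COLUMNS, row):
            index[fingerprint(cell)].add((rid, col))
    return dict(index)


def candidates(text):
    """Yield every run of 1..MAX_NGRAM consecutive tokens in the decoded body."""
    words = re.findall(r"[A-Za-z0-9]+", text)
    for n in range(1, MAX_NGRAM + 1):
        for i in range(len(words) - n + 1):
            yield " ".join(words[i:i + n])


def scan(body, index):
    """Return {record_id: set(columns seen)} for a URL-encoded form body."""
    text = unquote_plus(body)
    hits = defaultdict(set)
    for cand in candidates(text):
        for rid, col in index.get(fingerprint(cand), ()):
            hits[rid].add(col)
    return dict(hits)


def should_block(body, index, min_columns=2):
    """Record ids whose cells co-occur in the body at least min_columns times."""
    return sorted(rid for rid, cols in scan(body, index).items() if len(cols) >= min_columns)


if __name__ == "__main__":
    # Constructed body resembling the loan form submission described in the post.
    LOAN_FORM = ("company_name=Acme+Widgets+Ltd&annual_revenue=4.2M"
                 "&tax_id=gb123456789&bank_account=GB29+NWBK+6016+1331+9268+19")
    idx = build_index()
    print(scan(LOAN_FORM, idx))          # {0: {'company', 'tax_id', 'account'}}
    print(should_block(LOAN_FORM, idx))  # [0]
```

The co-occurrence threshold is what makes this EDM rather than plain keyword matching: a company name alone in an invoice passes, and a name from one record next to an account number from a different record also passes, because only cells of the same record count toward the block decision.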
Another phishing attack vector leverages the increasing popularity of using third-party services such as Facebook to log into websites, commonly known as Open Authentication (OAuth). OAuth allows websites to require users to log in without shouldering the burden of account creation or password storage. Website owners must balance the security benefit of requiring users to log in, which helps prevent the proliferation of spam comments, against the friction users encounter in creating yet another account and remembering yet another password.
Security researchers recently uncovered a clever attack using HTML blocks to mimic an OAuth window. The fake window looks very convincing: it displays the URL of the website the user is expecting, such as facebook.com, a green padlock or address bar indicating the site employs HTTPS, and even a menu bar, so that it appears to be a pop-up window rather than an HTML block. Unsuspecting users who enter their credentials into the fake pop-up, believing they are logging into the website, will actually have them stolen and sent to the attacker. This is another phishing attack that does not use a malicious payload, so it would not be caught by traditional phishing controls. Simple DNS-based filtering solutions will allow access to these websites and allow users to enter their credentials into the fake pop-up and be phished. A full inline security proxy with SSL Inspection would be able to inspect every element on a webpage and detect phishing attacks based on heuristics rather than signature matching. If a website contains the words “Facebook”, “Login”, and “Password” but is not linked to facebook.com, that is an indication the user is on a suspected phishing site, and access can be blocked to protect the user.
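The proxy heuristic in the last sentence, worked through as an added example that is not from the original post or any product. It assumes the proxy has the decrypted page HTML and the URL it was served from, parses out visible text, password fields and form destinations, and flags a page that names a brand and asks for a login while neither the page nor the form's action belongs to that brand's domain. The brand table and both HTML pages are constructed; the fake pop-up markup is a minimal stand-in for the kind of block the researchers described.

```python
"""Heuristic detection of a brand-impersonating login block inside a page.

Added example. Assumptions (not from the original post): BRANDS, the page
URLs and both HTML samples are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed brand table: visible keyword -> domain that may legitimately ask for
# that brand's credentials (subdomains count as the same site).
BRANDS = {"facebook": "facebook.com", "google": "google.com"}


class PageFeatures(HTMLParser):
    """Collect visible text, password inputs and form actions from the HTML."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.has_password_field = False
        self.form_actions = []
        self._in_raw = False  # inside <script>/<style>: not user-visible

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._in_raw = True
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input":
            if (a.get("type") or "").lower() == "password":
                self.has_password_field = True
            if a.get("placeholder"):  # placeholders are visible to the user
                self.text.append(a["placeholder"])

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._in_raw = False

    def handle_data(self, data):
        if not self._in_raw:
            self.text.append(data)


def same_site(host, domain):
    return host == domain or host.endswith("." + domain)


def assess(page_url, html):
    """Return a list of findings; empty means the page passed the heuristic."""
    f = PageFeatures()
    f.feed(html)
    text = " ".join(f.text).casefold()
    compact = text.replace(" ", "")  # so 'log in' and 'login' both match
    page_host = urlparse(page_url).hostname or ""
    action_hosts = [urlparse(urljoin(page_url, a)).hostname or "" for a in f.form_actions]
    findings = []
    for brand, domain in BRANDS.items():
        asks_for_login = "login" in compact and (f.has_password_field or "password" in text)
        if brand not in text or not asks_for_login:
            continue
        if same_site(page_host, domain) and all(same_site(h, domain) for h in action_hosts):
            continue  # the brand's own site asking for its own credentials
        findings.append({"brand": brand, "page_host": page_host,
                         "credential_destinations": action_hosts})
    return findings


# Constructed sample: a blog comment page carrying a fake "Facebook" pop-up.
FAKE_POPUP_HTML = """<html><head><title>Comment to enter the draw</title></head><body>
<div class="fake-popup">
  <div class="fake-chrome">&#128274; https://www.facebook.com/login.php</div>
  <h2>Log in to Facebook</h2>
  <form action="/collect.php" method="post">
    <input type="text" name="email" placeholder="Email or phone">
    <input type="password" name="pass" placeholder="Password">
    <button type="submit">Log In</button>
  </form>
</div></body></html>"""

# Constructed sample: a genuine-looking login page served from the brand's own domain.
LEGIT_HTML = """<html><body><h2>Log in to Facebook</h2>
<form action="/login/submit" method="post">
<input type="text" name="email" placeholder="Email or phone">
<input type="password" name="pass" placeholder="Password">
<button type="submit">Log In</button></form></body></html>"""

if __name__ == "__main__":
    print(assess("https://blog-comments.example/post/42", FAKE_POPUP_HTML))
    print(assess("https://www.facebook.com/login.php", LEGIT_HTML))  # []
```

Resolving the form action against the page URL matters: a block that draws the right address bar as text still has to send the typed password somewhere, and that destination host is what the heuristic compares against the brand's domain.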
The use of two-factor authentication significantly reduces, but does not eliminate, the risk of account compromise due to phishing. SMS-based two-factor authentication is still useful, but is subject to trivial attack methods. Time-based One-Time Password (TOTP) schemes such as Google Authenticator or RSA SecurID are more secure, but are still subject to man-in-the-browser attacks. A physical token such as a YubiKey that requires proof of physical presence (touching the token while it’s inserted) would be the most secure.
Security researchers can never take a break from thinking of new and clever attack methods. In the same way, organizations cannot simply rely on traditional on-premises security controls or DNS-based solutions to protect users once they leave the office. It takes a true cloud-based security architecture with SSL Inspection and DLP capabilities to stop the next generation of attacks.