Consent Phishing: Cyber Criminals Want More Than Your Password

Reliance on cloud services has increased in conjunction with the recent shift to remote work, education, and healthcare. Cloud computing allows data to be stored and accessed via the Internet rather than on a local computer. Use of cloud collaboration apps such as Zoom, Webex, and Microsoft Teams, has grown dramatically.  As a result., application-based attacks are becoming more prevalent as society pivots to these virtual tools. Capabilities inherent in applications are being used to gain unauthorized access to people’s data.   

This societal shift to a greater online presence has compelled hackers to leverage application-based attacks to obtain access to valuable data stored in the cloud. Apps are being built to integrate account and organizational data from cloud platforms to enhance the online experience. The vast amount of information stored in the cloud is a lucrative target for cyber criminals. Consent phishing is an emerging tactic meant to trick people into granting a malicious app access to sensitive data stored in the cloud.

A recent Microsoft Security Blog outlined the basic steps of an attack, demonstrating the evolving and sophisticated methods cyber criminals are using in their quests to steal your valuable data. The steps include:

1. Attackers register an app with an OAuth 2.0 provider, such as Azure Active Directory. OAuth is an open standard protocol for authorization that delegates authentication to the service that hosts the account, thus allowing websites or applications access to their information without providing passwords. For example, when you use your Facebook or Google account to login in to another application.
2. The app is configured to appear trustworthy. For instance, the name of a similar product may be used.
3. A link is provided via a phishing email or by compromising a valid website.
4. When the link is clicked, an authentic consent prompt appears and requests permission to access data.
5. If “Accept” is clicked, the malicious app is granted permission to access your data.
6. The app gets an authorization code that it redeems for an access token and possibly a refresh token.
7. The access token is used to make API (Application Programming Interface) calls on behalf of the targeted individual. An API  allows interaction between two applications.
8. If the call from the API is accepted, the attacker gains access to sensitive data, which may include mail, files, contacts, and other resources.

Security Best Practices to Avoid Consent Phishing

• Understand the data and permissions requested by an application.
• Check for poor spelling and grammar in emails and on application consent screens.
• Make sure you recognize app names and website addresses before clicking “Consent” on applications.
• Carefully check app names, website addresses, and email addresses. Be aware that they are sometimes slightly modified to look legitimate. Typosquatting takes advantage of common misspellings, slightly modified email and website addresses, or application names to re-direct people to malicious websites.
• Hover over a link to determine if it’s legitimate.
• Always open a browser and hand type the website address before clicking on the link in the email.
• Only obtain and download apps from official app stores.
• As always, approach all email with heightened attentiveness and focused attention.
• Carefully check the “From” email address and domain. If you have the slightest doubt, do not click on any links or attachments and delete the email immediately.
• If you receive a suspicious email:
  • Do not click any link or attachment. Delete the email immediately.
  • Do not unsubscribe from the list. Delete it immediately. Very often attempting to unsubscribe also executes malicious activities.