Consent Phishing: Cyber Criminals Want More Than Your Password

Reliance on cloud services has increased in conjunction with the recent shift to remote work, education, and healthcare. Cloud computing allows data to be stored and accessed via the Internet rather than on a local computer. Use of cloud collaboration apps such as Zoom, Webex, and Microsoft Teams has grown dramatically. As a result, application-based attacks are becoming more prevalent as society pivots to these virtual tools. Capabilities inherent in applications are being used to gain unauthorized access to people’s data.

This societal shift to a greater online presence has compelled hackers to leverage application-based attacks to obtain access to valuable data stored in the cloud. Apps are being built to integrate account and organizational data from cloud platforms to enhance the online experience. The vast amount of information stored in the cloud is a lucrative target for cyber criminals. Consent phishing is an emerging tactic meant to trick people into granting a malicious app access to sensitive data stored in the cloud.

A recent Microsoft Security Blog outlined the basic steps of an attack, demonstrating the evolving and sophisticated methods cyber criminals are using in their quests to steal your valuable data. The steps include:

  1. Attackers register an app with an OAuth 2.0 provider, such as Azure Active Directory. OAuth is an open standard protocol for authorization that delegates authentication to the service that hosts the account, allowing websites or applications to access a user’s information without being given the user’s password. An everyday example is using your Facebook or Google account to log in to another application.
  2. The app is configured to appear trustworthy. For instance, the name of a similar product may be used.
  3. A link is provided via a phishing email or by compromising a valid website.
  4. When the link is clicked, an authentic consent prompt appears and requests permission to access data.
  5. If “Accept” is clicked, the malicious app is granted permission to access your data.
  6. The app gets an authorization code that it redeems for an access token and possibly a refresh token.
  7. The access token is used to make API (Application Programming Interface) calls on behalf of the targeted individual. An API allows interaction between two applications.
  8. If the API call is accepted, the attacker gains access to sensitive data, which may include mail, files, contacts, and other resources.
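To make steps 4 to 6 concrete from the reviewer’s side, here is an added example (not from the Microsoft blog or this newsletter) that parses the authorization request behind a consent prompt and flags the permissions that matter most. The parameter names and scope names are the standard OAuth 2.0 and Microsoft Graph ones; the client ID, redirect host and sample URL are constructed placeholders.

```python
"""Inspect an OAuth 2.0 authorization (consent) URL and flag risky requests.

Parameter names (client_id, scope, redirect_uri, response_type) are standard
OAuth 2.0; the sample URL and client_id below are constructed placeholders.
"""
from urllib.parse import urlparse, parse_qs

# Scopes a reviewer should look at twice: broad data access or long-lived
# access. offline_access is what yields the refresh token in step 6.
RISKY_SCOPES = {
    "offline_access": "refresh token: access persists after the session ends",
    "Mail.Read": "read all mailbox content",
    "Mail.ReadWrite": "read and modify mailbox content",
    "Files.ReadWrite.All": "read and modify all files the user can reach",
    "Contacts.Read": "read contacts",
    "Directory.Read.All": "read the whole directory",
}

def inspect_consent_url(url: str) -> dict:
    """Return what the consent prompt would grant and why it is risky."""
    query = parse_qs(urlparse(url).query)
    # Scopes may be fully qualified (https://graph.microsoft.com/Mail.Read);
    # keep only the permission name so both forms are recognised.
    scopes = [s.rsplit("/", 1)[-1] for s in query.get("scope", [""])[0].split()]
    redirect = query.get("redirect_uri", [""])[0]
    findings = [f"{s}: {RISKY_SCOPES[s]}" for s in scopes if s in RISKY_SCOPES]
    if redirect and urlparse(redirect).scheme != "https":
        findings.append(f"redirect_uri is not https: {redirect}")
    return {
        "client_id": query.get("client_id", [""])[0],
        "redirect_host": urlparse(redirect).hostname or "",
        "scopes": scopes,
        "findings": findings,
        "risky": bool(findings),
    }

# Constructed sample in the shape of an Azure AD v2.0 authorize request.
SAMPLE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
    "&scope=openid%20offline_access%20Mail.Read%20Files.ReadWrite.All"
)

if __name__ == "__main__":
    for finding in inspect_consent_url(SAMPLE_URL)["findings"]:
        print("flag:", finding)
```

Pointing this at the URL behind a consent prompt answers the question in the best-practice list below: what data and permissions is this app actually asking for?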

Security Best Practices to Avoid Consent Phishing

  • Understand the data and permissions requested by an application.
  • Check for poor spelling and grammar in emails and on application consent screens.
  • Make sure you recognize app names and website addresses before clicking “Consent” on applications.
  • Carefully check app names, website addresses, and email addresses. Be aware that they are sometimes slightly modified to look legitimate. Typosquatting takes advantage of common misspellings, slightly modified email and website addresses, or application names to re-direct people to malicious websites.
  • Hover over a link to determine if it’s legitimate.
  • Always open a browser and hand type the website address before clicking on the link in the email.
  • Only obtain and download apps from official app stores.
  • As always, approach all email with heightened attentiveness and focused attention.
  • Carefully check the “From” email address and domain. If you have the slightest doubt, do not click on any links or attachments and delete the email immediately.
  • If you receive a suspicious email:
    • Do not click any link or attachment. Delete the email immediately.
    • Do not unsubscribe from the list. Delete it immediately. Very often, attempting to unsubscribe also triggers malicious activity.

Emerging Cyber Threats: Phishing, Mobile Banking & Multi-Factor Authentication

As the saying goes, “the only constant is change.” Cyber criminals are constantly adapting and changing tactics to take advantage of current events and find vulnerabilities in our systems. Here are some developments we are watching closely:

Phishing Schemes:

Termination Phishing Emails: A recent FBI (Federal Bureau of Investigation) Private Industry Notification warned that cyber criminals were taking advantage of the COVID-19 pandemic to target teleworking employees through fake termination phishing emails and VTC (Video Tele-Conference) meeting invites. The bad actors are using spoofed or typosquatted email domains to impersonate Human Resources or management. The emails lure victims to click on malicious links for additional information or online conferences about termination or severance packages.

Voting Campaigns to Spread Malware: Cybercriminals are also leveraging current emotionally-charged social issues to entice you to click on links you might not otherwise look at. A recent article reported that an email phishing campaign requesting people vote anonymously about current race-related matters was spreading information-stealing malware. In general, you should be wary of any surveys you receive.

Security Best Practices to Avoid Threats

  • Approach all email with heightened attentiveness and focused attention.
  • Double-check all emails received.
  • Be aware that sometimes email addresses are slightly modified to look legitimate. This is called typosquatting and takes advantage of common misspellings or slightly modified email and website addresses to re-direct people to malicious websites.
  • Carefully check the “From” email address and domain. If you have the slightest doubt, do not click on any links or attachments and delete the email immediately.
  • If you receive a suspicious email:
    • Do not click on any link or attachment. Delete the email immediately.
    • Do not unsubscribe from the list. Very often, attempting to unsubscribe also triggers malicious activity. Delete it immediately.
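The typosquatting advice above (and the same point in the consent-phishing list earlier) can be turned into a check that a mail gateway rule or a script over exported headers would run: compare the sender’s domain against the domains you trust, after folding the substitutions the text describes. This is an added example, not from the newsletter or the FBI notices; the trusted domains, the confusable-character list and the sample addresses are constructed.

```python
"""Flag sender domains that look like, but are not, a trusted domain.

Trusted domains, the confusable list and the sample addresses are constructed
for this example; tune them to your own organisation before use.
"""
import unicodedata

TRUSTED_DOMAINS = {"example.com", "example-bank.com"}

# Character substitutions commonly seen in lookalike domains (constructed list).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(domain: str) -> str:
    """Fold case, strip accents (IDN lookalikes) and map common confusables."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    for bad, good in CONFUSABLES.items():
        folded = folded.replace(bad, good)  # approximate, for comparison only
    return folded

def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a From address."""
    domain = address.rsplit("@", 1)[-1].strip(">").lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        # Exact match after folding, or within two edits (typo / transposition)
        if norm == trusted or edit_distance(norm, trusted) <= 2:
            return "lookalike"
        # Trusted name reused as a subdomain of some other registered domain
        if norm.startswith(trusted.split(".")[0] + "."):
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    for sample in ("hr@exarnple.com", "payroll@examp1e.com", "bob@gmail.com"):
        print(sample, "->", classify_sender(sample))
```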

Mobile Banking Cyber Threats

A recent FBI Public Service Announcement warns of mobile banking cyber attacks. According to the advisory, there has been a 50% increase in mobile banking use since the beginning of 2020 due in part to increased time spent at home. Additionally, they report U.S. technology providers estimate more than 75% of Americans used some form of mobile banking in 2019. The FBI issued the following tips:

  • Obtain apps from official app stores or directly from bank websites.
  • Enable MFA (Multi-Factor Authentication) and use the strongest option possible such as biometrics, hardware tokens, or authentication apps.
  • Because layering is a stronger security option, use multiple types of authentication when possible.
  • Monitor where your PII (Personally Identifiable Information) is stored and only share what is absolutely necessary with financial institutions.
  • Do not click links in emails or text messages. Ensure messages come from the financial institution by double-checking email details.
  • Do not provide MFA codes to anyone over the phone or via text. Financial institutions will NEVER ask for these codes over the phone. Beware of a scam currently going around in which the fraudster pretends to be from the financial institution and requests this information.

If a banking app appears suspicious, contact the bank via the customer service number posted on their website. The bank may ask for a banking PIN but will never ask for username and password over the phone.

Turn on MFA (Multi-Factor Authentication)

A recent Krebs on Security Blog warned that not turning on MFA makes accounts vulnerable to exploitation by cyber criminals. Increasingly, bad actors are enabling MFA options and attaching them to devices they control, making it much more difficult to regain access when an account is hacked. This risk increases for people who habitually reuse or recycle passwords on multiple accounts. The post also cautions that many online sites and services are completely automated and difficult to reach for help when account takeovers occur. This is especially challenging if attackers modify and/or remove the original email address associated with the account. Any MFA option is better than relying on a password alone, but it is best to use the strongest option available such as biometrics, hardware tokens, or authentication apps. For a list of MFA options offered by popular websites, visit twofactorauth.org.

Autonomous Vehicles: Why Drive When the Vehicle Drives You

The idea of being effortlessly chauffeured by self-driving cars or autonomous vehicles (AV) has been a dream of futurists for several decades. They envision a time where businesses and consumers will use the technology to transport goods and people alike.

We’re pleased to share our latest whitepaper titled “Autonomous Vehicles: Why Drive When the Vehicle Drives You,” authored by OneBeacon’s Tushar Nandwana. In this whitepaper, he provides an overview of the history of Autonomous Vehicle development, the pros and cons of the technology, as well as considerations for the future of the market.

More whitepapers can be found at onebeacontech.com/whitepapers.

COVID-19: Unprecedented Surge of Cyber Threats

As the world acclimates to our “new normal,” cyber criminals persist in exploiting COVID-19. The sudden growth in remote work, virtual education and healthcare, along with the surge in online shopping and society’s hunger for pandemic-related information, have created a lucrative environment. It is important to be on guard, with increased vigilance around your personal and professional cyber defense.

What we’re seeing:

  • A significant number of coronavirus-based domain names have been registered, and many will be used to steal information or spread malware.
  • Cyber security research firm Sophos Labs reported over 42,000 websites with domain names containing “COVID” or “corona” had been newly-registered.
  • In addition, at the end of March researchers at Barracuda Networks had seen a 667% increase in pandemic-related phishing attacks.

The tactics used by cyber criminals will evolve to take advantage of emerging developments including contact tracing, which is expected to ramp up. Be cautious of any notifications regarding interactions with someone who has tested positive or shown symptoms. Furthermore, be suspicious of COVID-19 testing requirements purportedly from the government or a healthcare organization. Scammers often convey a false sense of urgency to scare people into providing health insurance, personal and/or financial information.

Security Best Practices to Avoid Threats

  • Approach all email with heightened attentiveness and focused attention.
  • Beware that sometimes email addresses are slightly modified to look legitimate. Carefully check the “From” email address and domain. If you have the slightest doubt, do not click on any links or attachments and delete the email immediately.
  • Be aware that typosquatters take advantage of common misspellings or slightly modify website addresses to re-direct people to malicious websites:
    • Do not click on any links.
    • Check the website spelling.
    • Hover over a link to determine if it’s legitimate.
    • Open a browser and type the website address.
    • Only load apps from the Google Play Store and Apple App Store.

COVID-19: Cyber Attacks Increasing

In uncertain or chaotic times, the last thing many of us think about is cyber security. Cyber criminals will take advantage of such distraction and create new ways of targeting the public. That is the case currently, where several types of new attacks have been discovered that leverage the public’s concern generated by COVID-19. So as you are surfing the web for information or trying to adjust to a remote work situation, please be sure to practice extra cyber security vigilance.

Here are some best practices you can follow to avoid COVID-19 cyber scams and attacks:

Malicious Phishing Emails:
Approach all email with heightened attentiveness and focused attention.

  • Double check all emails received that:
    • Contain a subject line mentioning the pandemic or related terms such as COVID-19 or Coronavirus, any health organization, or advertisements for masks, hand sanitizers, or any products that are in short supply
    • Are from an authoritative figure or health organization
  • If you work from home, look carefully at all emails that come from outside your organization.
  • If you are suspicious, do not click any link or attachment and delete the email immediately.

Infected Infographics, Maps, and Tracking Apps:
Infographics and maps promising to give you more information about the pandemic are multiplying on the Internet. Malicious tracking apps are locking devices and demanding a ransom fee.

  • Do not download COVID-19 infographics or maps from unofficial sites. Clicking on a link may install malware on your computer.
  • Go directly to official websites like the CDC or WHO for current information pertaining to COVID-19.
  • Do not click on a link directly, instead: STOP and check the website spelling. Open a browser and hand type the website address.
  • Never enter data that a website should not be requesting – for example, a public website like the CDC will not request login credentials.
  • Only load apps from the official stores for Android (Google Play Store) and iOS (Apple App Store).