未加星标

Innovative Phishing Tactic Makes Inroads Using Azure Blob

字体大小 | |
[系统(windows) 所属分类 系统(windows) | 发布者 店小二04 | 时间 2018 | 作者 红领巾 ] 0人收藏点击收藏

A brand-new approach to harvesting credentials hinges on users’ lack of cloud savvy.

A fresh tactic for phishing Office 365 users employs credential-harvesting forms hosted on Azure Blob storage signed with legitimate Microsoft SSL certificates to lend an air of legitimacy.

Azure Blob Storage is a cloud storage solution for hosting unstructured data such as images, video or text. The storage can be accessed using both HTTP and HTTPS connections, and when using HTTPS, a signed SSL certificate from Microsoft will be displayed.

According to Netskope , a recent phishing attack saw attackers sending spam with PDF attachments, which were disguised as documents of a law firm in Denver. The file name displayed “Scan files…, please review,” and the email contained a download button with a link.

When the user clicks on the button, they’re directed to an HTML page that appears to be the Office 365 login form stored in the Microsoft Azure Blob storage solution. There’s very little to tip off the recipient that the link is malicious; the address is a valid Blob address (containing “blob.core.windows.net” in the URK), and it’s marked as a secure site thanks to the SSL certificate. Even if the user checks the certificate, he or she will see a signature issued by Microsoft IT TLS CA 5.


Innovative Phishing Tactic Makes Inroads Using Azure Blob

Once the user enters the login information, the information is whisked away to the attacker, while the page will claim to be “preparing the download” of the supposed legal documents. Eventually, it redirects the user to a Microsoft SharePoint product page .

This particular attack instance observed by Netskope was a very targeted attack, but the firm has seen an increase in gambits just like it within the last two months at least 10 campaigns, according to Ashwin Vamshi, security researcher at Netskope.

“We expect such attacks to likely get more sophisticated and grow in popularity among threat actors because the combination of the Microsoft domain, certificate and content make this bait particularly convincing and difficult to recognize as phishing,” he told Threatpost, in an interview.

Propagation could increase as well thanks to what Netskope calls the “cloud-phishing fan-out effect.”

“In simple terms, ‘fan-out effect’ refers to a malicious artefact (file/email) being shared with a group of users via trusted means (an IT-sanctioned application or shared cloud storage folder), thus increasing the attack scope instantly,” said Vamshi. “The results in the occurrence of a secondary propagation vector when a victim inadvertently shares the phishing document (often email attachments that are saved to cloud storage services) with colleagues, whether internal or external, via a cloud service.”

When this sharing occurs, the second recipient is more likely to trust the file as though it was created by the first recipient of the attack attachment. As this propagates to additional users, the number of users potentially affected by the phishing attack can increase exponentially.

“Enterprise security teams have largely turned a blind eye to the cloud being a new threat vector,” Vamshi said. “Cloud services are built for increased collaboration and productivity, and provide capabilities like auto-sync and API-level communication; these capabilities also help attackers quickly propagate an attack within an environment. In addition, users access cloud services from any location and any device, making it difficult to not only determine attacks but also to remediate them.”

Organizations can combat this cloud phishing gambit which Vamshi said represents an innovative new approach on the cybercrime scene by educating users about non-standard web addresses for Azure, Google and Amazon Web Services, so they can recognize these and know they’re not an official Microsoft domain.

“Traditional security awareness trainings have not evolved to address the modern usage of cloud; most end users are savvy enough now to understand that links that include random IP addresses or suspicious sounding domain names should not be clicked on, but they don’t have a similar awareness of risk associated with cloud services,” Vamshi told us. “It is always a best practice to check the domain of the link and compare them with the domains typically used for logging in to sensitive services.”

For instance, in the attack detailed here, users in the know about cloud addresses could recognize that the phishing site (https://onedriveunbound80343[.]blob.core.windows.net/exceltyrantship68694/excel-login-1.html) is hosted in Azure Blob storage, and is therefore not an official Microsoft website.

He added that attacks such as this also highlight the need for other best practices: Enterprises to understand the shared responsibility model and identify security controls they’re responsible for; evaluate gaps in security controls created by adoption of cloud; protect against new evasion techniques leveraged by attackers; and educate security professionals as well as end users on safe usage of cloud.

本文系统(windows)相关术语:三级网络技术 计算机三级网络技术 网络技术基础 计算机网络技术

tags: cloud,users,attack,phishing,Microsoft,storage
分页:12
转载请注明
本文标题:Innovative Phishing Tactic Makes Inroads Using Azure Blob
本站链接:https://www.codesec.net/view/604951.html


1.凡CodeSecTeam转载的文章,均出自其它媒体或其他官网介绍,目的在于传递更多的信息,并不代表本站赞同其观点和其真实性负责;
2.转载的文章仅代表原创作者观点,与本站无关。其原创性以及文中陈述文字和内容未经本站证实,本站对该文以及其中全部或者部分内容、文字的真实性、完整性、及时性,不作出任何保证或承若;
3.如本站转载稿涉及版权等问题,请作者及时联系本站,我们会及时处理。
登录后可拥有收藏文章、关注作者等权限...
技术大类 技术大类 | 系统(windows) | 评论(0) | 阅读(12)