Skip to main content

Microsoft neuters Office 365 account attacks that used clever ruse



Microsoft has neutered a large-scale fraud campaign that used knock-off domains and malicious apps to scam customers in 62 countries around the world.
The software maker and cloud-service provider last week obtained a court order that allowed it to seize six domains, five of which contained the word “office.” The company said attackers used them in a sophisticated campaign designed to trick CEOs and other high-ranking business leaders into wiring large sums of money to attackers rather than trusted parties. An earlier so-called BEC, or business email compromise, that the same group of attackers carried out in December used phishing attacks to obtain unauthorized access. The emails used generic business themes such as quarterly earnings reports. Microsoft used technical means to shut it down.
The attackers returned with a new BEC that took a different tack: instead of tricking targets into logging in to lookalike sites, and consequently divulging the passwords, the scam used emails that instructed the recipient to give what was purported to be a Microsoft app access to an Office 365 account. The latest scam used the COVID-19 pandemic as a lure.
“This scheme enabled unauthorized access without explicitly requiring the victims to directly give up their login credentials at a fake website or similar interface, as they would in a more traditional phishing campaign,” Tom Burt, Microsoft’s corporate vice president for Customer Security & Trust, wrote. “After clicking through the consent prompt for the malicious web app (pictured below), the victim unwittingly granted criminals permission to access and control the victims’ Office 365 account contents, including email, contacts, notes and material stored in the victims’ OneDrive for Business cloud storage space and corporate SharePoint document management and storage system.”
Burt cited a 2019 report from the FBI that said BEC crimes caused losses of more than $1.7 billion, almost half of all financial losses caused by Internet crime. BECs were the most costly complaint received by the Internet Crime Center, according to the report. In some of the more well-executed campaigns, executives receive emails that appear to come from managers, accountants, or other people who work for the organization.
Burt didn’t give the name or affiliation of the hackers other than to say they were sophisticated and had carried out the December campaign.

Beware of OAuth


It’s not the first time attackers have tricked targets into granting network access to malicious apps. Last year, researchers disclosed at least two others, both of them designed to gain access to Google accounts. One was carried out by hackers working for Egypt, according to a report from Amnesty International. The other targeted the iOS and Android devices of Tibetans.
Both campaigns relied on OAuth, an open standard that allows users to give websites or apps access to network resources without having to give them a password. As Microsoft said, such attacks often fly under the radar of users trained to spot phishing, since there’s no request to enter a password into a fake site. In some cases, the OAuth technique may have the ability to bypass two-factor authentication, which in addition to a password, requires users to enter a temporary password or to connect a physical security key to the device that’s being authenticated.
Microsoft’s Burt didn’t explicitly say the apps used in the more recent case connected through OAuth. In a separate post published on Wednesday, however, Microsoft warned of “Consent phishing,” in which attackers use the same OAuth method.
Among the advice the Microsoft posts provide to prevent such attacks is to turn on two-factor authentication. It’s always a good idea to turn it on, but it’s not clear how effective the measure alone is at preventing these attacks. Some networks may not require the second factor for OAuth. And even when networks do enforce 2FA for OAuth, targets who are tricked into connecting an app can likely be fooled into supplying the second factor as well.
One way to protect Google and G Suite accounts against OAuth scams is to turn on Advanced Protection, which strictly enforces hardware-based 2FA for every new device or app logging in for the first time. The program also restricts all but a handful of apps from connecting even when a key is provided, so it may not be suitable for all users. It’s possible that other 2FA protections do the same.
Other ways to avoid the scams is to learn the telltale signs of phishing, such as misspelled words, bad grammar, and links to sites that name a company or product but combine it with words that aren’t commonly used by the app maker or website operator. Wednesday’s post provides a variety of ways to spot malicious OAuth apps. These measures are hardly perfect, and as a result, the effectiveness and low cost of phishing makes it one of attackers’ go-to methods for compromising accounts. The steps are nonetheless worth following.

Originally published at https://arstechnica.com 

Comments

Post a Comment

Popular posts from this blog

Facebook updates iOS app to fix issues that let the camera open in the background

The issues were first reported this month This month, some users of Facebook’s iOS app  found that  that, in at least two situations, the app appeared to be activating the camera in the background without a user’s knowledge. Facebook said yesterday that it was submitting fixes for the issues to Apple, and the company tells us that, as of this morning, the updated app is now available for download on the App Store. I’ve downloaded the update to my iPhone 11 Pro, and I can’t get the camera to accidentally activate in either of the scenarios that were reported — but I also couldn’t get it to activate yesterday, so I can’t personally confirm that the issues are fixed. But if we take Facebook at its word that everything is resolved, it’s nice to see that the company acted quickly. Article reference:  https://www.theverge.com/2019/11/13/20963791/facebook-issue-fix-camera-open-background-update-ios-app-store
Post a Comment
Read more

WhatsApp Users Exchanged Over 100 Billion Messages on New Year’s Eve, A New Record

WhatsApp is one of the most widely used communication apps on the planet and as such, clocks an insane number of messages and media exchanges on a daily basis. But the New Year's Eve broke a record that has been standing since WhatsApp's debut a decade ago. WhatsApp has revealed that users exchanged over 100 billion messages on New Year's eve. And out of that number, more than 20 billion messages were shared by Indian users alone. Moreover, around 12 billion out of the 100 billion+ messages shared on the platform were images. WhatsApp wrote in a press release that over 100 billion messages were shared globally on December 31 in the 24-hour duration leading up to the midnight of New Year's Eve. This is a record-breaking volume and is the highest number of messages exchanged in a single day ever since WhatsApp kicked off its services ten years ago. Out of those 100 billion+ messages shared on New Year's eve, WhatsApp says over 12 billion were images. Meanwhile...
Post a Comment
Read more

Lebanese Protesters Are Using This ‘Bridgefy’ Messaging App - What is it?

Bridgefy is an offline messaging app that lets you communicate with friends and family when you don't have access to the Internet, by simply turning on your Bluetooth antenna. Due to WhatsApp outage and the poor internet services, a new offline messaging app known as Bridgefy has started to gain traction among Lebanese protesters. The people are recommending using this app in case there is a shutdown of internet services. Did you know that: 1 billion people aren’t covered by 3G or 4G networks. 3.3 billion people live in areas where the mobile Internet can be accessed but remain without a mobile Internet subscription. 1 billion people own a smartphone but don’t own a data plan. 40% of the world population is forecast to remain unconnected by 2025. These numbers represent huge amounts of potential users that aren’t being reached by mobile apps. Bridgefy keeps your app working even when people do not have access to the Internet. T...
Post a Comment
Read more