Crimeware: Phishing Scheme Gives Bad Guys Access to Your Cloud Data

As online users become more sophisticated, hackers are becoming more sophisticated as well. Early phishing attacks relied on users clicking links without paying attention to where the links took them. For example, a hacker would create a page that looked just like the PayPal login page, but it was actually a fake page used by the bad guys to capture login information from people who believed they were signing into their PayPal accounts.

Today, there are new twists to the old phishing scams. The usual tipoff in a phishing scam is that the user is sent to a domain impersonating the real one. It might be paypal.log-in.com instead of paypal.com, for example. In one recent scam, however, users who clicked on a malicious link to login.microsoftonline.com were taken to Microsoft’s actual login page. The catch is that parameters appended to the link tell Microsoft to forward an authentication token to officesuited[.]com, a site controlled by the hackers. After signing in, the user is shown a consent page asking them to grant an application access to their email, contacts, files, mailboxes, and more. This same approach could be used with other cloud providers. In fact, Gmail was targeted by a similar tactic in 2017.

Why would users grant these permissions? If they do not know there is a malicious actor involved, users may not be concerned. We have been conditioned to click and agree when presented with options. According to Michael Tyler of Phishlabs.com, “We can look at the reason phishing is still around and it’s because people are making decisions they shouldn’t be making or shouldn’t be able to make. Even employees who are trained on security are trained to make sure it’s a legitimate site before entering their credentials. Well, in this attack the site is legitimate and at that point their guard is down. I look at this and think, would I be more likely to type my password into a box or more likely to click a button that says ‘okay’?”

Because the login genuinely happens at Microsoft’s website, two-factor authentication would not protect users: the second factor is satisfied as usual, and the token is then handed to the hackers’ app. And once access has been granted to this malicious app, even changing the password would not revoke the hackers’ access.

Microsoft provides instructions for rescinding illicit consent grants, but the best way for users to avoid this issue is to carefully review the entire URL when installing apps and granting permissions. Look for links to unfamiliar sites and odd URLs. System administrators can block users from installing any apps or limit them to apps from the official Microsoft store.
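The review of “the entire URL” described above can be automated. The following is an added example, not code from the article or from Microsoft: it parses an OAuth authorize link of the kind used in this scam, checks where the token will be forwarded (`redirect_uri`) against an allowlist, and flags the permissions (`scope`) that hand over mail, contacts and files or keep access alive after a password change. The sample links, the allowlist and the `attacker-controlled.example` host (standing in for the article’s officesuited[.]com) are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# The identity provider's login host. In this scam the first hop really is
# legitimate, which is why the usual "check the domain" advice fails.
IDP_HOSTS = {"login.microsoftonline.com"}

# Hosts the organisation allows to receive tokens (constructed allowlist).
TRUSTED_REDIRECT_HOSTS = {"outlook.office.com", "portal.office.com"}

# Delegated Microsoft Graph permissions covering the data the article lists.
SENSITIVE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Contacts.Read",
                    "Files.Read.All", "Files.ReadWrite.All",
                    "MailboxSettings.ReadWrite"}

# Constructed sample links: one matching the scam, one benign.
PHISH_LINK = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
              "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
              "&redirect_uri=https%3A%2F%2Fattacker-controlled.example%2Fcallback"
              "&scope=openid%20offline_access%20Mail.Read%20Contacts.Read%20Files.Read.All")
LEGIT_LINK = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
              "?client_id=11111111-1111-1111-1111-111111111111&response_type=code"
              "&redirect_uri=https%3A%2F%2Foutlook.office.com%2Fowa%2F"
              "&scope=openid%20profile%20User.Read")

def review_consent_link(url: str) -> dict:
    """Inspect an authorize link and report what a careful reader should notice."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)          # parse_qs already URL-decodes values
    findings = []
    # Hop 1: the login page itself (real in this scam, so not a red flag).
    login_is_real = parts.hostname in IDP_HOSTS
    # Hop 2: where the provider forwards the token after login.
    redirect_host = urlsplit(params.get("redirect_uri", [""])[0]).hostname or ""
    if redirect_host and redirect_host not in TRUSTED_REDIRECT_HOSTS:
        findings.append(f"token is forwarded to untrusted host: {redirect_host}")
    # Requested permissions: 'scope' is a space-separated list.
    scopes = set(params.get("scope", [""])[0].split())
    risky = sorted(scopes & SENSITIVE_SCOPES)
    if risky:
        findings.append("requests access to mail/contacts/files: " + ", ".join(risky))
    if "offline_access" in scopes:
        findings.append("requests a refresh token: access survives a password change")
    return {"login_is_real": login_is_real, "redirect_host": redirect_host,
            "scopes": sorted(scopes), "findings": findings,
            "verdict": "BLOCK" if findings else "OK"}

if __name__ == "__main__":
    for link in (PHISH_LINK, LEGIT_LINK):
        print(review_consent_link(link))
```

The same check fits a mail gateway or proxy rule: a link to the real login host whose `redirect_uri` points outside the allowlist is the signature of this scam.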