How to Save Your Business From Consent Phishing

Cybercriminals have upgraded their attack techniques to bypass the password altogether with consent phishing.

Last Updated: July 14, 2023

  • Users are becoming wiser when creating stronger passwords and using multi-factor authentication.
  • Cybercriminals have upgraded their attack techniques to bypass the password altogether with consent phishing, where the user is tricked into granting access to malicious apps.
  • Here are strategies you can adopt and apply to safeguard your enterprise against consent phishing.

Cybersecurity is a game of moves and countermoves. Threat actors target a particular attack avenue to gain access to your enterprise. Cybersecurity teams then reinforce that area to mitigate the threat. The hackers then perform a flanking maneuver to target another area of vulnerability, and so on. It is an incessant process that seems to have no end.

Credential stuffing attacks have been the rage for years now. In a credential stuffing attack, threat actors use automated tools to try large numbers of stolen or leaked usernames and passwords against a website or cloud service. To be successful, these attacks rely on two conditions. They count on people reusing the same password for multiple sites, and they bank on the premise that the targeted organization does not utilize multi-factor authentication (MFA). Without MFA, attackers can seize control of an account by simply guessing the password.

The good news is that users are becoming better educated about cyber hygiene today and are using distinct passwords across sites more often. Many organizations have at least enabled MFA for their privileged accounts. Because password compromise isn’t as easily attainable now, cybercriminals are seeking other ways that bypass the necessity of passwords. One of those new tactics is called consent phishing.

What Is Consent Phishing?

Consent phishing is defined as a type of attack that threat actors use to trick victims into granting a malicious app permission to access sensitive data or resources.

What makes this attack effective is that it doesn’t require the attacker to compromise the user’s password. Instead of stealing a user’s password, which is the primary objective of conventional phishing attacks, the user is manipulated into granting permissions to the malicious app that the attacker controls. In other words, your organization can have a strict password policy, require MFA for all users, and still be prone to consent phishing.

How a Consent Phishing Attack Works

Here is the basic play-by-play of a consent phishing attack.

  1. An attacker creates a malicious app that impersonates a legitimate app or service, such as a well-known cloud storage app or cloud-native productivity app. The app is designed to request access to the data or resources that the legitimate app would require to do its job. For instance, the app might request read access to the user’s files or permission to send messages on behalf of the user.
  2. The attacker sends a phishing email or social media message with an embedded link directing the user to install the malicious app.
  3. The user clicks the link thinking it is legitimate and is directed to a genuine account login page such as Microsoft or Google. The page then shows the permissions that the app is requesting consent for.
  4. Once the user grants the requested permissions, the malicious app can access the data or resources it wants to connect to. The attacker now uses that access to exfiltrate data, send spam, or countless other things.


Consent Phishing Takes Advantage of the OAuth Process

If you think that the consent phishing attack methodology sounds a lot like open authorization (OAuth), you are correct. In fact, another name for consent phishing is OAuth phishing.

OAuth is an open standard protocol that allows applications to interact with other applications or obtain limited access to a user’s data. Because it decouples authentication from authorization, it does not require a password. OAuth works over HTTPS with access tokens instead of credentials to authorize applications, devices, APIs, and other objects. The OAuth process breaks down into four primary steps:

  • The app requests authorization from a user
  • The user authorizes the app and provides proof
  • The app presents proof of authorization to a server to get a token
  • The token is restricted to the access granted by the user

Users may assume the request is legitimate because the OAuth consent screen is most often hosted on a trusted platform such as Google or Microsoft. Unfortunately, once a user grants permissions to an app, that app can potentially have access to a wide range of capabilities involving the user’s data. Once granted, the app can use those permissions until they are revoked at some point. The increased use of cloud-based applications and services that rely on OAuth for authorization and access management creates greater opportunities for threat actors to use consent phishing.
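The four steps above, and the point that a consented token keeps working until the grant is revoked, are easier to see in code. The following is an added example, not code from the original article or from any OAuth provider: a toy authorization server and resource server that walk through request, consent, token issuance and scope enforcement. The client id, redirect URI, scope names and the shape of the consent record are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass

# Toy OAuth 2.0 authorization-code flow (constructed example).
# Client ids, scope names and the consent-record format are assumptions.


@dataclass
class Grant:
    """A consent record: which app the user authorized, and for which scopes."""
    client_id: str
    user: str
    scopes: frozenset
    revoked: bool = False


class AuthorizationServer:
    def __init__(self):
        self.clients = {}   # client_id -> registered redirect_uri
        self.codes = {}     # one-time authorization codes -> Grant
        self.tokens = {}    # access_token -> Grant
        self.grants = []    # every consent ever given; this is what an audit reviews

    def register_client(self, client_id, redirect_uri):
        self.clients[client_id] = redirect_uri

    # Step 1: the app requests authorization for a set of scopes.
    def authorization_request(self, client_id, redirect_uri, scopes):
        if self.clients.get(client_id) != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        # This is what the consent screen shows the user: app id plus requested scopes.
        return {"client_id": client_id, "requested_scopes": sorted(scopes)}

    # Step 2: the user authorizes the app; the server issues proof (an authorization code).
    def user_consents(self, user, client_id, approved_scopes):
        grant = Grant(client_id, user, frozenset(approved_scopes))
        self.grants.append(grant)
        code = secrets.token_urlsafe(16)
        self.codes[code] = grant
        return code

    # Step 3: the app presents the proof and receives a token bound to that grant.
    def token_request(self, client_id, code):
        grant = self.codes.pop(code, None)  # codes are single-use
        if grant is None or grant.client_id != client_id:
            raise ValueError("invalid or reused authorization code")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = grant
        return token

    # Revoking the grant is the only thing that stops an already-issued token.
    def revoke(self, client_id, user):
        for g in self.grants:
            if g.client_id == client_id and g.user == user:
                g.revoked = True


class ResourceServer:
    def __init__(self, auth):
        self.auth = auth

    # Step 4: the token is restricted to the scopes the user actually granted.
    def access(self, token, required_scope):
        grant = self.auth.tokens.get(token)
        if grant is None or grant.revoked:
            return "denied: no valid grant"
        if required_scope not in grant.scopes:
            return f"denied: scope {required_scope} not granted"
        return f"ok: {required_scope} for {grant.user}"


def demo():
    """Run the flow once: the user approves only files.read, then revokes the app."""
    auth = AuthorizationServer()
    res = ResourceServer(auth)
    auth.register_client("app-123", "https://app.example/callback")
    auth.authorization_request("app-123", "https://app.example/callback",
                               {"files.read", "mail.send"})
    code = auth.user_consents("alice", "app-123", {"files.read"})
    token = auth.token_request("app-123", code)
    results = [res.access(token, "files.read"), res.access(token, "mail.send")]
    auth.revoke("app-123", "alice")
    results.append(res.access(token, "files.read"))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The defender's takeaway is in the last two lines of `demo()`: nothing about the user's password ever enters the flow, and the token issued at step 3 keeps working for every granted scope until someone revokes the grant. That consent list (`auth.grants` here) is the artifact a routine audit needs to review.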


Steps to Help Mitigate Consent Phishing Attacks

Because consent phishing attacks can bypass traditional security measures such as password policies that so many organizations depend on, these attacks can prove difficult to detect and stop. Here are some security tips to protect against these new threats.

  1. Train users about OAuth: While most users certainly understand the purpose of passwords and the risks they entail, many users don’t understand the OAuth process. All they know is that they are being directed to a site like Microsoft that then asks them to take some sort of action which they willingly agree to. While standard users don’t have to understand everything about the OAuth process, they should be educated on its purpose and risks.
  2. Carefully review any requested permissions: This is the equivalent of always reading the fine print when you sign a contract. Ensure that users and administrators review the permissions that an app is requesting and have them understand when those permissions might be excessive.
  3. Educate users about trusted sources: Encourage your users only to use applications from trusted sources and vendors. Provide an approved vendor list that is available for everyone.
  4. Do not rely on application names or domain URLs as a source of authenticity: These are easily and regularly spoofed by attackers so that they appear as legitimate sources. Always validate the source of the domain URL.
  5. Upgrade your email security system: Use a modern intelligence-driven email security system that draws from telemetry data to detect and block suspicious emails. Users should also be taught to identify emails that appear awkwardly written or don’t look right, as these are often signs of possible phishing.
  6. Conduct routine audits of your applications and consented permissions: This should be done across the organization to ensure only legitimate, authorized applications are in use and that their permitted access adheres to the principle of least privilege.
  7. Enforce application control policies: Where your identity platform supports it, restrict which applications users are allowed to grant permissions to, so that administrators rather than individual users decide which apps may receive consent.

Always ensure you have a multilayered cybersecurity strategy to prevent attackers from gaining consent to compromise your organization.




Brad Rudisail
Brad Rudisail is a technical writer and a former IT manager specializing in delivering today’s complex technical subjects in a palatable format to tech-savvy business leaders. Brad has spent 20 years in the IT field as a network engineer, IT manager, instructor and technical writer. His portfolio includes a long assortment of white papers, articles and learning curriculum. He is an accomplished pianist and composer as well as the author of two inspirational books.