All posts by anuragkahol

The evolution of phishing: Reeling them in from the cloud

Awareness of phishing has grown significantly in recent years, and users are more suspicious than ever of emails that land in their inbox from unknown or questionable senders. In response, cybercriminals have had to become savvier with their phishing tactics, turning to methods that are harder for users to spot. The latest of these uses spoofed cloud applications, a trend that businesses need to watch out for.

Early phishing

Phishing was once all about simple deception. A cybercriminal would pose as, for example, a government official or customer service representative and contact an unwitting victim. The victim, wanting to comply with the law or to prevent their account being shut down, would hand over their personal details to the cybercriminal.

However, this form of scam has become less successful. As phishing became more widespread, user awareness and understanding of it increased. Users are now less likely to share personal information openly or to open suspicious attachments, and they know to look for poor spelling, grammar or strange sender addresses. Technology, too, caught up with traditional phishing: major email providers now alert users to questionable messages or source domains, and spam filters block large numbers of phishing emails before they ever reach their recipients.

Most businesses are now well equipped to defend themselves from traditional phishing attacks, so phishers have had to think of more innovative ways to trick the average person; phishing has had to become more sophisticated. The motivation of phishing attacks is now also shifting: rather than tricking employees into disclosing financial or personal information, hackers are now far more interested in collecting valid business credentials.

Phishing today

Phishing in the cloud is the newest method used by phishers today. Take this year’s Gmail phishing scam, which impacted an estimated one million accounts. The attack spread through victims’ Gmail contacts when they clicked on a bogus Google Doc that appeared to have been shared by a known contact. Part of what was so startling about the scam was how believable it was: the attackers registered an ordinary third-party web app through Google’s own developer platform and simply named it “Google Docs”. Because the consent screen displayed that name, people thought they were being asked to open a legitimate document, when in fact they were granting the attackers’ app access to their account. With that grant the attackers could read victims’ email and harvest their contacts, which is how the scam propagated to the next round of targets.

This attack underscores the security risks of OAuth, the delegated-authorisation protocol that Google and many other providers use to let third-party apps act on a user’s behalf. Through OAuth, users never hand a password to the third party. Instead they grant the app a set of permissions (scopes) to their account with, say, Google, Facebook or Twitter, and the provider issues the app a token that carries those permissions.

In the Google attack, hackers exploited this capability. The victim was already signed in to Google, so a single click on the consent screen was enough: no password was re-entered and no second-factor prompt stood in the way, because the grant happens inside an already authenticated session. As the scam shows, a protocol that makes it easy for users to authorise third-party applications also makes it easy for attackers to obtain access without ever learning the credentials themselves, and that access persists until the grant is revoked rather than ending when the victim logs out.
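To make the mechanism concrete, here is an added example (written for this edit, not code from the original post or from Google) that parses an OAuth 2.0 authorization URL of the kind the consent page is reached through and surfaces what an administrator would want to see before a user clicks “Allow”: which scopes are requested, which client_id is asking, and where the authorization code or token will be delivered. The scope URIs are real Google scopes; the client_ids, redirect hosts, the approved-app allowlist and the two sample URLs are constructed for illustration.

```python
from urllib.parse import parse_qs, urlparse

# Real Google OAuth scope URIs that hand an app mailbox or contact data.
SENSITIVE_SCOPES = {
    "https://mail.google.com/": "full Gmail access (read, send, delete)",
    "https://www.googleapis.com/auth/gmail.readonly": "read all Gmail messages",
    "https://www.googleapis.com/auth/contacts": "read and modify contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read contacts",
    "https://www.googleapis.com/auth/drive": "full Google Drive access",
}

# Hypothetical allowlist of client_ids the organisation has vetted.
APPROVED_CLIENT_IDS = {"000000000000-approved.apps.googleusercontent.com"}


def parse_consent_request(url):
    """Extract the fields that matter from an OAuth 2.0 authorization URL."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)

    def first(key):
        return query.get(key, [""])[0]

    return {
        "authz_host": parsed.hostname or "",
        "client_id": first("client_id"),
        "redirect_uri": first("redirect_uri"),
        "response_type": first("response_type"),
        "scopes": first("scope").split(),  # Google uses space-separated scopes
    }


def assess_consent_request(url, approved_clients=APPROVED_CLIENT_IDS):
    """Return (verdict, findings) for one consent request."""
    req = parse_consent_request(url)
    findings = []

    sensitive = [s for s in req["scopes"] if s in SENSITIVE_SCOPES]
    for scope in sensitive:
        findings.append(f"requests {SENSITIVE_SCOPES[scope]} via {scope}")

    unapproved = req["client_id"] not in approved_clients
    if unapproved:
        findings.append(f"client_id {req['client_id']!r} is not an approved app")

    # The redirect host is where the code or token ends up, whatever name
    # the app shows on the consent screen.
    redirect_host = urlparse(req["redirect_uri"]).hostname or "<missing>"
    findings.append(f"grant will be delivered to {redirect_host}")

    if req["response_type"] == "token":
        findings.append("implicit flow: access token returned straight to the redirect")

    if unapproved and sensitive:
        verdict = "block"
    elif sensitive or unapproved:
        verdict = "review"
    else:
        verdict = "allow"
    return verdict, findings


# Constructed sample requests (not URLs from the incident discussed above).
APPROVED_LOGIN = (
    "https://accounts.google.com/o/oauth2/v2/auth?"
    "client_id=000000000000-approved.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback"
    "&response_type=code&scope=openid%20email&state=abc123"
)
LOOKALIKE_DOCS = (
    "https://accounts.google.com/o/oauth2/v2/auth?"
    "client_id=111111111111-lookalike.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs-share.example.net%2Fcallback"
    "&response_type=code&state=xyz"
    "&scope=https%3A%2F%2Fmail.google.com%2F%20"
    "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)

if __name__ == "__main__":
    for label, url in (("approved login", APPROVED_LOGIN),
                       ("app calling itself 'Google Docs'", LOOKALIKE_DOCS)):
        verdict, findings = assess_consent_request(url)
        print(f"{label}: {verdict}")
        for line in findings:
            print("  -", line)
```

The point of the redirect-host line is that the display name on the consent screen is chosen by whoever registered the app, whereas client_id and redirect_uri are not: a request that calls itself “Google Docs” but delivers a mailbox-scoped grant to an unfamiliar host is the signature of this class of attack, and an allowlist of vetted client_ids catches it regardless of the name shown.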

The scam’s success relied on psychological manipulation. By naming the app “Google Docs”, the attackers borrowed Google’s own credibility; no spoofed domain or lookalike login page was needed, because the consent page the victims saw really was Google’s.

Next-gen phishing

Whilst traditional phishing scams, with their suspect spelling and senders, now fail to reel in most of us, the Google Docs attack demonstrated how a new breed of cloud phishing can trick even some of the most tech-savvy users. Next-generation phishing will see attackers manipulate user trust further by creating malicious applications disguised as legitimate ones, which users install and authorise. The widespread adoption of SaaS applications has made this an attractive vector for threat actors, and one that has not yet been exploited to its full potential.

In response to the Gmail attack, Google implemented a number of new security measures, including machine-learning-based classification, improved email filtering and malicious-URL detection, all of which improve email security. Some providers now also warn users when they attempt to reply to an address outside their corporate domain, which is very useful in the workplace.

Although cloud providers will do their best to prevent phishing scams and warn users about them, some individuals will still take the bait. Employee training therefore remains the first line of defence against phishing attacks. For consent-based phishing specifically, administrators should also review which third-party applications hold OAuth grants to corporate accounts, revoke anything unrecognised, and restrict which apps users may authorise where the platform allows it. Enterprises should also consider investing in security technologies that can detect these threats as they evolve.

Combating the rising threat of malware in the cloud

Enterprise cloud adoption continues to grow at an unprecedented rate as more businesses realise the benefits these services can bring.

However, perhaps predictably, this explosive growth has also given rise to a host of new cyber threats as criminals look to capitalise on changing business habits. At the top of the list are two familiar threats, malware and ransomware, which now have the potential to compromise more data than ever before thanks to the interconnected nature of the cloud.


Worryingly few cloud service providers offer dedicated protection against malware in the cloud. While Office 365, G Suite and Azure can identify common, known malware, most come up short when it comes to defending against zero-day attacks. Today there is a shortage of proactive cloud malware solutions, even amongst industry-leading vendors, and as a result most businesses are unable to defend their entire cloud application portfolio effectively.

What’s more, the biggest threats don’t come from known malware but from unknown, zero-day attacks that can take weeks or even months to discover. By that point they have often already done serious damage through data exfiltration. Once malware lands in a cloud app it is synchronised to every user and device with access to that location, so a single infected endpoint is enough to spread it across the organisation, and containing it after the fact is difficult.

Until we see an emergence of dedicated solutions to bolster malware defences in the cloud, organisations should take a proactive approach to keeping their sensitive cloud-based data protected. The following five areas are the most important to consider:

Tackle zero-day threats

As malware becomes increasingly sophisticated and stealthy, effective zero-day protection helps businesses stay a step ahead. Such tools combine static analysis, which bases a risk decision on hundreds of characteristics of a file (its type, structure, embedded code and so on) without executing it, with behavioural analysis that observes what the file does when run in a sandbox. Together these can flag a threat that has never been seen in the wild and therefore has no signature.
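As an added illustration of what a static-feature risk decision looks like (example code written for this edit, not a vendor’s engine; it uses a handful of hypothetical features and weights where a real product would use hundreds), the following inspects a file’s leading bytes, its extension, its zip contents and its byte entropy, then turns the hits into an allow/quarantine/block verdict. The sample files are constructed in memory.

```python
import io
import math
import zipfile
from collections import Counter

# Leading bytes that identify a container regardless of the file name.
MAGIC = [
    (b"PK\x03\x04", "zip"),                           # OOXML Office files, JARs, zips
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),     # legacy .doc/.xls/.ppt
    (b"MZ", "pe"),                                    # Windows executables
    (b"%PDF", "pdf"),
]
EXPECTED_TYPE = {"docx": "zip", "docm": "zip", "xlsx": "zip", "pptx": "zip",
                 "zip": "zip", "doc": "ole", "xls": "ole", "pdf": "pdf",
                 "exe": "pe", "dll": "pe"}
EXECUTABLE_EXTS = {"exe", "dll", "scr", "js", "vbs", "hta"}

# Hypothetical weights; a real engine scores hundreds of such features.
WEIGHTS = {"type_mismatch": 50, "double_extension": 30,
           "has_macro": 40, "high_entropy": 20}


def shannon_entropy(data):
    """Bits per byte; packed or encrypted payloads sit close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def container_type(data):
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def has_vba_project(data):
    """OOXML documents store VBA macros in a vbaProject.bin part."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def extract_features(filename, data):
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = container_type(data)
    return {
        # Extension claims one type, the bytes say another (e.g. "report.pdf" that is a PE).
        "type_mismatch": ext in EXPECTED_TYPE and EXPECTED_TYPE[ext] != kind,
        # "invoice.pdf.exe": document-looking name, executable extension.
        "double_extension": len(parts) > 2 and ext in EXECUTABLE_EXTS
                            and parts[-2] in EXPECTED_TYPE,
        "has_macro": has_vba_project(data),
        "high_entropy": shannon_entropy(data) > 7.5,
    }


def assess_file(filename, data):
    """Return (verdict, score, features) for a file about to enter a cloud app."""
    feats = extract_features(filename, data)
    score = sum(WEIGHTS[f] for f, hit in feats.items() if hit)
    verdict = "block" if score >= 50 else "quarantine" if score >= 30 else "allow"
    return verdict, score, feats


def make_docx(with_macro):
    """Build a minimal OOXML-shaped zip in memory (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


# Constructed samples, not real malware.
CLEAN_DOCX = make_docx(False)
MACRO_DOCX = make_docx(True)
RENAMED_EXE = b"MZ" + b"\x90" * 200     # PE header bytes shipped under a document name
PACKED_BLOB = bytes(range(256)) * 16    # maximal entropy, exactly 8.0 bits per byte

if __name__ == "__main__":
    for name, data in (("clean.docx", CLEAN_DOCX), ("invoice.docm", MACRO_DOCX),
                       ("report.pdf", RENAMED_EXE), ("invoice.pdf.exe", RENAMED_EXE),
                       ("update.docx", PACKED_BLOB)):
        verdict, score, feats = assess_file(name, data)
        hits = [f for f, hit in feats.items() if hit]
        print(f"{name:16} {verdict:10} score={score:3} {hits}")
```

None of these checks needs a signature: a renamed executable is blocked because its bytes contradict its name, and a macro-bearing document is held for review because of what it contains, not because its hash has been seen before. That is the sense in which static analysis can act on a file that has never appeared in the wild.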

Scan data flowing to endpoints

Most cloud platforms don’t come equipped with advanced threat protection, so third-party security solutions are essential. Not all solutions are equal, however, and businesses should hold endpoint protection to the highest possible standard.

The best solutions will catch most malware coming to endpoints, which includes both desktops and laptops. Given that it is not uncommon for large businesses to have hundreds of cloud apps, the solution needs to work across all applications, rather than working solely on one or two apps.

Dedicated BYOD protection

While dedicated endpoint security solutions can be effective in securing managed devices, unmanaged BYOD assets often go unprotected. In order to deal with this, organisations need a means of enabling secure upload and download of files from unmanaged endpoints. This should deliver a frictionless user experience, whilst ensuring corporate data remains secure and regulatory compliance requirements are met.

Prevent malware from spreading

Should a network become infected, preventing the spread of malware is critical in order to maintain the integrity of as much data as possible.

Advanced Threat Protection technologies can help businesses to detect and block known and unknown malware before it hits a cloud application. This adds an important layer of protection that can significantly slow, or even stop a malicious attack in progress.

Rethink enterprise app security

Unlike unsanctioned or unknown web services, enterprise productivity apps such as G Suite and Office 365 are built to be functional and secure. As a result, most people have little concern about downloading corporate documents or attachments from these services.


Unfortunately, malicious individuals readily exploit this trust. These apps share many of the same weaknesses as other online services and apply only limited security checks to the files they store, so a document shared through them can carry malware just as a file from any other source can. Vigilance plays a leading role here: employees should be encouraged to flag anything suspicious and to apply the same common-sense approach to downloading files from these apps that they would for any other application.

The rise of enterprise cloud solutions has greatly benefited organisations, but it has also introduced new security concerns that continue to evolve. Zero-day malware attacks in particular can have a devastating effect if given free rein across cloud applications.

Organisations need a combination of existing, advanced tools to make sure they have an effective line of defence, capable of keeping out even the most determined attackers.