The evolution of phishing: Reeling them in from the cloud

Awareness of phishing has grown significantly in recent years, and users are more suspicious than ever of emails that land in their inbox from unknown or questionable senders. In response to this, cybercriminals have had to become savvier with their phishing tactics. They’ve looked to new methods of phishing that are harder for users to expose. The latest of these phishing tactics uses spoofed cloud applications – a new trend that businesses need to watch out for.

Early phishing

Phishing was once all about simplistic deception. A cybercriminal would pose as, for example, a government official or customer service representative, and contact an unknowing victim. The victim, wanting to comply with the law or prevent their account being shut down, would happily and unwittingly give over their personal details to the cybercriminal.

However, this form of scam has started to decline in success. As phishing became more and more popular within the threat landscape, user awareness and understanding about it increased. Users are now less likely to openly share personal information or open suspicious attachments. They also know to look for poor spelling, grammar or strange email addresses when looking through their inbox. Technology, too, caught up with traditional phishing methods: major email providers now tend to alert users of a questionable email or source domain. Similarly, spam filters block large numbers of phishing emails before they even reach their recipients.

Most businesses are now well equipped to defend themselves from traditional phishing attacks, so phishers have had to think of more innovative ways to trick the average person; phishing has had to become more sophisticated. The motivation of phishing attacks is now also shifting: rather than tricking employees into disclosing financial or personal information, hackers are now far more interested in collecting valid business credentials.

Phishing today

Phishing in the cloud is the newest method used by phishers today. Take this year’s Gmail phishing scam, which impacted an estimated one million accounts. The widespread attack replicated through people’s Gmail contacts when they clicked on a bogus Google Doc that appeared to have been shared by a known contact. Part of what was so startling about the scam was how believable it was; hackers used a deceptively named web app – working from within Google’s system for developers. By calling a malicious third-party app “Google Docs,” the attackers were able to trick people into thinking they were being asked to click on a legitimate document, when in fact they were granting account access to hackers. Hackers could then use this permission to see victims’ contacts, read their emails, track locations, and see files created in G Suite.

This attack underscores the security risks of OAuth, which Google uses to streamline authentication. Through OAuth, users don’t have to hand over any password information. They instead grant permission so that one third-party app can connect to their Internet accounts for, say, Google, Facebook or Twitter.

In the Google attacks, hackers exploited this capability, aware that the user could grant them access to their personal information without even needing to re-enter their login details. As the phishing scam shows, the existence of such protocols makes it easier for users to allow access to third party applications, but in turn, makes it easier for hackers to also get access without needing the credentials themselves.

The Google phishing scam’s success relied on psychological manipulation. By impersonating Google Docs, hackers automatically gained the trust of a number of users – just a small change in how the application domain was disguised successfully convinced users that the application was trustworthy.

Next-gen phishing

Whilst traditional phishing scams now fail to reel in most of us – with their suspect spelling and senders – the Google Docs phishing attack demonstrated how a new breed of cloud phishing can trick even some of the most tech-savvy users. Next-generation phishing will see hackers manipulate user trust further by creating malicious applications disguised as legitimate applications, which users download and use. The widespread adoption of SaaS applications has made this an attractive vector for threat actors, and one that has not yet been exploited to its full potential.

In response to the Gmail attacks, Google implemented a number of new security measures: machine learning, improved email filtering, and malicious URL detection, all of which improve email security. Some providers now even give users a warning when they attempt to reply to an email address that is outside of their corporate domains, which is very useful within the workplace.

Although cloud providers will do their best to prevent and warn users of phishing scams, some individuals will still get hooked on a phisher’s line. Employee training therefore remains the first bastion of defence against phishing attacks. Enterprises should also consider investing in security technologies that can detect these threats as they advance.