Microsoft has neutralized a large-scale fraud campaign that used fake domains and malicious apps to defraud customers in 62 countries around the world.
The software maker and cloud service provider obtained a court order last week that allowed it to seize six domains, five of which contained the word "office." The company said the attackers used the domains in a sophisticated campaign to get CEOs and other high-ranking business leaders to transfer large sums of money to the attackers rather than to the trusted parties they believed they were paying. An earlier so-called BEC, or business email compromise, carried out by the same group in December used conventional phishing emails to gain unauthorized access to accounts. Those emails used general business topics such as quarterly earnings reports as lures. Microsoft used technical means to shut that campaign down.
The attackers returned with a new BEC that took a different path: instead of getting targets to log in to look-alike websites and thereby reveal their passwords, the fraud allegedly used emails instructing the recipient to grant a malicious web app access to their Office 365 account. The latest scam used the COVID-19 pandemic as bait.
"This scheme allowed unauthorized access without explicitly asking victims to provide their credentials directly on a fake website or similar interface, as would be the case with a more traditional phishing campaign," Tom Burt, corporate vice president for Customer Security & Trust at Microsoft, wrote. "After the victim clicked through the malicious web app prompt (see image below), the victim unintentionally gave the criminals permission to access and control the victim's Office 365 account content, including email, contacts, notes and material stored in OneDrive for Business cloud storage and the SharePoint document management and storage system for companies."
Burt cited a 2019 FBI report that found BEC crimes caused losses of more than $1.7 billion, almost half of all financial losses caused by cybercrime that year. BECs were the most expensive category of complaint received by the Internet Crime Complaint Center, according to the report. In some of the better-run campaigns, executives receive emails that appear to come from managers, accountants, or other people who work for the company.
Burt did not name the hackers or their affiliation, saying only that they were sophisticated and had carried out the December campaign.
Beware of OAuth
It's not the first time attackers have tricked targets into granting network access to malicious apps. Last year, researchers documented at least two other such campaigns, both designed to gain access to Google accounts. One was carried out by hackers working on behalf of Egypt, according to a report by Amnesty International. The other targeted iOS and Android devices belonging to Tibetans.
Both campaigns relied on OAuth, an open standard that lets users give websites or apps access to network resources without handing over a password. As Microsoft noted, such attacks often fly under the radar of users trained to spot phishing, because no password is ever typed into a fake site. Consent-based attacks can also sidestep two-factor authentication, which requires users to enter a one-time code in addition to a password or to connect a physical security key to the device being authenticated: the victim has usually already satisfied the second factor when logging in, and the access token issued to the app after consent is not subject to it.
Microsoft's Burt did not specifically say that the apps used in the newer case connected via OAuth. However, in a separate post published on Wednesday, Microsoft warned of "consent phishing," in which attackers use the same OAuth mechanism.
One of the pieces of advice in Microsoft's posts for preventing such attacks is to enable two-factor authentication. It is always a good idea to turn it on, but it is not clear how effectively that measure alone prevents these attacks. Some services may not require the second factor when an OAuth consent is granted. And even when services enforce 2FA for OAuth, targets who can be tempted into connecting an app can probably also be tempted into providing the second factor.
One way to protect Google and G Suite accounts from OAuth fraud is to enroll in Advanced Protection, which strictly enforces hardware-based 2FA for every new device or app that logs in for the first time. The program also blocks connections from all but a handful of apps, even when a key is provided, so it may not be suitable for all users. Other 2FA protections may offer similar restrictions.
Another way to avoid the fraud is to learn the telltale signs of phishing, for example misspelled words, poor grammar, and links to websites that use a company or product name but combine it with words the app maker or website operator does not normally use. Wednesday's post offers several ways to detect malicious OAuth apps. These measures are hardly perfect. Because phishing is effective and cheap, it remains one of the most common methods attackers use to compromise accounts. The steps are still worth following.
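The consent mechanism described above and the detection advice in this section can be made concrete with a small triage script. The following is an added example, not Microsoft's code or anything from the posts the article cites. It parses the kind of OAuth authorize link that a consent-phishing email carries (the client_id, scope and redirect_uri parameters are the standard ones for the Microsoft identity platform's authorize endpoint), then flags the things a defender would look at first: broad, persistent delegated permissions, a redirect back to a domain outside the organisation, and a redirect host that uses a Microsoft brand word such as "office" without being a Microsoft domain. The scope list, the domain lists and the two sample URLs are constructed for illustration.

```python
"""Triage of OAuth consent links of the kind used in consent phishing.

Added example; not Microsoft's or the article's code. The risky-scope
list, trusted-host lists and sample URLs are constructed assumptions.
"""
from urllib.parse import urlparse, parse_qs

# Delegated Microsoft Graph permissions that give an app broad, lasting
# access to a mailbox and files. Which ones matter is a policy choice;
# these names are real Graph scopes, the selection is an assumption.
HIGH_RISK_SCOPES = {
    "offline_access",              # refresh token: access outlives the session
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Contacts.Read", "Contacts.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
    "MailboxSettings.ReadWrite",   # enough to add forwarding / inbox rules
}

# Hosts allowed to present a consent screen for work or school accounts.
TRUSTED_AUTHORIZE_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}

# Brand words that look-alike domains tend to use, and the real suffixes
# under which Microsoft actually serves these products (assumed list).
BRAND_WORDS = ("office", "microsoft", "o365", "sharepoint", "onedrive")
MICROSOFT_SUFFIXES = ("microsoft.com", "office.com", "microsoftonline.com",
                      "sharepoint.com", "live.com")


def _under(host, suffixes):
    """True if host equals one of suffixes or is a subdomain of one."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def looks_like_brand_impersonation(host):
    """A host that contains a Microsoft brand word but is not a Microsoft domain."""
    host = host.lower()
    if _under(host, MICROSOFT_SUFFIXES):
        return False
    return any(word in host for word in BRAND_WORDS)


def parse_consent_url(url):
    """Extract the OAuth parameters embedded in an authorize URL."""
    parts = urlparse(url)
    q = parse_qs(parts.query)          # decodes %20 and '+' in the scope list
    scopes = set()
    for raw in q.get("scope", []):
        scopes.update(s for s in raw.split() if s)
    return {
        "host": (parts.hostname or "").lower(),
        "client_id": q.get("client_id", [""])[0],
        "redirect_uri": q.get("redirect_uri", [""])[0],
        "scopes": scopes,
        "prompt": q.get("prompt", [""])[0],
    }


def assess_consent_url(url, org_domains=()):
    """Return a list of findings; an empty list means nothing was flagged."""
    info = parse_consent_url(url)
    findings = []
    if info["host"] not in TRUSTED_AUTHORIZE_HOSTS:
        findings.append("authorize host is not a Microsoft login host: " + info["host"])
    risky = sorted(info["scopes"] & HIGH_RISK_SCOPES)
    if risky:
        findings.append("requests high-risk delegated scopes: " + ", ".join(risky))
    redirect_host = (urlparse(info["redirect_uri"]).hostname or "").lower()
    if org_domains and redirect_host and not _under(redirect_host, org_domains):
        findings.append("redirect_uri points outside the organisation: " + redirect_host)
    if looks_like_brand_impersonation(redirect_host):
        findings.append("redirect host impersonates a Microsoft brand: " + redirect_host)
    if info["prompt"] == "consent":
        findings.append("prompt=consent forces the consent screen even for a known app")
    return findings


# Constructed samples: a consent-phishing style link and a benign one.
PHISH_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
             "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
             "&redirect_uri=https%3A%2F%2Foffice-365-update.example%2Fcallback"
             "&scope=openid%20offline_access%20Mail.ReadWrite%20Files.ReadWrite.All"
             "%20Contacts.Read&prompt=consent")
BENIGN_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
              "?client_id=11111111-1111-1111-1111-111111111111&response_type=code"
              "&redirect_uri=https%3A%2F%2Fapp.contoso.com%2Fauth"
              "&scope=openid%20profile%20User.Read")

if __name__ == "__main__":
    for url in (PHISH_URL, BENIGN_URL):
        print(url[:80] + "...")
        for f in assess_consent_url(url, org_domains=("contoso.com",)):
            print("  -", f)
```

Note that the phishing link is served from the genuine login.microsoftonline.com host, exactly as in the campaign the article describes, so the host check alone clears it; the signal is in the permissions requested and where the grant lands. The script is a triage aid for mail filters or a SOC queue, not a verdict: legitimate apps request offline_access and Mail.ReadWrite too, which is why the findings are returned as a list for a human to weigh.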