Russian hackers use OAuth, fake Google apps to phish users
The Russian hacking group blamed for targeting U.S. and European elections has been breaking into email accounts, not only by tricking victims into surrendering passwords, but by stealing access tokens too.
It's a sneaky hack that's particularly worrying, because it can outsmart Google's 2-step verification, according to security firm Trend Micro.
The group, known as Fancy Bear or Pawn Storm, has been executing the attack with its favored tactic of sending out phishing emails, Trend Micro said in a report Tuesday.
The attack works by sending out a fake email, pretending to be from Google, with the title "Your account is in danger."
An example of a phishing email that Fancy Bear has used.
The email claims that Google detected several forced sign-in attempts into their account. It then suggests users install a security application called "Google Defender."
However, the application is actually a ruse. In reality, the hacking group is trying to dupe users into giving up a particular access token for their Google account, Trend Micro said.
Victims that fall for the scheme will be redirected to a genuine Google page, which can authorize the hacking group's app to view and manage their email. Users that click "allow" will be handing over what's known as an OAuth token.
Although the OAuth protocol doesn't transfer any password information, it's designed to grant third-party applications access to internet accounts through the use of special tokens.
The OAuth protocol may have been designed for convenience, but security experts have warned it can be used for malicious ends. In the case of Fancy Bear, the hacking group has leveraged the protocol to build fake applications that can dupe victims into handing over account access, Trend Micro said.
"After abusing the screening process for OAuth approvals, (the group's) rogue application operates like every other app accepted by the service provider," the security firm said.
Even Google's 2-step verification, which is designed to prevent unwanted account access, can't stop the hack, according to Trend Micro.
Google's 2-step verification works by requiring not only a password, but also a special code sent to a user's smartphone when logging in. Security experts say it's an effective way to protect your account.
However, the phishing scheme from Fancy Bear manages to dodge this security measure by tricking users into granting access through the fake Google security app.
"The target might be familiar with generic phishing emails, but not so much with OAuth abuse tricks," Trend Micro said in its report. "Chances are significant that even well-educated targets get fooled."
Google, however, said it takes many steps to protect users from such phishing attacks.
"In addition, Google detects and reviews potential OAuth abuse and takes down thousands of apps for violating our User Data Policy, such as impersonating a Google app," the company said in a statement.
"Note that a real Google app should be directly accessed from a Google site or installed from the Google Play or Apple App stores," it added.
According to Trend Micro, victims were targeted with this phishing attack in 2022, and 2022. In addition to Google Defender, Fancy Bear has used other apps under names such as Google Email Protection and Google Scanner. They've also gone after Yahoo users with apps called Delivery Service and McAfee Email Protection.
The attack attempts to trick users into handing over access to their email through fake Google third-party applications.
"Internet users are urged to never accept OAuth token requests from an unknown party or a service they did not request," Trend Micro said.
Although a password reset can sometimes revoke an OAuth token, it's best to check what third-party applications are connected to your email account. This can be done by looking at an email account's security settings, and revoking access where necessary.
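To make the two defensive points above concrete (what the "allow" page is actually granting, and how to review apps already connected to an account), here is an added example that is not part of the article and not code from Trend Micro or Google. It pulls the standard OAuth 2.0 parameters (client_id, scope, redirect_uri) out of a consent URL, scores an app by whether it is on a vetted client allowlist, whether it asks for broad mailbox scopes, and whether its name borrows a brand whose domain its redirect does not belong to, and then applies the same scoring to a snapshot of connected apps. The Gmail and Calendar scope strings are real Google scopes; every client ID, hostname and app record is constructed for the example, and the rogue app names are the ones the article lists.

```python
"""Triage helper for OAuth consent requests and already-granted third-party
apps. Added illustration for this article; not code from Trend Micro or
Google. Client IDs, hostnames and app records below are constructed."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Scopes that hand an app broad mailbox access (real Gmail scope strings).
MAIL_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
}

# Brands the article's rogue apps borrowed, mapped to the domain a genuine
# app of that brand would redirect back to.
BRAND_DOMAINS = {"google": "google.com", "mcafee": "mcafee.com"}

# OAuth client IDs the organisation has vetted (constructed placeholder).
APPROVED_CLIENT_IDS = {"approved-client-0001.example"}

R_UNVETTED = "client_id is not on the approved list"
R_MAILBOX = "requests broad mailbox access"
R_BRAND = "app name borrows a trusted brand"
R_REDIRECT = "redirect_uri host does not belong to the claimed brand"


@dataclass
class Finding:
    app_name: str
    client_id: str
    reasons: list = field(default_factory=list)

    @property
    def revoke(self) -> bool:
        # An unvetted app holding mailbox access is the combination the
        # article describes; brand borrowing alone is only a lesser signal.
        return R_UNVETTED in self.reasons and R_MAILBOX in self.reasons


def _host_in_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def assess_app(app_name, client_id, scopes, redirect_uri="") -> Finding:
    """Score one app by its consent parameters (RFC 6749 parameter names)."""
    finding = Finding(app_name, client_id)
    if client_id not in APPROVED_CLIENT_IDS:
        finding.reasons.append(R_UNVETTED)
    if set(scopes) & MAIL_SCOPES:
        finding.reasons.append(R_MAILBOX)
    claimed = [b for b in BRAND_DOMAINS if b in app_name.lower()]
    if claimed:
        finding.reasons.append(R_BRAND)
        if redirect_uri:
            host = urlparse(redirect_uri).hostname or ""
            if not any(_host_in_domain(host, BRAND_DOMAINS[b]) for b in claimed):
                finding.reasons.append(R_REDIRECT)
    return finding


def parse_consent_url(url: str) -> dict:
    """Pull client_id, scope list and redirect_uri out of the authorization
    request URL, i.e. the page a victim lands on after clicking the lure."""
    q = parse_qs(urlparse(url).query)
    return {
        "client_id": q.get("client_id", [""])[0],
        "scopes": q.get("scope", [""])[0].split(),
        "redirect_uri": q.get("redirect_uri", [""])[0],
    }


def assess_consent_url(app_name: str, url: str) -> Finding:
    p = parse_consent_url(url)
    return assess_app(app_name, p["client_id"], p["scopes"], p["redirect_uri"])


def review_granted_apps(records) -> list:
    """Walk an export of connected apps (what an account's security settings
    show) and return, sorted, the names whose access should be revoked."""
    return sorted(
        r["app_name"] for r in records
        if assess_app(r["app_name"], r["client_id"], r["scopes"]).revoke
    )


# Constructed consent URL, shaped like the one behind the "allow" button.
SAMPLE_CONSENT_URL = (
    "https://accounts.example/o/oauth2/auth?client_id=rogue-client-7777.example"
    "&scope=https://mail.google.com/"
    "&redirect_uri=https://defender-login.example.net/cb&response_type=code"
)

# Constructed snapshot of apps already connected to an account.
SAMPLE_GRANTED_APPS = [
    {"app_name": "Google Defender", "client_id": "rogue-client-7777.example",
     "scopes": ["https://mail.google.com/"]},
    {"app_name": "Calendar Sync", "client_id": "approved-client-0001.example",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"app_name": "Delivery Service", "client_id": "rogue-client-8888.example",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
    {"app_name": "Weather Widget", "client_id": "hobby-client-0002.example",
     "scopes": ["openid"]},
]

if __name__ == "__main__":
    f = assess_consent_url("Google Defender", SAMPLE_CONSENT_URL)
    print("consent request:", f.app_name, "revoke" if f.revoke else "review", f.reasons)
    print("revoke these granted apps:", review_granted_apps(SAMPLE_GRANTED_APPS))
```

The allowlist is what does the real work: a rogue app passes the provider's screening, as Trend Micro notes, so its presence in the consent screen proves nothing, whereas an organisation-maintained list of vetted client IDs turns "unknown party holding mail scopes" into a mechanical revoke decision. The brand and redirect checks are secondary signals for the human reviewer.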
Fancy Bear is most notorious for its suspected role in hacking the Democratic National Committee last year. However, the group has also been found targeting everything from government ministries and media organizations to universities and think tanks, according to Trend Micro.
Source: https://www.pcworld.com/article/406557/russian-hackers-use-oauth-fake-google-apps-to-phish-users.html