Attack technique bypasses email filters and burnishes credibility of phishing links
A failure to validate subdomains within so-called ‘vanity URLs’ by Box, Zoom, and Google Docs created a powerful way to enhance their phishing campaigns, security researchers have revealed.
Vanity URLs can be customized to include a brand name and a description of the link’s purpose (for example, brandname/registernow) and typically redirect to a longer, generic URL.
Widely used by software-as-a-service (SaaS) applications, vanity URLs are used to share or request files, invite users to register for events, and so on.
False sense of security
The vulnerabilities discovered in Box, Zoom, and Google Docs enable attackers to abuse the apparent reassurance vanity URLs offer recipients that they are dealing with a legitimate organization rather than cybercriminals.
Researchers from Varonis Threat Labs found that the SaaS applications validated vanity URLs’ URI (the unique sequence of characters at the end of the link), but not its descriptive subdomain (the portion preceding the URI).
“As a result, threat actors can use their own SaaS accounts to generate links to malicious content (files, folders, landing pages, forms, etc.) that appears to be hosted by your company’s sanctioned SaaS account,” reads a blog post published by Varonis Threat Labs.
“Achieving this is as easy as changing the subdomain in the link.”
“It can make a massive difference because spoofed links appear legitimate to security technologies like email filters and CASBs (Cloud Access Security Broker],” Sobers told The Daily Swig.
“They would normally block a faked or misspelled URL (like apple-support.zoom.us). In this case, since we’re spoofing the REAL URL, there’s no way for these types of technologies to automatically filter or flag the URL as malicious.”
Sobers continued: “Also, savvy users can typically pick up on subtle differences when loading a fake URL in their browser – things like an invalid security certificate or misspelled subdomain. With this abuse, the URL and certificate are completely valid.”
Since three of the most widely used SaaS apps containing the same flaw, “it’s very likely that similar issues exist in other SaaS apps”, warned Sobers.
Box, the popular cloud content management app, patched flaws affecting vanity URLs for file-sharing and public forms used to request files and associated information.
The file-sharing issue was exacerbated by an attacker’s ability to add password protection to malicious files and upload a targeted brand’s logo and recreate its color scheme, while the absence of branding on public forms makes it harder for victims to spot tell-tale design flaws.
A spokesperson from Zoom told The Daily Swig that it had addressed the potential abuse of vanity URLs for meeting recordings and webinar registration pages “by warning users if they are being redirected to a different subdomain”.However, Varonis urged users to be “cautious when accessing branded Zoom links” given that “users often click through non-critical warning messages”.
Attackers could also brand a Google Form requesting sensitive confidential data with targeted company’s logo as yourcompanydomain.docs.google.com/forms/d/e/:form_id/viewform.
“The form could require registering with an email from your company domain, making it seem more trustworthy,” said Varonis.
Google Doc documents exchanged via the ‘publish to web’ feature are similarly vulnerable.
Google is yet to roll out a fix, according to Varonis.