Attackers could abuse the vanity subdomains of popular cloud services such as Box.com, Google, and Zoom to mask attacks in phishing campaigns.
Vanity links created by companies to add their brand to well-known cloud services could become a useful vector for phishing attacks and a way to better fool victims, researchers warn.
Cloud services that don’t check whether subdomains have been modified could allow links that appear to be from “varonis.box.com” or “apple.zoom.us” — two examples used in an advisory from data-protection firm Varonis on Wednesday. In the case of Box.com, that could lead to a malicious document; in the case of Zoom, that could mean a webinar that collects information that is unrelated to the cited brand. The problems occur when a cloud service allows a vanity subdomain but does not validate the subdomain or use the subdomain to provide services.
Varonis notified Box.com and Zoom of the issue — along with Google, whose links to Google Docs could be spoofed — more than six months ago, and the problems are mostly fixed, the company stated. However, the problem likely exists for other services, says Or Emanuel, director of research and security for Varonis.
“We think it is more than just those three SaaS services,” he says, adding that attackers can also use the predictability of the subdomains to select potential victims. “Because of the vanity URLs, it makes it very easy for threat actors to scan all the subdomains of all the big Fortune companies with different cloud providers,” he says.
Hiding malicious code and phishing sites behind what appears to be well-known brands is a key way for attackers to fool victims into trusting fraudulent e-mail messages and links to websites. In 2019, for example, three-quarters of companies discovered that the lookalike domain had been established by a third party using a non-.COM top-level domain. Because of the expansion of top-level domains, phishers and fraudsters have a broader selection of potential domains, while companies have to consider purchasing a broad swath of domains to adequately protect their intellectual property and brand.
Varonis’s research examines the problem from the other direction. Rather than looking at the top-level domains, the company’s researchers investigated ways of abusing the subdomains that many cloud service providers allow their customers to use.
“Not only do vanity URLs feel more professional, but they also provide a sense of security for end-users,” Varonis stated in the advisory. “Most people are likelier to trust a link at varonis.box.com than a generic app.box.com link. However, if someone can spoof that subdomain, then trusting the vanity URL can backfire.”
Social Engineering With Zoom
A software-as-a-service (SaaS) application is vulnerable to the attacks when a customer is allowed to use their brand as the subdomain, such as varonis.zoom.us, but at the point where the link is sent to a third party — such as participants in a conference call or webinar — the subdomain is no longer checked. In the case of Zoom’s service, attackers could create a webinar that asks registrants a variety of questions useful for social engineering, rebrand the webinar as a popular company, and then change the resulting URL to the targeted company’s brand. The original domain — attacker.zoom.us, for example — could be changed to varonis.zoom.us without any impact on the functionality of the link.
A properly branded page could fool a victim into giving information, especially when the subdomain indicates the host is a well-known company. In the case of Box.com, a link such as app.box.com/f/abcd1234 could be changed to varonis.app.box.com/f/abcd1234 to appear to be an official form collecting information, but actually, send the information to the attacker.
“The more interesting attacks from a data protection standpoint are when you have forms for registration or file-sharing requests,” Emanuel says. “When the threat actor controls these pages, they can ask for any information they want, and it seems totally legit. It’s really hard to determine that it’s not a page that the company owns.” Read more: https://bit.ly/3wklfBL
You can also read this: Cyber-attacks cause a national emergency in Costa Rica