Consent phishing, what it is, and how to defend yourself. The “consensus phishing” is the latest hacker gimmick: the user himself opens the doors to cybercriminals by permitting them to take possession of all their data. The intelligent working and hybrid work, partly online and partly in the office, open new opportunities to do business
Consent phishing, what it is, and how to defend yourself. The “consensus phishing” is the latest hacker gimmick: the user himself opens the doors to cybercriminals by permitting them to take possession of all their data. The intelligent working and hybrid work, partly online and partly in the office, open new opportunities to do business while maintaining a high quality of life for employees, but without limiting their productivity.
But they also open the door to new cyber risks, previously unknown, such as ” consent phishing, “i.e., the phishing of consent. Consent phishing is based on the consent given by the user to hackers, who can access all data, often that of the entire company. This is a growing phenomenon, as evidenced by the specific alarm launched by Microsoft in July 2021.
What Is Consent Phishing?
Consent phishing is a type of cyber attack in which the user, in addition to being a victim, is also the protagonist. Technically it is based on unique cloud apps, i.e., applications that run on remote servers. There are more and more of these apps, and they are increasingly used. For example, online productivity applications, such as Google Workspace or Microsoft 365, are nothing more than packages containing numerous complex apps that run in the cloud.
In the case of Microsoft 365, companies can create internal apps to perform specific tasks and allow workers to use them by accessing them through their company email account.
Apart from the necessary browser to connect to the Internet, no application is needed on the user’s computer to use these services. For this reason, since these are online applications, during access, the apps in the cloud ask the user for consent to access the files on his online space, on the computer from which he connects, or to some devices connected to it.
If we want to keep a copy of a file on the computer, with continuous synchronization with its online fraud, we must allow the online app to access the files on our local disk so that the app can keep the file synchronized. If we want to use an online video conferencing service without downloading the app on the computer, we must grant it access to the webcam and microphone. And so on. All regular and all secure, but only as long as the apps to which we grant permissions are in turn safe and respectful of our privacy. Otherwise, you risk big.
Consent Phishing, How To Recognize It
Consent phishing is, ultimately and in any case, a phishing attack. And as such, it follows the now-classic phishing patterns: everything starts, almost always, from an email. In the message, usually, a colleague invites us to access our cloud space to download or view a file. We receive more and more messages every day: they are now part of our daily work. In the case of consent phishing, a technique called ” brand impersonification ” is often used, which consists in sending an email that appears to come from our company. The email contains the link to a known online platform, such as Microsoft Online or Google, which leads to a screen through which the user authorizes the malicious cloud app to access their data.
Unlike classic phishing, therefore, consent phishing does not go through a fake web page: the dangerous app uses, in fact, legitimate online platforms that are considered safe by users who, consequently, trust it. This is because even if they are pretty savvy and check the URL the link points to, they find addresses starting with ” https://login.microsoftonline.com ” or ” https://accounts.google.com. ” Recognizing consent phishing, therefore, is much more complex than classic phishing.
Consent Phishing, How To Defend Yourself
Already this swift and summary description of consent phishing allows everyone to understand that, to counter the phenomenon, it is not only the users who have to make efforts to pay attention but also the companies that use online platforms (and the platforms themselves) to having to do it to recognize and block cloud apps used by attackers as soon as possible.
Attackers typically configure apps to appear trustworthy by registering them using names like ” Enable Calc”, “ SettingsEnabler” or” Settings 4 Enabler “, which look like legitimate business productivity apps or extensions. The hackers then distribute the OAuth 2.0 URLs via conventional email-based phishing attacks. OAuth 2.0 is the most popular multi-factor authorization protocol on the web and is used by Microsoft and Google.
For this reason, even those who manage the online platforms must make more significant efforts to combat consent phishing. Suppose the user is asked to pay more attention to the emails they receive and the permissions they grant. In that case, system administrators are asked as much attention to identifying suspicious apps.