Fake SSO used to phish multiple email providers
Single sign-on (SSO) allows users to log into a single account (e.g. Google) and access other services like YouTube or Gmail without authenticating with a separate username and password.
This functionality also extends to third-party services such as the popular Dropbox file sharing app, which gives users the ability to access their account using Google authentication from their login page.
Malicious pages mimic popular login workflows
SSO is very convenient for most users. This means they don’t need to manage an ever-growing list of login credentials and can instead use a single login ID to authenticate with various services.
Unfortunately, the increasing availability and adoption of single sign-on on popular websites also appears to have led to an increase in phishing pages.
These malicious pages replicate the login processes of popular services such as Dropbox or Docusign. Instead of connecting users to the intended service, the pages phish their SSO credentials and pass them on to bad actors.
Login process replicated in phishing campaigns
Phishing pages inform users that they can log into a third-party service (like Dropbox) using their SSO email account with one of the popular providers below.
The only vendors included on this phishing page that actually provide any type of SSO service are Google and Microsoft.
Before the popularity of single sign-on, this was not a common phishing tactic – it would be very unusual for someone to type in their email address and password when trying to log in to a third-party service.
CSS and a few images are missing from the original phishing page, so it doesn’t look the way it was originally intended, but we can still see the references in the real index.php for the phishing page.
In the past, phishers typically set up individual phishing pages tailored to replicate each email provider’s login page. For example, phishing pages for Google, Hotmail, or AOL would exist in various subdirectories so that campaigns could replicate the address bar URL of each targeted service.
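As an added example (not code from the original article or from the campaign), the Python below triages a saved login page for the pattern described above: a password field served away from the provider's own login host, next to a sign-in menu that names mail brands with no SSO service. The `NON_SSO_MAIL_BRANDS` entries, the sample pages and the `example.test` hosts are constructed placeholders, and the result is a triage signal rather than a verdict.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts where Google and Microsoft actually collect account passwords.
SSO_LOGIN_HOSTS = {"accounts.google.com", "login.microsoftonline.com", "login.live.com"}
SSO_BRANDS = {"google", "microsoft"}
# Assumption: placeholder names; replace with mail brands known to offer no SSO.
NON_SSO_MAIL_BRANDS = {"examplemail", "samplepost"}


class LoginPageScan(HTMLParser):
    """Collects password fields and provider names from text and attributes."""
    def __init__(self):
        super().__init__()
        self.password_fields = 0
        self.brands = set()

    def handle_starttag(self, tag, attrs):
        values = dict(attrs)
        if tag == "input" and (values.get("type") or "").lower() == "password":
            self.password_fields += 1
        # Logos often carry the brand only in alt, title or src attributes.
        self._note(" ".join(v for v in values.values() if v))

    def handle_data(self, data):
        self._note(data)

    def _note(self, text):
        words = set(re.findall(r"[a-z0-9]+", text.lower()))
        self.brands |= words & (SSO_BRANDS | NON_SSO_MAIL_BRANDS)


def assess(html, page_url):
    """Flag a password form, off the provider's host, beside non-SSO brands."""
    scan = LoginPageScan()
    scan.feed(html)
    host = urlparse(page_url).hostname or ""
    off_provider = scan.password_fields > 0 and host not in SSO_LOGIN_HOSTS
    non_sso = sorted(scan.brands & NON_SSO_MAIL_BRANDS)
    return {"brands": sorted(scan.brands), "non_sso_brands": non_sso,
            "suspicious": off_provider and bool(non_sso)}


# Constructed sample pages (not taken from the campaign).
FAKE_MENU = """<form action="index.php"><img src="google.png" alt="Google">
<img src="examplemail.png" alt="ExampleMail"><input type="password" name="pass"></form>"""
REAL_STYLE = """<form action="/login"><input type="password" name="pass"></form>
<a href="https://accounts.google.com/o/oauth2/v2/auth">Sign in with Google</a>"""
```

A site's own password form next to a genuine "Sign in with Google" link, as in `REAL_STYLE`, is deliberately not flagged, because in real SSO the provider password is only ever typed on the provider's host.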
Conclusion and risk mitigation
This article shows how bad actors are experimenting with new phishing methods to trick victims into revealing their personal information.
The best way to mitigate damage if your login credentials are compromised is to use two-factor authentication (2FA).
Two-factor authentication makes accessing your account much more difficult for attackers, as they require a secondary authentication method to complete the sign-in process. We suggest avoiding SMS authentication whenever possible, as SMS messages can be intercepted and are not as secure as other multi-factor authentication methods.