Fake SSO used in phishing multiple email providers

Single sign-on (single sign-on) Allows users to log into a single account (e.g. Google) and access other services like YouTube or Gmail without authenticating with a separate username and password.

This functionality also extends to third-party services such as the popular Dropbox file sharing app, which gives users the ability to access their account using Google authentication from their login page.

Malicious pages mimic popular login workflows

SSO is very convenient for most users. This means they don’t need to manage an ever-growing list of login credentials and can instead use a single login ID to authenticate with various services.

Unfortunately, the increasing availability and adoption of single sign-on on popular websites also appears to have led to an increase in phishing pages.

These malicious pages replicate the login processes of popular services such as Dropbox or Docusign. Instead of connecting to the intended service, users’ SSO credentials are phished and passed on to bad actors.

Login process replicated in phishing campaigns

Phishing pages inform users that they can log into a third-party service (like Dropbox) using their SSO email account with one of the popular providers below.

Dropbox phishing page with list of email providers
Fake Dropbox phishing page giving visitors the option to log into their Dropbox with their email address from a list of providers

The only vendors included on this phishing page that Actually providing any type of SSO service are Google and Microsoft.

Before the popularity of single sign-on, this was not a common phishing tactic – it would be very unusual for someone to type in their email address and password when trying to log in. to a third party service.

Third-party services in the phishing walkthrough

CSS and a few images are missing from the original phishing page, so it doesn’t look like what was originally intended, but we can still see references in the real world. index.php for the phishing page.

references index.php

In the past, phishers typically set up individual phishing pages tailored to replicate each email provider’s login page. For example, phishing pages for Google, Hotmail, or AOL would exist in various subdirectories so that campaigns could replicate the address bar URL of each targeted service.

Conclusion and risk mitigation

This article shows how bad actors are experimenting with new phishing methods to trick humans into victimizing and revealing their personal information.

The best way to mitigate damage if your login credentials are compromised is to use 2FA authentication.

Two-factor authentication makes accessing your account much more difficult for attackers, as they require a secondary authentication method to complete the sign-in process. We suggest avoiding SMS authentication whenever possible, as SMS messages can be intercepted and are not as secure as other multi-factor authentication methods.

Source link

June J. Lopez

Leave a Reply

Your email address will not be published.