Box, Zoom, Google Docs offer phishing boost with ‘custom URL’ flaws

Attack technique bypasses email filters and boosts credibility of phishing links

The failure to validate subdomains in so-called “vanity URLs” by Box, Zoom and Google Docs has created a powerful way to enhance their phishing campaigns, security researchers have revealed.

Vanity URLs can be customized to include a brand name and a description of the purpose of the link (eg brand name/registernow) and usually redirect to a longer generic URL.

Widely used by software as a service (SaaS) applications, vanity URLs are used to share or request files, invite users to register for events, and more.

False sense of security

Vulnerabilities discovered in Box, Zoom, and Google Docs allow attackers to abuse the apparent assurance vanity URLs offer recipients that they are dealing with a legitimate organization rather than cybercriminals.

Varonis Threat Labs researchers found that SaaS applications validated vanity URLs’ URI (the unique sequence of characters at the end of the link), but not its descriptive subdomain (the part preceding the URI).

Learn about the latest news and phishing attacks

“As a result, hackers can use their own SaaS accounts to generate links to malicious content (files, folders, landing pages, forms, etc.) that appear to be hosted by your company’s sanctioned SaaS account,” reads- we in a press release. blog post published by Varonis Threat Labs.

“To achieve this, just change the subdomain in the link.”

Success rate

This attack technique, as demonstrated in this videowould act to massively increase the success rate of phishing or malware distribution campaigns, according to Rob Sobers, CMO of Varonis.

“It can make a huge difference because spoofed links look legitimate to security technologies like email filters and CASBs (Cloud Access Security Broker),” Sobers said. The daily sip.

“They would normally block a spoofed or misspelled URL (like apple-support.zoom.us). In this case, since we are spoofing the REAL URL, there is no way for these types of technologies to filter or report automatically the URL as malicious.

Sobers continued, “Additionally, knowledgeable users can usually detect subtle differences when loading a fake URL in their browser, such as an invalid security certificate or misspelled subdomain. With this abuse, the URL and the certificate are completely valid. »

Given that three of the most widely used SaaS applications contain the same flaw, “it is very likely that similar issues exist in other SaaS applications,” Sobers warned.

Warning signs

Box, the popular cloud content management application, has fixed flaws affecting vanity URLs for file sharing and public forms used to request files and related information.

The file sharing problem was exacerbated by an attacker’s ability to add password protection to malicious files and upload a targeted brand’s logo and recreate its color scheme, while the absence branding on public forms makes it harder for victims to spot telltale design flaws. .

A Zoom spokesperson said The daily sip that it had addressed the potential abuse of vanity URLs for meeting recordings and webinar registration pages “by warning users if they are redirected to a different subdomain”.

However, Varonis urged users to be “careful when accessing branded Zoom links” given that “users often click on non-critical warning messages.”

Attackers could also mark a Google form requesting sensitive confidential data with the targeted company’s logo like yourcompanydomain.docs.google.com/forms/d/e/:form_id/viewform.

“The form may require registration with an email from your company’s domain, which makes it more reliable,” Varonis said.

Google Doc documents exchanged via the “publish to web” feature are also vulnerable.

Google hasn’t rolled out a fix yet, according to Varonis.

YOU MIGHT ALSO LIKE RuTube hack: Russian video platform denies loss of source code in cyberattack

Comments are closed.