I am aware that most of my recent newsletters dealt with the issue of account security and phishing, but I have one more story on this to share with you. I suppose this is indicative of the sad nature of the digital (in)security we face today. I promise, in the newsletters to come I will cover other topics as well.
Yesterday, we published a short blog post warning of an ongoing campaign of phishing attacks targeting human rights defenders and NGOs from Egypt.
To quote directly from the report:
“Since January 2019 several human rights defenders and civil society organizations from Egypt started forwarding dozens of suspicious emails to Amnesty International. Through the course of our investigation we discovered that these emails were attempts to access the email accounts of their targets through a particularly insidious form of phishing known as OAuth Phishing (which we explain in detail below). We estimate the total number of targeted individuals to be in the order of several hundreds.”
“These coincided with a number of important events that took place in the country. In the run-up to the eighth anniversary of Egypt’s 25 January uprising, which ended with the removal of former president Hosni Mubarak, after 30 years in power, we recorded 11 phishing attacks against NGOs and media collectives. We saw another burst of attacks during French President Emmanuel Macron’s visit to Cairo to meet with President Abdelfatah al-Sisi on 28 and 29 January. The attacks peaked on 29 January, the day that President Macron met with human rights defenders from four prominent Egyptian NGOs. Later, in the first week of February, several media organizations were targeted as part of this campaign of digital attacks; they were reporting on the process of amending the Egyptian Constitution that the parliament had just officially started.”
OAuth Phishing is an insidious phishing technique that is not very common, and consequently not as widely known to individuals at risk as the more traditional forms of phishing. Security education material also rarely mentions it.
Essentially, OAuth Phishing relies on a feature that many email providers (such as Google, Yahoo, Hotmail and Outlook) offer: through the OAuth authorization protocol, users can grant third-party applications access to their accounts without handing over their password. Legitimate third-party applications use this to, for example, extract invitations or flight and hotel bookings from the inbox and add them to an external calendar application.
Attackers can abuse this feature by creating malicious third-party applications that masquerade as legitimate ones, while their real purpose is to read and steal the victim's emails once access has been granted.
In the blog post we provide additional details and visuals explaining how this attack works and how to mitigate it. Unfortunately, because this form of phishing does not rely on creating and distributing a fake login prompt for a legitimate service, but abuses the service directly, the only prevention is to be alert and suspicious of third-party applications.
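As an added illustration of what "being suspicious of third-party applications" can look like in practice (this is example code, not part of the original post or of Amnesty's report), the script below triages a list of OAuth grants on a mailbox by the scopes they hold: any app outside an approved list that can read mail is flagged for revocation, while apps holding only calendar-style scopes are merely listed for review. The grant records and the allowlist are constructed for the example; the scope URIs are Google's real ones.

```python
from dataclasses import dataclass

# Scopes that allow an application to read or export the mailbox contents.
# A malicious "calendar helper" that asks for any of these is the pattern
# described in the text: the app, not a fake login page, does the stealing.
MAIL_READ_SCOPES = frozenset({
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
})


@dataclass(frozen=True)
class Grant:
    """One third-party app authorised on the account (constructed record format)."""
    app_name: str
    client_id: str
    scopes: frozenset


def has_mail_access(grant: Grant) -> bool:
    """True if the grant lets the app read the victim's emails."""
    return bool(grant.scopes & MAIL_READ_SCOPES)


def triage(grant: Grant, allowlist: frozenset) -> str:
    """Return 'allow', 'revoke' or 'review' for a single grant."""
    if grant.client_id in allowlist:
        return "allow"                 # known, approved integration
    if has_mail_access(grant):
        return "revoke"                # unknown app can read mail: treat as phishing
    return "review"                    # unknown app without mail access: check manually


def triage_all(grants, allowlist: frozenset) -> dict:
    """Map each app name to its verdict."""
    return {g.app_name: triage(g, allowlist) for g in grants}


# Constructed sample data: one approved calendar tool, one unknown calendar tool,
# and a lookalike "backup" app that quietly asked for full mailbox access.
APPROVED_CLIENT_IDS = frozenset({"calendar-sync.apps.example"})
SAMPLE_GRANTS = [
    Grant("Calendar Sync", "calendar-sync.apps.example",
          frozenset({"https://www.googleapis.com/auth/calendar.readonly"})),
    Grant("Meeting Planner", "planner.apps.example",
          frozenset({"https://www.googleapis.com/auth/calendar"})),
    Grant("Secure Mail Backup", "backup.apps.example",
          frozenset({"https://mail.google.com/"})),
]

if __name__ == "__main__":
    for app, verdict in triage_all(SAMPLE_GRANTS, APPROVED_CLIENT_IDS).items():
        print(f"{verdict:7} {app}")
```

On a real account the grant list would come from the provider's "third-party apps with account access" page rather than the constructed records above.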
As we highlight in the blog post, the targets of this latest campaign in Egypt significantly overlap with the targets of a similar phishing campaign discovered two years ago. At the time, the attackers set up the typical Google login clones and lured targets into giving away their credentials. Since then, human rights defenders and NGOs have equipped themselves with two-factor authentication solutions that mitigated that form of phishing. Now, the attackers have clearly adapted and the use of OAuth Phishing seems like a direct response to the better security practices that have been adopted by their targets.
Attackers are agile in their tactics; we need to be just as agile in our defenses.