Barracuda's latest threat spotlight discusses the trends and tactics of form-based attacks; a new type of brand impersonation attack that is disproportionately using Google-branded websites to manipulate users into sharing login credentials.
In this type of brand impersonation attack, scammers leverage trusted file-sharing services or similar productivity sites such as docs.google.com to trick users into clicking through suspicious links and eventually entering their confidential login details. Within this general format there are a few differing tactics, with some even making use of the legitimate sites they are impersonating.
Sites Used in Form-Based Attacks
Of the nearly 100,000 form-based attacks Barracuda detected between January 2020 and the end of April, Google file sharing and storage websites were used in 65% of attacks. This includes storage.googleapis.com (25%), docs.google.com (23%), storage.cloud.google.com (13%), and drive.google.com (4).
In comparison, Microsoft brands were targeted in 13% of attacks: onedrive.live.com (6%), sway.office.com (4%), and forms.office.com (3%). The other sites used in impersonation attacks include sendgrid.net (10%), mailchimp.com (4%), and formcrafts.com (2%). All other sites made up 6 percent of form-based attacks.
The three most common tactics
1. Using legitimate sites as intermediaries
With this tactic, cybercriminals impersonate emails that appear to be automatically generated by file sharing sites like OneDrive, directing their targets to a phishing site by first sending them to a legitimate site.
This is achieved by sending a phishing email with a link that leads to to a file stored on the legitimate site - however, once opened, this file includes a secondary link that sends the user to the credential-stealing phishing site.
2. Creating online forms for phishing
In this second approach, attackers create online forms through services like forms.office.com that resemble the login page of legitimate sites. The link to this form is then used in phishing emails to harvest credentials.
Due to these emails only including the initial legitimate website link these attacks are incredibly hard to detect on that basis alone, however they can sometimes be identified by the use of unusual domains.
3. Getting access to accounts without passwords
In this final attack variant, hackers can gain access to the victims’ accounts without actually stealing their credentials. The original phishing email contains a link to what looks like a typical login page - even the domain name in the browser window appears to match - however, the link actually contains a request for an access token for an app.
After login credentials are entered, the victim is presented with a list of app permissions to accept. By accepting these permissions, the victim is not giving up passwords to attackers, but rather grants the attacker’s app an access token to use the same login credentials to access the account.
Attacks like these are likely to go unnoticed by users for a long time. After all, they used their credentials on a legitimate website. Even two-factor authentication will do nothing to keep attackers out because their malicious app was approved by the user to access accounts.
Defending Against Advanced Phishing Attacks
Barracuda Total Email Protection ensures your organisation is secured against email-borne threats.
The Barracuda email security solutions bundled into Total Email Protection create the most effective solution to prevent targeted social engineering attacks. Its multi-layered approach combines a secure email gateway, AI-powered fraud protection, and advanced security awareness training. This results in comprehensive protection against business email compromise, account takeover, and other advanced email threats.
Find out more about Total Email Protection in our latest report - 2020 Email Protection Trends.