Hackers of India

Phishing in the cloud era

By Ashwin Vamshi and Abhinav Singh on 08 Aug 2019 @ Defcon: Cloud Village


Presentation Material


URL: https://www.slideshare.net/slideshow/phishing-in-the-cloud-era/170464784

Abstract

Cloud services are built for increased collaboration and productivity, and provide capabilities like auto-sync and API-level communication. This has led enterprises to exclusively use SaaS, PaaS and IaaS services for storing and sharing critical and confidential data. End users as well as security products tend to place implicit trust in cloud vendors such as Microsoft, AWS and Google, and in SaaS app vendors such as Box, Salesforce and Dropbox. As a result, cybercriminals have started launching their attacks from these trusted cloud services. This talk will focus on how attackers abuse these trusted cloud services to create phishing attacks that are highly effective and hard to detect.

We will begin the presentation by sharing statistics that illustrate the wide-scale adoption of cloud services by cybercriminals, focusing in particular on the use of cloud services as the launching point of an attack. In the next section we will discuss some of the novel offensive phishing techniques attackers have employed, including abusing SaaS APIs, abusing trusted API redirects, and hosting attack pages in cloud services. We will then deep dive into three specific techniques we discovered in the wild.

Targeted BEC (business email compromise): phishing attacks abusing popular services like S3, GCS, Azure Storage, and Google App Engine on GCP. The S3, GCS and Azure Storage based attacks used static web hosting to serve up convincing baits, complete with Amazon-, Google- or Microsoft-issued SSL certificates. We will provide a few examples of successful attacks of this type. The App Engine attack used an open redirect to make it appear that the bait was being delivered from Google; we provide a detailed breakdown of how this was done and what made the attack successful. At the time of writing this draft, Google shows its standard redirection notice when users click one of these App Engine links, making it more obvious to the user that they are being redirected.

“Default Allow” action in popular PDF readers, and annotations used in themed decoy templates: this action only warns the user that the document is trying to connect to a trusted cloud service, which looks benign at face value. By taking advantage of the “default allow” action in popular PDF readers, the attacker can easily deploy multiple attacks without the security warning reappearing after the first alert. In this section we provide examples of multiple attacks leveraging this technique, including the preceding BEC.

PhaaS (Phishing-as-a-Service): criminals hosting full-fledged phishing infrastructure in the cloud and selling it in a B-to-C model. These on-demand service models are in essence a criminal version of software-as-a-service, allowing the purchase of site login accounts along with the crafting and hosting of phishing links. In this section we provide an overview of one of these services and describe how it uses public cloud services to drive its success.

The idea is to educate our audience about the new wave of sophisticated attacks abusing highly trusted services like Google and its App Engine APIs, object stores in AWS/Azure/GCP, and other Tier-1 SaaS applications. Attackers not only craft a “near original” phishing bait but also make such attacks hard for security products to detect. We will then discuss some inherent design constraints and weaknesses in these services that benefit cybercriminals in building attacks that bypass modern security solutions. Most end users are now savvy enough to understand that links containing random IP addresses or suspicious-sounding domain names should not be clicked, but they lack a similar awareness of the risk associated with cloud services. Users tend to click on an email invite from a cloud application or a phishing document hosted in a cloud environment because it is convincing and difficult to recognize as phishing.

We will then examine the motivation behind this new trend, its monetary impact in the cybercrime market, and its simplicity, which is drawing more and more novice cybercriminals into building their attacks by abusing such services. We will conclude the talk by sharing details of our responsible disclosure to Tier-1 vendors and proposing detection and remediation techniques for this type of attack.
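As an added defender-side example (not from the talk or its authors), the following Python triages URLs extracted from email for the two hosting patterns the abstract describes: static bait pages served from object-store web hosting, and App Engine links carrying a redirect to a different domain. The hostname suffix list, the redirect parameter names and the sample URLs are assumptions constructed for this example.

```python
from urllib.parse import urlparse, parse_qs
# Public object-store / static-website hostname suffixes (assumption: illustrative, not exhaustive).
OBJECT_STORE_SUFFIXES = (
    ".amazonaws.com",          # AWS endpoints, including S3 s3-website hosting
    "storage.googleapis.com",  # Google Cloud Storage
    ".blob.core.windows.net",  # Azure Blob Storage
    ".web.core.windows.net",   # Azure Storage static websites
)
APP_ENGINE_SUFFIX = ".appspot.com"
# Query parameters that commonly carry a redirect target (assumption, not from the talk).
REDIRECT_PARAMS = ("continue", "url", "redirect", "redirect_uri", "next", "return", "dest")
# Constructed sample URLs, as they might be extracted from inbound mail.
SAMPLE_URLS = [
    "https://invoice-portal.s3-website-us-east-1.amazonaws.com/login.html",
    "https://storage.googleapis.com/shared-docs/index.html",
    "https://some-app.appspot.com/r?continue=https://bait.example/signin",
    "https://some-app.appspot.com/home?next=https://some-app.appspot.com/dash",
    "https://www.example.com/newsletter",
]

def _is_object_store(host):
    return any(host == s or host.endswith(s) for s in OBJECT_STORE_SUFFIXES)

def _embedded_targets(url):
    """Yield (param, target) for query parameters whose value is an absolute URL."""
    qs = parse_qs(urlparse(url).query)
    for p in REDIRECT_PARAMS:
        for v in qs.get(p, []):
            if v.lower().startswith(("http://", "https://")):
                yield p, v

def triage_url(url):
    """Return a list of findings for one URL; an empty list means no pattern matched."""
    findings = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    # Pattern 1: an HTML page (or bucket root) served straight from object-store hosting.
    if _is_object_store(host) and parsed.path.lower().endswith((".html", ".htm", "/")):
        findings.append("static page served from object store: " + host)
    # Pattern 2: an App Engine URL whose redirect parameter points at another domain.
    if host.endswith(APP_ENGINE_SUFFIX):
        for p, target in _embedded_targets(url):
            thost = urlparse(target).hostname or ""
            if thost and thost != host:
                findings.append("app engine redirect via %s= to %s" % (p, thost))
    return findings

def triage_urls(urls):
    """Map each URL that matched at least one pattern to its findings."""
    return {u: triage_url(u) for u in urls if triage_url(u)}
```

Run against SAMPLE_URLS, the first three are flagged while the same-domain App Engine redirect and the ordinary website are left alone; a real deployment would feed this from a mail gateway or proxy log rather than a fixed list.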