Threat actors love phishing because it works. But how they use it – and where they use it – depends on the type of catch they’re after.
“Phishing is a wide-net cast to catch victims. Spear phishing is a very targeted attack aimed at a specific person or persona,” explained Timothy Morris, chief security adviser at Tanium. “Think of a large net versus a spear.”
The point of a phishing attack is to obtain or steal credentials. Typical attacks have been sent through email, but threat actors have expanded their horizons and are now using the cloud to launch their attacks.
How attackers use phishing in the cloud
Anti-malware software company Malwarebytes defines cloud phishing as “a phishing trend that uses the guise of cloud computing services to get users to click malicious links. Campaigns of this kind usually start off in emails and social media posts.”
Threat actors are using cloud applications as an attack vector because that’s where the users are. According to research from Netskope, 82% of organizations with at least 500 users allowed access to a minimum of 250 different cloud applications. That turns into a huge opportunity for attackers to make their way into an organization’s network.
The Netskope research listed the reasons why targeting the cloud offers advantages for threat actors. They include:
- A very large attack surface. Many of the phishing attacks involve creating fake cloud applications using OAuth, which is also used by the most popular cloud providers and vendors.
- It’s easy to bypass MFA because the attackers are able to steal OAuth tokens.
- Once in the cloud, threat actors can use it indefinitely.
- Security controls in the cloud are not as mature as other security systems.
Once inside a particular cloud application, threat actors can then use the tools in the app to gain access to data and use different functionalities to launch phishing attacks. For example, breaching an organization’s Google or Microsoft cloud gives the attacker access to email accounts, contact lists and document creation.
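From the defender's side, the following added example (not from the article or from Netskope's research) scores a tenant's OAuth app grants by the traits described above: access to mail, contacts and documents, long-lived tokens, and an unverified publisher. The record fields, weights, threshold and sample grants are assumptions constructed for illustration; the scope names follow Microsoft Graph naming.

```python
from dataclasses import dataclass

# Scopes that give the access the article mentions: mail, contacts, documents.
DATA_SCOPES = {"mail.read", "mail.send", "contacts.read", "files.readwrite"}
# A refresh-token scope lets an app keep access with no further MFA prompt.
PERSISTENT_SCOPE = "offline_access"

@dataclass(frozen=True)
class Grant:  # hypothetical record shape for an exported consent grant
    app_name: str
    publisher_verified: bool
    scopes: frozenset
    users_consented: int

def score(grant):
    """Return (points, reasons) for one grant; higher points mean review first."""
    scopes = {s.lower() for s in grant.scopes}
    data_hits = sorted(scopes & DATA_SCOPES)
    persistent = PERSISTENT_SCOPE in scopes
    rare = grant.users_consented <= 2  # assumed cutoff for "rare in tenant"
    reasons = []
    if data_hits:
        reasons.append("data scopes: " + ", ".join(data_hits))
    if persistent:
        reasons.append("long-lived access (refresh token)")
    if not grant.publisher_verified:
        reasons.append("unverified publisher")
    if rare:
        reasons.append("rare app in tenant")
    # Assumed weights: one point per data scope, two each for persistence
    # and an unverified publisher, one for a rarely consented app.
    points = len(data_hits) + 2 * persistent + 2 * (not grant.publisher_verified) + rare
    return points, reasons

def triage(grants, threshold=4):
    """Return (points, app_name, reasons) for grants at or above threshold."""
    scored = [(*score(g), g.app_name) for g in grants]
    flagged = [(p, name, why) for p, why, name in scored if p >= threshold]
    return sorted(flagged, key=lambda f: (-f[0], f[1]))

# Constructed sample grants, not real applications.
SAMPLE_GRANTS = [
    Grant("Contoso CRM", True, frozenset({"User.Read"}), 140),
    Grant("DocuShare Viewer", False,
          frozenset({"Mail.Read", "Contacts.Read", "offline_access"}), 1),
    Grant("Calendar Sync", True, frozenset({"Mail.Read", "offline_access"}), 60),
]

if __name__ == "__main__":
    for points, name, why in triage(SAMPLE_GRANTS):
        print(points, name, "; ".join(why))
```

A grant flagged this way is a candidate for revoking the app's consent and its tokens, since resetting the user's password alone does not invalidate an OAuth refresh token that has already been issued.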
“For the attacker, creating or using tools available to mimic logon pages can lessen the amount of work required, with cloud apps,” said Morris. “For example, phishing for [credentials] to a bank account would be limited to only customers of the targeted bank, whereas, a cloud service, like Gmail would have many more potential targets.”
Phishing and spear phishing in the cloud
What makes phishing and spear phishing in a cloud infrastructure different is the type of attack, according to Patrick Harr, CEO at SlashNext.
“The attackers use compromised cloud infrastructure to improve success,” said Harr. “You might see more malicious file attacks and targeted credential stealing focused on gaining more access to the organization.”
Phishing is all about getting credentials to access areas of the network hosting sensitive information. The whole idea behind phishing for cloud credentials or apps is to get a larger payload.
“With a simple phish, an attacker is trying to get credentials to bank accounts, which will yield access to those accounts,” said Morris. “With cloud services, the credentials that can be accessed could have far greater monetary value for ransomware or extortion.”
However, the simple phish in the cloud will still look like a phishing attack because it is going after a generic audience.
“Spear phishing will focus on a high-value target,” said Morris, with “bait” that is specially crafted and more believable than a generic phishing attempt. “Spear phishing can also involve reconnaissance to gain intel about their target to make the phishing email/text/call very personalized.”
Spear phishing targets provide more value to a threat actor because the credentials and data are more valuable. The higher the level of the target, the higher the level of assets involved. If an attacker already has access to some cloud applications from a company, it then becomes easier to create phishing that mimics corporate communications. This makes it easier to fool the target.
“Spear phishing uses social engineering tactics like personal information and executive and vendor impersonation to personalize attacks which makes these attacks more successful,” said Harr.
Implementing security training to raise awareness of these types of attacks is important. “Still, training is not a silver bullet because these attacks can be hard to spot,” Harr added, “so it’s also important to have security tools that can detect relationships and conduct contextual analysis to stop these attacks from entering the organization.”
Netskope’s report recommended using cloud and SaaS security management programs to help protect sensitive data in cloud applications from phishing attacks, and to regularly use MFA or single sign-on tools.
Remember, the most important task when it comes to a spear phishing attack is to use zero trust and verify anything before automatically clicking on a link or sharing information.