Vanity URLs Could Be Spoofed for Social Engineering Attacks

Published: 23/11/2024   Category: security




Attackers could abuse the vanity subdomains of popular cloud services such as Box.com, Google, and Zoom to mask attacks in phishing campaigns.



Vanity links created by companies to add their brand to well-known cloud services could become a useful vector for phishing attacks and a way to better fool victims, researchers warn.
Cloud services that don't check whether subdomains have been modified could allow links that appear to be from varonis.box.com or apple.zoom.us — two examples used in an advisory from data-protection firm Varonis on Wednesday. In the case of Box.com, that could lead to a malicious document; in the case of Zoom, that could mean a webinar that collects information and is unrelated to the cited brand. The problem occurs when a cloud service allows a vanity subdomain but does not validate the subdomain or use the subdomain to provide services.
Varonis notified Box.com and Zoom of the issue — along with Google, whose links to Google Docs could be spoofed — more than six months ago, and the problems are mostly fixed, the company stated. However, the problem likely exists for other services, says Or Emanuel, director of research and security for Varonis.
“We think it is more than just those three SaaS services,” he says, adding that attackers can also use the predictability of the subdomains to select potential victims. “Because of the vanity URLs, it makes it very easy for threat actors to scan all the subdomains of all the big Fortune companies with different cloud providers,” he says.
Hiding malicious code and phishing sites behind what appear to be well-known brands is a key way for attackers to fool victims into trusting fraudulent e-mail messages and links to websites. In 2019, for example, three-quarters of companies discovered that lookalike domains had been established by a third party using a non-.COM top-level domain. Because of the expansion of top-level domains, phishers and fraudsters have a broader selection of potential domains, while companies have to consider purchasing a broad swath of domains to adequately protect their intellectual property and brand.
Varonis's research examines the problem from the other direction. Rather than looking at the top-level domains, the company's researchers investigated ways of abusing the subdomains that many cloud service providers allow their customers to use.
“Not only do vanity URLs feel more professional, but they also provide a sense of security for end-users,” Varonis stated in the advisory. “Most people are likelier to trust a link at varonis.box.com than a generic app.box.com link. However, if someone can spoof that subdomain, then trusting the vanity URL can backfire.”
Social Engineering With Zoom
A software-as-a-service (SaaS) application is vulnerable to the attack when a customer is allowed to use their brand as the subdomain, such as varonis.zoom.us, but at the point where the link is sent to a third party — such as participants in a conference call or webinar — the subdomain is no longer checked. In the case of Zoom's service, attackers could create a webinar that asks registrants a variety of questions useful for social engineering, rebrand the webinar as a popular company, and then change the resulting URL to the targeted company's brand. The original domain — attacker.zoom.us, for example — could be changed to varonis.zoom.us without any impact on the functionality of the link.
A properly branded page could fool a victim into giving information, especially when the subdomain indicates the host is a well-known company. In the case of Box.com, a link such as app.box.com/f/abcd1234 could be changed to varonis.app.box.com/f/abcd1234 to appear to be an official form collecting information, but actually send the information to the attacker.
“The more interesting attacks from a data protection standpoint are when you have forms for registration or file-sharing requests,” Emanuel says. “When the threat actor controls these pages, they can ask for any information they want, and it seems totally legit. It's really hard to determine that it's not a page that the company owns.”
Such social engineering becomes useful in phishing attacks, as well as for convincing people to click on links or download untrusted files. In 2021, losses from cybercrime including phishing attacks reached nearly $7 billion, according to the FBI's annual Internet Crime Complaint Center (IC3) report. Phishing accounted for about 38% of the more than 847,000 crimes reported to the IC3.
Cloud providers should ensure that any customization of the URL is validated by the encoding in the link, Emanuel says. Box.com and Google have both fixed the issues, although the bugs still exist for Google Forms and Google Docs when using the “Publish to the web” feature, according to Varonis. Zoom will warn users when the subdomain has been changed. “We have addressed this issue by warning users if they are being redirected to a different subdomain,” a company spokesperson said.
In addition, users should always be skeptical of links, especially if the linked page requests too much information or leads to other links or files.
“We recommend educating your coworkers about the risk associated with clicking on such links and especially submitting PII and other sensitive information via forms, even if they appear to be hosted by your company’s sanctioned SaaS accounts,” Varonis stated in the advisory.
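The provider-side validation Emanuel describes, as an added example that is not part of the article and is not code from Varonis, Box, Zoom or Google: a small Python model of a share-link handler in which the weak version ignores the subdomain (so the app.box.com to varonis.app.box.com substitution works unchanged) and the hardened version serves a resource on a vanity host only when that vanity label belongs to the resource's owner, otherwise returning the canonical URL so the client can redirect and warn the user, as Zoom now does. The provider domain example-saas.test, the /f/<id> path layout and the tenant and resource tables are all assumptions.

```python
"""
Added illustration (not Varonis's, Box's, Zoom's or Google's code) of the
server-side check the article calls for: a vanity subdomain must be bound to
the tenant that owns the linked resource.

Everything here is hypothetical: the provider domain example-saas.test,
the /f/<id> path layout, and the tenant and resource tables.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

BASE_DOMAIN = "example-saas.test"          # hypothetical SaaS provider
GENERIC_HOST = f"app.{BASE_DOMAIN}"        # the un-branded host, like app.box.com

# Constructed sample data.
# resource id -> tenant that owns it
RESOURCE_OWNER = {"abcd1234": "acme", "ffff0000": "other-tenant"}
# tenant -> vanity label the tenant registered (<label>.app.example-saas.test)
TENANT_VANITY = {"acme": "acme", "other-tenant": "other"}


@dataclass
class Decision:
    serve: bool                          # True if the resource is returned as-is
    reason: str
    canonical_url: Optional[str] = None  # redirect target (with a warning) on mismatch


def vanity_label(host: str) -> Optional[str]:
    """Return the single vanity label in front of the generic host, or None
    for the generic host itself. Anything else is not a valid provider host."""
    host = host.lower().rstrip(".")
    if host == GENERIC_HOST:
        return None
    suffix = "." + GENERIC_HOST
    if not host.endswith(suffix):
        raise ValueError(f"{host!r} is not under {GENERIC_HOST}")
    label = host[: -len(suffix)]
    if not label or "." in label:
        # Exactly one label is allowed; reject empty or multi-level prefixes.
        raise ValueError(f"invalid vanity label {label!r}")
    return label


def resource_id(path: str) -> Optional[str]:
    """Extract <id> from a share path of the form /f/<id>."""
    parts = path.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "f" and parts[1]:
        return parts[1]
    return None


def handle_unchecked(host: str, path: str) -> Decision:
    """The weak behaviour described in the article: the subdomain is purely
    cosmetic, so any tenant's label can be placed in front of any resource."""
    rid = resource_id(path)
    if rid not in RESOURCE_OWNER:
        return Decision(False, "not found")
    return Decision(True, "served without validating the subdomain")


def handle_validated(host: str, path: str) -> Decision:
    """Hardened behaviour: serve on the generic host, or on a vanity host only
    when that vanity label belongs to the resource owner. On a mismatch,
    refuse and point the client at the canonical URL so a warning can be shown."""
    rid = resource_id(path)
    if rid is None or rid not in RESOURCE_OWNER:
        return Decision(False, "not found")
    try:
        label = vanity_label(host)
    except ValueError as exc:
        return Decision(False, f"rejected host: {exc}")
    if label is None:
        return Decision(True, "served on generic host")
    owner = RESOURCE_OWNER[rid]
    if TENANT_VANITY.get(owner) == label:
        return Decision(True, f"served: vanity {label!r} owns resource {rid!r}")
    canonical = f"https://{GENERIC_HOST}{path}"
    return Decision(False,
                    f"mismatch: vanity {label!r} does not own resource {rid!r}",
                    canonical)


def check_url(url: str, validated: bool = True) -> Decision:
    """Route a full URL through either handler."""
    parts = urlsplit(url)
    handler = handle_validated if validated else handle_unchecked
    return handler(parts.hostname or "", parts.path)


if __name__ == "__main__":
    for url in ("https://app.example-saas.test/f/abcd1234",
                "https://acme.app.example-saas.test/f/abcd1234",
                "https://acme.app.example-saas.test/f/ffff0000"):
        print(url, "->", check_url(url, validated=False).reason,
              "|", check_url(url).reason)
```

The third URL in the demo is the article's scenario: a resource belonging to one tenant placed under another tenant's vanity label. The unchecked handler serves it, while the validated handler refuses it and hands back the generic-host URL. The single-label rule in vanity_label also rejects multi-level prefixes, so a host like evil.acme.app.example-saas.test cannot be used to make a lookalike pass.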
