Login pages, especially trusted ones, should always be secure. But what happens when that trusted login page becomes the start of a scam?
A new wave of sophisticated phishing attacks has started exploiting a feature millions of us use every day: signing into websites. One of the most popular protocols for authenticating login details is OAuth 2.0. This protocol ensures that users can be authenticated without having to hand their passwords over to third-party providers. Instead, the site requests permission from the identity provider – such as Microsoft Entra ID or Google Workspace – to securely confirm the user’s identity on its behalf.
The main attraction of OAuth is that it’s both convenient and secure. As a protocol, it’s straightforward and minimizes the risk of exposing credentials to unauthorized sites. However, its popularity has made it an attractive target for hackers. And by manipulating OAuth, they’ve managed to trigger failures in the authentication process, making the technique highly dangerous and efficient.
Using Trust to Trap Victims
As with so many modern attacks, this scam is kickstarted by a convincing phishing email. These emails use a wide range of topics to deceive recipients into taking actions, e.g. urgent claims about Microsoft Teams meeting recordings, Social Security alerts, and password reset notifications. All of these lures are designed to encourage a quick response.
Each email contains a link that points to a genuine OAuth authorization endpoint (e.g., login.microsoftonline.com or accounts.google.com). To the untrained eye, it appears to be a standard Microsoft or Google sign-in page. And indeed it is, but it’s one which has been tinkered with: the URL carries additional parameters which force an error through OAuth’s error-handling mechanism.
Attackers first register a fake app inside their own Microsoft account environment. They configure it so that, if an error occurs during the login process, the identity provider redirects the user to a website the attackers control (the app’s registered redirect location). They then craft a login request that is designed to fail. When it does, the identity provider behaves exactly as specified and sends the user, along with the error, to the attackers’ website.
The victim is stealthily redirected to a website controlled by the attackers, often without noticing anything unusual. At this stage, no passwords are stolen and no systems are compromised. Instead, the hackers are simply abusing the login process. Nonetheless, once users have been redirected to the fake page, they are likely to see a false login screen or be prompted to download a file. Interacting with either option can install malware and give attackers full access to the PC.
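One way a mail filter or security team can screen links for the pattern described above, as an added example that is not part of the original post: a link to a known identity-provider authorization endpoint whose redirect_uri points outside the organisation’s own registered apps is flagged. The allowlist, the zero-GUID client_id and the sample links are constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Authorization hosts of the identity providers named in the post.
IDP_AUTHORIZE_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}

# Hypothetical allowlist: redirect_uri hosts that your own registered apps use.
TRUSTED_REDIRECT_HOSTS = {"app.example.com"}


def inspect_oauth_link(url: str, trusted_hosts=TRUSTED_REDIRECT_HOSTS) -> dict:
    """Classify a single link found in an email.

    verdict is one of 'not_oauth', 'ok' or 'suspicious'. A link is suspicious
    when it is a genuine IdP authorize URL whose redirect_uri parameter names a
    host outside the allowlist: that is the shape of the error-redirect lure,
    because both success and error responses are sent to that redirect_uri.
    """
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if host not in IDP_AUTHORIZE_HOSTS:
        return {"verdict": "not_oauth", "reason": f"{host!r} is not a known IdP host"}
    # parse_qs percent-decodes values, so an encoded redirect_uri is handled.
    redirect = parse_qs(parts.query).get("redirect_uri", [None])[0]
    if redirect is None:
        return {"verdict": "ok", "reason": "no redirect_uri parameter present"}
    rhost = (urlparse(redirect).hostname or "").lower()
    if rhost in trusted_hosts:
        return {"verdict": "ok", "reason": f"redirect_uri host {rhost!r} is allowlisted"}
    return {"verdict": "suspicious",
            "reason": f"IdP authorize link redirects to untrusted host {rhost!r}"}


def suspicious_links(links):
    """Return only the links that warrant analyst review."""
    return [u for u in links if inspect_oauth_link(u)["verdict"] == "suspicious"]


# Constructed sample links, as they might be extracted from a lure email.
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fattacker-controlled.example%2Fcb&scope=openid",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fauth&scope=openid",
    "https://www.example.com/teams-recording",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(inspect_oauth_link(link))
```

The check is deliberately coarse; a production filter would also compare the client_id against the tenant’s known app registrations.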
How to Stay Safe from Login Scams
Despite the innovation of this login scam, it’s relatively easy for users and organizations to defend against it with these best practices:
- Always be suspicious of any emails which push users to act urgently and perform an action, e.g. clicking links or downloading files. Double check any such emails with an IT professional.
- Never ignore anything unusual during a login process, such as being redirected to a different website or a file downloading automatically. Genuine OAuth sign-ins will very rarely do either.
- Multi-factor authentication is one of the simplest ways to protect your accounts and systems. By placing another layer of security in front of your accounts and systems, you’re creating a complex barrier for hackers to penetrate.
For more ways to secure and optimize your business technology, contact your local IT professionals.