Varonis Threat Labs has discovered vulnerabilities in Zoom, Box and Google Docs that allow cybercriminals to spoof vanity URLs. As a result, phishing links appear trustworthy even to trained employees, which increases the likelihood that attacks succeed.
When users click a link that appears to come from their employer, a customer or a partner, they are taken to a seemingly authentic phishing page that asks them to reveal sensitive data such as passwords and personal information. Depending on the social-engineering pretext, the request looks entirely plausible to the user. For example, a vanity URL could be used to invite staff to an internal webinar about an alleged cyber attack, with a note that passwords must be changed before attending. Box has closed this vulnerability, but such manipulations are still possible with Zoom and Google.
What lies behind a vanity URL
Many SaaS applications offer what is known as a vanity URL, i.e. a customizable web address for websites, forms and file-sharing links. A vanity URL lets an organization create a personalized link such as varonis.example.com/s/1234 instead of app.example.com/s/1234. However, Varonis Threat Labs found that some applications validate only the URI path (such as /s/1234) and not the legitimacy of the vanity subdomain (such as yourcompany.example.com).
As a result, attackers can use their own SaaS accounts to generate links to malicious content such as files, folders, landing pages or forms that appear to be hosted by a legitimate company's SaaS account; only the subdomain in the link has to be changed. Such fake URLs can then be used for phishing campaigns, social-engineering attacks, reputation attacks and malware distribution.
Zoom offers hosting for companies
Zoom allows businesses to use a vanity URL such as "yourcompany.zoom.us" to host webinar registration pages, employee login pages, meetings, recordings and more; logos can be uploaded and the color scheme adjusted. This allows attackers to place their own content under a seemingly legitimate domain and make the landing pages look real. As a general rule (although not always), the redirect triggers a pop-up warning informing the user that they are about to access external content that does not belong to their own domain. These warnings are nevertheless often ignored, especially by less trained employees, so the technique can be very effective.
For some Zoom webinars, Varonis researchers were able to change the registration URL to include any company's subdomain without triggering a warning. Malicious webinar registration forms can therefore be used to harvest employees' or customers' personal information or passwords. Varonis Threat Labs accordingly urges caution with Zoom links, particularly those containing ".zoom.us/rec/play/", and advises that no sensitive personal information be entered into meeting registration forms, even if the form appears to be hosted on an official subdomain with the correct logo and branding. Zoom is currently working on a fix for these problems.
Vanity URL: Google Docs and Google Forms
Web applications that have no dedicated vanity URL feature can be exploited in a similar way. For example, a Google Form that requests confidential data can be given the logo of the company in question and distributed to customers or employees as "yourcompany.docs.google.com/forms/d/e/:form_id/viewform" so that it appears legitimate. Likewise, any Google Doc shared through the Publish to Web option can be spoofed. Google is currently working on a fix for this problem.
A SaaS vanity URL is a useful feature that lets organizations customize their links and, if implemented securely, can help protect users from phishing. However, as Varonis Threat Labs has shown, these URLs can be spoofed, so they should be treated with the same suspicion as any other URL. Employees must be made aware of the risk of clicking such links, and in particular of submitting personal or other sensitive information through forms, even when the forms appear to be hosted by the company's approved SaaS accounts.
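The subdomain check the article says some providers skip can be performed on the defender's side, for instance in a mail gateway or a link-triage script. The following is an added example written for this article, not code from Varonis, Zoom or Google. It assumes a constructed allowlist in which "examplecorp" is the only Zoom tenant the organization owns, treats docs.google.com as having no legitimate tenant subdomain at all (as the article describes), and marks the ".zoom.us/rec/play/" and registration/form paths the article singles out for extra scrutiny; the link values in the main block are constructed samples.

```python
"""Flag SaaS links whose vanity subdomain is not one the organization owns.

Added example (not Varonis, Zoom or Google code). The tenant names below are
constructed placeholders; replace them with the subdomains your company has
actually registered with each provider.
"""
from urllib.parse import urlsplit

# Constructed allowlist: provider base domain -> tenant subdomains we own.
# docs.google.com gets an empty set because Google Docs/Forms has no
# tenant-specific vanity subdomain, so any label in front of it is spurious.
APPROVED_TENANTS = {
    "zoom.us": {"examplecorp"},
    "docs.google.com": set(),
}

# Path prefixes that collect data or play recordings: worth a second look
# even on an approved host (the article advises caution for /rec/play/).
SENSITIVE_PATHS = ("/rec/play/", "/webinar/register", "/forms/d/e/")


def split_host(host, base):
    """Return the label in front of `base`, '' if host == base, None otherwise.

    'examplecorp.zoom.us' -> 'examplecorp'; 'zoom.us' -> ''; 'zoom.us.evil.test' -> None
    """
    if host == base:
        return ""
    suffix = "." + base
    if host.endswith(suffix):
        return host[: -len(suffix)]
    return None


def classify_link(url):
    """Return (verdict, reason) for a link.

    verdict is 'ok', 'review', 'suspicious' or 'unknown-provider'.
    """
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()  # hostname drops port and case
    path = parts.path or "/"

    for base, tenants in APPROVED_TENANTS.items():
        label = split_host(host, base)
        if label is None:
            continue  # not this provider
        if label == "":
            reason = f"plain {base} link"
        elif label in tenants:
            reason = f"approved tenant '{label}' on {base}"
        else:
            # The provider may not validate this label; we do.
            return "suspicious", f"unapproved subdomain '{label}' on {base}"
        if any(path.startswith(p) for p in SENSITIVE_PATHS):
            return "review", f"{reason}; path {path} matches a form/recording pattern"
        return "ok", reason
    return "unknown-provider", f"host '{host}' is not a listed SaaS provider"


def triage(links):
    """Classify a batch of links; returns {url: verdict}."""
    return {u: classify_link(u)[0] for u in links}


if __name__ == "__main__":
    # Constructed sample links, not real phishing URLs.
    samples = [
        "https://examplecorp.zoom.us/j/123456",
        "https://othercorp.zoom.us/webinar/register/WN_sample",
        "https://examplecorp.zoom.us/rec/play/sample",
        "https://examplecorp.docs.google.com/forms/d/e/FORM_ID/viewform",
        "https://docs.google.com/forms/d/e/FORM_ID/viewform",
        "https://zoom.us.attacker.test/j/1",
    ]
    for url in samples:
        verdict, reason = classify_link(url)
        print(f"{verdict:17} {url}  ({reason})")
```

The check deliberately treats any label that is not an exact allowlisted tenant as suspicious, so "evil.examplecorp.zoom.us" and a look-alike tenant are both caught, and a host such as "zoom.us.attacker.test" falls through to "unknown-provider" rather than being matched by a loose substring test.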
Monitor SaaS applications for suspicious activity
“Companies train their employees to be vigilant and careful when opening emails. But URL spoofing can effectively counteract this,” explains Michael Scheffler, Country Manager DACH at Varonis. “Vanity URL spoofing is a perfect way for attackers to steal personal information such as passwords and sensitive data, or trick users into downloading malicious files. Therefore, security leaders need to be vigilant and pay particular attention to suspicious activity in their SaaS applications.”
Since 2005, Varonis has taken a different approach than most IT security vendors by placing enterprise data, stored both on-premises and in the cloud, at the heart of its security strategy. Varonis Data Security Platform (DSP) detects insider threats and cyberattacks by analyzing data, account activity, telemetry, and user behavior. It can also prevent or mitigate data breaches by locking down sensitive, regulated, and outdated data. DSP maintains a safe state of the systems through efficient automation. (sg)