Researchers discovered on Wednesday that some apps do not validate the legitimacy of a custom URL’s subdomain, but only validate the Uniform Resource Identifier (URI). As a result, hackers can use their own SaaS accounts to generate links to malicious content that appears to be hosted by a company’s sanctioned Software-as-a-Service account.
In a blog post, Varonis researchers detail how they were able to spoof links from Box, Google and Zoom, showing how attackers can use spoofed URLs for phishing campaigns, social engineering attacks, reputation attacks and malicious software distribution.
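As an added illustration (not code from Varonis or from the vendors named above), the Python below contrasts the weak pattern the article describes, accepting any host that ends in the vendor's domain, with a check that requires an exact match against the organization's own sanctioned tenant hosts. The tenant hostnames are hypothetical placeholders, not values from the report.

```python
from urllib.parse import urlsplit

# Constructed example: the organization's sanctioned SaaS tenants, keyed by the
# exact host each tenant's links are served from. These hostnames are
# hypothetical placeholders, not real vendor domains.
SANCTIONED_HOSTS = {
    "acme.app.box.example",   # hypothetical Box-style custom subdomain
    "acme.zoom.example",      # hypothetical Zoom-style vanity subdomain
}

# The vendor-level suffixes a suffix-only check would accept (hypothetical).
VENDOR_SUFFIXES = (".app.box.example", ".zoom.example")


def weak_check(url: str) -> bool:
    """The flawed pattern: trust any host under the vendor's domain.

    Any tenant the attacker controls (e.g. evil.app.box.example) passes,
    which is exactly the spoofing the article describes.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host.endswith(VENDOR_SUFFIXES)


def strict_check(url: str) -> bool:
    """Hardened form: require https and an exact sanctioned-tenant host.

    urlsplit().hostname already strips userinfo and port and lowercases the
    host, so tricks like https://acme.app.box.example@evil.example/ resolve
    to the real host (evil.example) and are rejected.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host in SANCTIONED_HOSTS


def flag_lookalike_links(urls: list[str]) -> list[str]:
    """Detection helper: links that pass the weak check but fail the strict
    one are exactly the "looks like our SaaS, is not our tenant" cases."""
    return [u for u in urls if weak_check(u) and not strict_check(u)]
```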
Phishing campaigns often include typos, all-too-obvious fake links and other red flags that most people can identify fairly easily, said Corey O’Connor, chief product officer at DoControl. O’Connor feared that by simply changing the subdomain, a bad actor could create a link that looks entirely legitimate.
“Careless insiders continue to fall for less than convincing phishing attempts,” O’Connor said. “This vulnerability expands the attack vector in SaaS, and does so very convincingly. This is another example where SaaS security and insider risks need to be prioritized and managed more effectively by CISOs and practitioners respectively.”
Barry Ruditsky, senior vice president at SlashNext, said the company has had this type of use case with its customers, who leverage its API to identify cybercriminals using their cloud services to launch malicious URLs.
“This issue has become a significant issue for organizations,” Ruditsky said. “URL spoofing and masking of malicious URLs on trusted cloud services is a tactic increasingly used by cybercriminals. Many security protection services do not have the technology to identify these malicious URLs. In fact, right now we’re tracking over 60,000 zero-hour active malicious URLs that exploit legitimate domains and SaaS environments, including Box.com, Zoom, Google Docs, and SharePoint services.”