Phishing Emails Target Coinbase Exchange UsersMessages Use an OAuth-Based Consent App to Gain Office 365 Access
Fraudsters are sending phishing emails with messages about the Coinbase cryptocurrency exchange to Microsoft Office 365 users in an attempt to take over their inboxes and gain access to data, according to the security firm KnowBe4.
See Also: 2022 Unit 42 Incident Response Report
The phishing emails ask recipients to update their terms of service agreement with Coinbase through an OAuth-based consent app, KnowBe4 reports.
OAuth is a protocol that allows third-party applications to access cloud-based accounts such as Office 365. These applications don't see a user's login credentials but instead receive a token that gives them limited access to an account (see: Phishing Defense: Block OAuth Token Attacks).
If phishing message recipients grant an OAuth-based app access to a cloud platform, the app could give fraudsters a way to view contacts, messages and calendar information in Gmail or Office 365. For an OAuth compromise to work, a fraudster only has to get a victim to click once to authorize third-party access. The account access can persist unless it is revoked, which usually happens on the administrative level, according to security experts.
Phishing campaigns leveraging OAuth are on the upswing, says Stu Sjouwerman, CEO of KnowBe4. "We’ve seen consent app-based attacks since the beginning of this year," he says.
Roger Grimes, a data-driven defense evangelist with KnowBe4, says the methods used in the ongoing phishing campaign "take above-average coordination to accomplish. This points to a more experienced team who has already mastered the easier forms of phishing."
Large Target Audience
Coinbase has about 35 million users. "Coinbase users are a pretty sizable target audience. At least that’s what the bad guys are betting on," Sjouwerman says. "And, from what we see in this latest attack, they’re also betting that Coinbase users are using Office 365."
The phishing emails contain a link asking the potential victim to update a terms of service agreement with Coinbase. The link opens to a legitimate-looking Office 365 login page, on which the user is greeted with a request to access Office 365 mailbox and information, citing "coinbaseterms.app" as the requester.
If the victim grants permission, the OAuth-based app starts accessing the compromised Office 365 account, including emails and other personal or organizational data, according to KnowBe4.
Grimes notes that phishing campaigns that use OAuth-based apps take advantage of users not paying attention to the types of permission that they are granting.
"When an OAuth permissions prompt asks a user to confirm a particular permissions request, the default answer is 'OK,'" Grimes tells Information Security Media Group. "This is one of the few places left in the computer world where the default answer or simply hitting 'enter' or clicking on 'OK' can hurt the end user."
In July, Microsoft said it had seen an uptick in fraudsters abusing OAuth-based apps in an approach it called “consent-based phishing.”
In May, the security firm Cofense uncovered a phishing campaign that bypassed multifactor authentication in Office 365 to steal credentials or launch further attacks. The fraudsters leveraged the OAuth 2.0 framework and the OpenID Connect protocol, which help authenticate users of Office 365 (see: Phishing Attack Bypassed Office 365 Multifactor Protections).