
Phishing - Introduction


Many of us receive phishing emails that claim to come from a bank and say something like “Dear Client, we have to login to your account to verify your credentials.” When you actually log in with your details, the page says “unable to login” or shows some other error message. In the background, your credentials have been stolen. This is email phishing.

What is OAuth (Open Authorization)?

Hackers are exploiting a cloud protocol called OAuth. The issue is not specific to attacks on Google. OAuth, or open standard for authorization, is a standardized way for internet accounts to link with third-party applications. It is universally adopted by almost all web-based applications and platforms, including consumer as well as enterprise applications such as Google Apps, Microsoft Office, Salesforce and many others.


OAuth powers the cloud, enabling the API economy and enhancing the user experience. At the same time, in the wrong hands OAuth can be a weapon, and it is a nightmare for IT security teams.

For example: an attacker sets up infrastructure and a fake app and sends a phishing email. The victim opens the email and clicks the link. The victim is sent to Google's OAuth page to authenticate and grant permissions. The user is then redirected to an attacker-controlled website and prompted to allow or deny access. On the backend, if the user allows access, Google provisions an OAuth token, appends it to the redirect URL and instructs the victim's browser to redirect to the attacker's domain. The attacker gains access to the OAuth token once the user is redirected to one of the attacker-controlled domains. The attacker then uses the granted privileges (such as email, contacts, etc.) to send emails from the victim's account and propagate the worm.
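The flow above can be checked on the defender's side by inspecting the authorization link itself. The following Python sketch is an added example, not part of the original article; the scope list, the redirect-host allowlist and the sample link are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Assumptions for this sketch: which scopes count as high-risk and which
# redirect hosts the organisation has approved. Both sets are illustrative.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",                  # full mailbox access
    "https://www.googleapis.com/auth/contacts",  # contacts access
}
APPROVED_REDIRECT_HOSTS = {"apps.example.com"}   # hypothetical allowlist


def review_authorization_link(url):
    """Return a list of findings for an OAuth 2.0 authorization URL."""
    params = parse_qs(urlsplit(url).query)
    findings = []

    # Without client_id and redirect_uri this is not an authorization request.
    if "client_id" not in params or "redirect_uri" not in params:
        return findings

    # The provider's login page is genuine; what matters is where the grant goes.
    redirect_host = (urlsplit(params["redirect_uri"][0]).hostname or "").lower()
    if redirect_host not in APPROVED_REDIRECT_HOSTS:
        findings.append(f"unapproved redirect host: {redirect_host}")

    # The scope parameter is a space-delimited list (RFC 6749, section 3.3).
    requested = set(" ".join(params.get("scope", [])).split())
    for scope in sorted(requested & HIGH_RISK_SCOPES):
        findings.append(f"high-risk scope: {scope}")

    # response_type=token means the token is appended to the redirect URL.
    if "token" in " ".join(params.get("response_type", [])).split():
        findings.append("token returned in redirect URL (response_type=token)")
    return findings


# Constructed sample: genuine provider host, but the grant is sent elsewhere.
SAMPLE_LINK = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=constructed-client-id"
    "&response_type=token"
    "&redirect_uri=https%3A%2F%2Fdocs-viewer.example.net%2Fcallback"
    "&scope=https%3A%2F%2Fmail.google.com%2F"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)

if __name__ == "__main__":
    for finding in review_authorization_link(SAMPLE_LINK):
        print(finding)
```

The same three checks (redirect host, requested scopes, response type) apply when reviewing the third-party app grants already present on an account.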


OAuth-based attacks bypass all standard security layers. Changing passwords won't address this issue, and enabling multi-factor authentication will not mitigate the risk.

Thank you for reading this article. 
