Fake Vanity URLs on Zoom and Google

B2B Cyber Security ShortNews


URL spoofing enables targeted social engineering attacks. Varonis warns against fake vanity URLs on Zoom and Google. Varonis Threat Labs has discovered vulnerabilities in Zoom, Box and Google Docs that allow cybercriminals to forge invite URLs with little effort.

As a result, phishing links appear trustworthy even to trained employees, which significantly increases the likelihood of a successful attack: if they click on a link that seems to come from their employer, a customer or a partner, they are taken to an authentic-looking phishing page where they are induced to reveal sensitive data such as passwords and personal information.

Depending on the social engineering pretext, the request can look entirely plausible to the user. For example, an employee could be invited to an urgent internal webinar about an alleged cyber attack, with the instruction to change their password first. Box has closed this vulnerability; with Zoom and Google such manipulations are still possible.

What are vanity URLs?

Many SaaS applications offer so-called vanity URLs, i.e. customizable web addresses for web pages, forms and file-sharing links. A vanity URL turns a generic link such as app.example.com/s/1234 into a branded one such as varonis.example.com/s/1234. However, Varonis Threat Labs discovered that some applications do not validate the legitimacy of the vanity URL subdomain (e.g. yourcompany.example.com), only the path (such as /s/1234).

As a result, attackers can use their own SaaS accounts to generate links to malicious content such as files, folders, landing pages or forms, and make those links appear to be hosted under the target company's SaaS account. All that has to be changed is the subdomain in the link. These fake URLs can then be used for phishing campaigns, social engineering attacks, reputation attacks and malware distribution.
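To make the mechanism described above concrete, here is an added Python sketch (not code from Varonis or from any of the vendors named on this page) of a link resolver that validates only the resource path, next to one that also checks that the tenant owning the vanity subdomain owns the resource. The service domain example.com, the host app.example.com, the tenant and resource tables and the sample links are constructed assumptions for the example.

```python
"""Path-only validation versus tenant-scoped validation of a vanity URL.

Added illustration for this article; it is not Varonis's, Zoom's, Box's or
Google's code. The SaaS domain, the tenant and resource tables and the
sample links are constructed for the example.
"""
from urllib.parse import urlsplit

BASE_DOMAIN = "example.com"            # hypothetical SaaS domain (stands in for zoom.us, box.com, ...)
CANONICAL_HOST = "app." + BASE_DOMAIN   # the unbranded host on which every tenant's links also work

# Constructed tenant data: which tenant registered which vanity subdomain, and
# which tenant owns each shareable resource (file, folder, form, webinar, ...).
VANITY_SUBDOMAINS = {"yourcompany": "tenant-victim", "attacker-inc": "tenant-attacker"}
RESOURCES = {"s/1234": "tenant-victim", "s/9999": "tenant-attacker"}


def split_vanity(url):
    """Return (vanity_subdomain_or_None, resource_path) for a link on this service."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.strip("/")
    if host in (BASE_DOMAIN, CANONICAL_HOST):
        return None, path
    suffix = "." + BASE_DOMAIN
    if not host.endswith(suffix):
        raise ValueError("not a link on this service: " + host)
    return host[: -len(suffix)], path


def resolve_vulnerable(url):
    """The pattern Varonis describes: only the resource id is looked up, the
    subdomain merely selects the branding and is otherwise ignored."""
    _subdomain, path = split_vanity(url)
    owner = RESOURCES.get(path)
    if owner is None:
        return ("not_found", None)
    return ("serve", owner)       # rendered with whatever branding the subdomain selects


def resolve_hardened(url):
    """Tenant-scoped check: the tenant behind the vanity subdomain must also own
    the resource. Anything else is sent to the canonical, unbranded host."""
    subdomain, path = split_vanity(url)
    owner = RESOURCES.get(path)
    if owner is None:
        return ("not_found", None)
    if subdomain is None:
        return ("serve", owner)   # canonical host: no tenant branding to spoof
    if VANITY_SUBDOMAINS.get(subdomain) != owner:
        # Another tenant's (or an unregistered) subdomain is wrapping this
        # resource: refuse to render it under that tenant's branding.
        return ("redirect", "https://" + CANONICAL_HOST + "/" + path)
    return ("serve", owner)


if __name__ == "__main__":
    # The attacker's own file id 9999, rewritten to carry the victim's subdomain.
    spoofed = "https://yourcompany.example.com/s/9999"
    print(resolve_vulnerable(spoofed))   # ('serve', 'tenant-attacker') under the victim's branding
    print(resolve_hardened(spoofed))     # ('redirect', 'https://app.example.com/s/9999')
```

The hardened resolver redirects rather than simply failing so that a legitimately shared resource still opens, only without the borrowed branding; a service could equally return an error or show the external-content warning the article mentions for Zoom.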

Vanity URLs with Zoom

Zoom allows businesses to use a vanity URL such as yourcompany.zoom.us to host webinar registration pages, employee login pages, meetings, recordings and more. Logos can be uploaded and the color scheme adjusted. Attackers can therefore swap the subdomain of their own links for an apparently legitimate one and make the landing pages look like the real thing.

As a general rule (though not always), the redirect triggers a pop-up warning that the user is about to access external content that does not belong to their own domain. Such warnings are often ignored, however, especially by less well-trained employees, so this remains an effective attack technique.

Zoom: Registration URL can be changed

For some Zoom webinars, Varonis researchers were able to change the registration URL to include any company's subdomain without triggering a warning. In this way, malicious webinar registration forms can be used to harvest employees' or customers' personal information or passwords.

Varonis Threat Labs therefore urges caution with Zoom links, particularly those containing ".zoom.us/rec/play/", and advises against entering sensitive personal information in meeting registration forms, even if the form appears to be hosted on an official subdomain with the correct logo and branding. Zoom is currently working on a solution to these problems.

Trap: Google Docs and Google Forms

Web applications without a dedicated vanity URL feature can be exploited in a similar way. For example, a Google Form requesting confidential data can be given the logo of the respective company and distributed to customers or employees as yourcompany.docs.google.com/forms/d/e/:form_id/viewform to make it appear legitimate. Likewise, any Google Doc shared through the Publish to Web option can be spoofed. Google is currently working on a fix.
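The Zoom and Google findings above both come down to the same rule: the subdomain of such a link carries no proof of who owns the resource, so the path is what identifies it. The following added Python example (not Varonis's tooling) applies that rule as a link-triage step, stripping the branding subdomain to a canonical form for comparison with known-good links and attaching the warning signs the article names. The sample links are constructed, and the assumption that Zoom registration pages carry "register" in the path is this example's own.

```python
"""Triage of links that may abuse an unverified vanity subdomain.

Added example for this article, not Varonis's tooling. The sample links and
the assumption that Zoom registration pages carry "register" in the path are
this example's own.
"""
from urllib.parse import urlsplit


def classify_link(url):
    """Return the link's canonical (unbranded) form plus a list of findings.

    The subdomain of a zoom.us or docs.google.com link is stripped because the
    service does not check that it belongs to the tenant owning the resource:
    the path identifies the resource, the subdomain only dresses it up.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    query = ("?" + parts.query) if parts.query else ""
    findings = []
    canonical = url

    if host.endswith(".zoom.us"):
        sub = host[: -len(".zoom.us")]
        canonical = "https://zoom.us" + path + query
        findings.append("vanity subdomain '%s' is not tied to the resource owner; branding proves nothing" % sub)
        if path.startswith("/rec/play/"):
            findings.append("recording link (.zoom.us/rec/play/), the pattern Varonis singles out")
        if "/register" in path:  # assumption: webinar registration pages carry 'register' in the path
            findings.append("registration form: do not enter credentials or personal data")
    elif host.endswith(".docs.google.com"):
        sub = host[: -len(".docs.google.com")]
        canonical = "https://docs.google.com" + path + query
        findings.append("docs.google.com has no vanity URL feature; subdomain '%s' is a spoofing indicator" % sub)
        if path.startswith("/forms/"):
            findings.append("Google Form: any request for data on this form is suspect")

    verdict = "suspicious" if findings else "no vanity-URL indicator"
    return {"host": host, "canonical": canonical, "findings": findings, "verdict": verdict}


def triage(links):
    """Return only the links with findings, in the order given."""
    return [r for r in (classify_link(u) for u in links) if r["findings"]]


SAMPLE_LINKS = [  # constructed sample links, not taken from any real campaign
    "https://yourcompany.zoom.us/rec/play/AbCdEf123",
    "https://yourcompany.zoom.us/webinar/register/WN_xyz",
    "https://yourcompany.docs.google.com/forms/d/e/FORM_ID/viewform",
    "https://docs.google.com/forms/d/e/FORM_ID/viewform",
    "https://intranet.yourcompany.example/login",
]

if __name__ == "__main__":
    for result in triage(SAMPLE_LINKS):
        print(result["verdict"], result["canonical"])
        for finding in result["findings"]:
            print("   -", finding)
```

Note what the check deliberately does not do: it does not treat links carrying your own company's subdomain as safer, because that is exactly the subdomain an attacker would insert. The canonical form is what should be compared against links obtained from a trusted channel, such as the company's own Zoom admin console or a calendar invite from a known account.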

More at Varonis.com



About Varonis

Since its founding in 2005, Varonis has taken a different approach from most IT security providers by placing company data stored both on premises and in the cloud at the center of its security strategy: sensitive files and e-mails, confidential customer, patient and employee data, financial data, strategy and product plans and other intellectual property. The Varonis Data Security Platform (DSP) detects insider threats and cyber attacks by analyzing data, account activity, telemetry and user behavior, prevents or limits data breaches by locking down sensitive, regulated and stale data, and maintains a secure state of the systems through efficient automation.


