Criminals using fake Single Sign Ons to steal credentials

News by Rene Millman

Security researchers have warned that criminals are faking login pages from popular single-sign on (SSO) websites to steal victim's credentials.

The increasing availability and adoption of SSO on popular websites appears to have led to an increase in phishing pages that pretend to be SSO pages according to a blog post by researchers at Sucuri.
Luke Leal, a malware researcher at Sucuri, said that SSO is very convenient for most users. It means they don’t need to manage an ever-increasing list of login credentials, and can instead use a single login credential to authenticate with various services.
But malicious pages have been discovered to replicate popular services’ login processes like Dropbox or Docusign.
"Instead of logging in to the intended service, the users’ SSO login credentials are phished and passed off to bad actors," he said.
He added that phishing pages inform users that they can log into a third-party service (like Dropbox) by using their SSO email account from one of the popular providers.
Leal said that prior to SSO’s popularity, this was not common phishing tactic. "It would be highly unusual for someone to enter their email address and password when they were trying to log into a third-party service," he said.
In his investigations, he noted that in the past phishers would commonly set up individual phishing pages tailored to replicate the login page of each email provider. 
"For example, the phishing pages for Google, Hotmail, or AOL would exist in various subdirectories so that campaigns can replicate the address bar URL of each targeted service," he said.
Leal said that to mitigate damage in the event that your login information is compromised, the best solution is to use two-factor authentication.
"Two factor authentication makes it much more difficult for bad actors to access your account, as they require a secondary authentication method to complete the login process. We suggest avoiding SMS authentication whenever possible, as SMS messages can be intercepted and are not as secure as other multi-factor authentication methods," he added.
Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK that the use of SSO, or other authentication mechanisms not only creates convenience for users, but also helps make sites more secure. Especially for smaller companies that may not have the resources to deploy strong authentication, leveraging SSO from sites like Google can benefit all parties.
"And while these measures tighten the technical controls and limit technical attacks that can be launched, it pushes criminals further down the route of attacking the user though phishing or other social engineering attacks. It's therefore important that along with better technical controls, including multi-factor authentication, users need to be made aware of the risks of phishing attacks, how to spot them, and how to report if they fall victim," he said.
Jake Moore, cyber-security specialist at ESET, told SC Media UK that it’s imperative to only use single-sign-on with websites where you know the URL to be correct. 
"Phishing emails are becoming more effectively constructed and better at influencing people into handing over passwords and/or other personal information," he said.
 
"I personally still prefer using a password manager which stores all your unique passwords separately. This then protects you from losing all your SSO password should a phishing email nefariously steal it. Having separate passwords for different accounts limits the amount of data that can be breached if a password is stolen."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews