The technique mimics the visual cues of a new browser window popping up and asking for your login credentials for a well-known service. The proof of concept shows a pointer clicking a button on a webpage, after which what appears to be Microsoft’s SSO (single sign-on) page pops up. The user can even drag this window around by its title bar, which makes it feel like a real window. However, it is just an image drawn on the attacker’s website. This was the second story in as many weeks to mention SSO and data breaches, so you may be wondering: what’s going on with Single Sign-On, and is it secure?
Can You Trust SSO?
SSO is a web technology that allows you to use a login from a well-known and trusted company, such as Microsoft or Google, to sign in to another site or service. If you’ve ever used your Google account to sign in to Zoom, for instance, you were asking Zoom to ask Google whether you are who you say you are. This is a good thing for smaller services, since you don’t need to give them a new login and password, and you don’t have to trust a new company to protect your login information (although that’s not that big of an issue if you’re already practicing good password hygiene). On the other hand, this is one way for third-party services to gain access to information on some platforms, so be careful what permissions you grant these services.
The BitB attack uses the image of an SSO page because it leverages the trust you put in a large company, and because a lot of internet users use these credentials to sign in to other services. The attacker’s site is simply dressed up as something that the highest possible number of people feel comfortable logging in to.
Typically, SSO is a secure way to sign in to services, and its most important flaw for users is that if an account you use as an SSO identity is compromised, then all of the linked accounts are as well. Often, companies use SSO because they don’t want to manage identity and authentication themselves and would rather leave it to a bigger company.
A major provider of SSO services, Okta, recently disclosed that they had an intrusion on their network. The intruder was able to gain access through an attack on their customer support provider, compromising part of their network by targeting an older part of their network that wasn’t decommissioned when it should have been—a story that we’ve seen a few times now. The Okta attack doesn’t seem to be related to the recent disclosure of an intrusion on Microsoft’s network, although, confusingly, the same hacking group took credit for both. What is important here is that the problem wasn’t SSO infrastructure; the problem was Okta’s old VPN, which allowed attackers to gain some customer information.
Protecting Yourself from the New Phishing Threat
The BitB attack is just a more polished version of the usual phishing scams that try to trick you into entering credentials for something else. In this version, it’s virtually impossible to tell whether you’re looking at the real site or a fraudulent one unless you notice that the fake window looks different from your browser. A simple way to help you notice this is to change the color of your browser to something other than the default and to pay closer attention to the look of your address bar.
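As an added example, not code from the original post or from the proof of concept it describes, the following assumed Python helper turns that observation into a check that can run over fetched page HTML: because the fake window is an element inside the attacker’s page rather than a real browser window, it flags an identity-provider URL painted as visible page text (a drawn address bar) and an image or frame nested inside a positioned overlay (the drawn window). The identity-provider host list and both sample pages are constructed assumptions.

```python
"""Heuristic triage for Browser-in-the-Browser (BitB) lookalike windows in fetched HTML."""
import re
from html.parser import HTMLParser

# Sign-in hosts a painted address bar would imitate (assumed list; extend as needed).
IDP_URL = re.compile(r"https://(?:login\.microsoftonline\.com|accounts\.google\.com|login\.live\.com)\S*")
VOID_TAGS = {"img", "br", "input", "hr", "meta", "link"}  # never pushed on the open-tag stack

class BitbScanner(HTMLParser):
    """A fake popup lives inside the page DOM, so flag (1) an IdP URL shown as plain text outside
    any <a> (a painted address bar) and (2) an <img>/<iframe> nested in a positioned container."""
    def __init__(self):
        super().__init__()
        self.open, self.findings = [], []   # open: (tag, is_positioned) per currently open element
    def _inside(self, *tags):
        return any(t in tags for t, _ in self.open)
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        positioned = "position:fixed" in style or "position:absolute" in style
        if tag in ("img", "iframe") and any(pos for _, pos in self.open):
            self.findings.append(f"<{tag}> embedded in a positioned overlay: {a.get('src', '')}")
        if tag not in VOID_TAGS:
            self.open.append((tag, positioned))
    def handle_endtag(self, tag):
        for i in range(len(self.open) - 1, -1, -1):   # pop back to the matching open tag
            if self.open[i][0] == tag:
                del self.open[i:]
                break
    def handle_data(self, data):
        if self._inside("script", "style"):
            return
        m = IDP_URL.search(data)
        if m and not self._inside("a"):   # a real link keeps the URL in href, not in visible text
            self.findings.append(f"identity-provider URL rendered as page text: {m.group(0)}")

def scan_html(html: str) -> list:
    """Return the BitB indicators found in the HTML; an empty list means none were seen."""
    s = BitbScanner()
    s.feed(html)
    s.close()
    return s.findings

# Constructed samples (not captured from any real site).
BITB_PAGE = """<html><body><button>Sign in with Microsoft</button>
<div style="position: fixed; top: 120px; left: 300px;">
  <div class="titlebar" draggable="true">&#128274; https://login.microsoftonline.com/common/oauth2/authorize</div>
  <iframe src="https://example.invalid/fake-login"></iframe>
</div></body></html>"""
LEGIT_PAGE = '<p>Continue to <a href="https://login.microsoftonline.com/">https://login.microsoftonline.com/</a></p>'
```

Run `scan_html(BITB_PAGE)` to see both indicators reported and `scan_html(LEGIT_PAGE)` to see a genuine link pass clean; treat hits as triage leads, not proof, since the heuristics are easy to evade.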
Over the past year or so, Chrome has been getting closer to ditching the secure connection lock icon in the address bar, because it gives users a false sense of security. The HTTPS (SSL/TLS) protocol doesn’t guarantee that the site is safe, just that your browser is communicating securely with the server it is connected to. A secure connection to an illegitimate site is still an unsafe connection if you’re handing data over to a scammer. Although the BitB attack obscures the fact that you are on an unsecured connection with the attacker’s page, a secure connection only stops a third party from snooping on the data you send over it.
As another variation of a phishing attack, the BitB attack reminds us to be vigilant about email and text message security. While we’re all somewhat vulnerable to this attack, we can verify attachments and links before clicking or downloading, use secure channels of communication for sensitive data, and use strong multi-factor authentication (MFA) on our email accounts to stay ahead of most attackers. As usual, it’s not foolproof, but when it comes to cybersecurity, nothing really is. These steps will at least help protect you from the attacks that are preventable.
-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team