The recent reports warning users about a phishing attack that’s been targeting Gmail users with a high degree of effectiveness have caught the attention of security professionals, but the attack should in fact pose little risk to many enterprise users.
Our security researchers have determined the current version of the attack attempts to exfiltrate user credentials to a website - already categorized as “malware” - by at least one reputation service used by URL filters. Default policy for URL filters is to block malware sites, preventing the attack from succeeding.
However, security teams should still be wary of the exploit. Cato researchers found that some reputation services did not categorize the exfiltration domain as malicious at the time of this writing. Even for ones that do, attackers frequently switch domains in their attacks.
To prevent future compromise, network managers should consider revisiting an old, but somewhat controversial approach to web security: warning or even blocking users from visiting web sites that are uncategorized by URL filters.
In the instance of the attack, the scam started with an email sent to the targeted user with an attached image of an innocuous-looking file, such as a PDF document. Clicking on the file should give a preview of the attachment, but in fact opens a new tab, prompting the user to sign into Gmail again. The screen looks identical to the normal Gmail login, but page is a fake, locally generated with a data URI - a URL prefixed with the “data:” scheme - allowing content creators to embed small files inline in documents.
This particular data URI contains many spaces pushing the Javascript code at the end of the URL that renders the phishing page out of view on many monitors. Locally generated, offline, data URIs bypass network-based URL filters. As such, URL filtering will not stop users from visiting the page and providing their credentials.
Once a user completes the login, the attack will attempt to exfiltrate credential data to an attacker-owned domain.
Time to Block Uncategorized Sites?
User education is notoriously difficult for organizations - so this makes URL filters or secure web gateways even more important as another line of defense.
However, some reputation service providers did not categorize the domain as dangerous at the time of this writing. Furthermore, even companies whose URL filter blocks the existing domain, care needs to be taken as attackers often change the domains used in their attacks. These relaunched sites are so new; they aren't yet classified by reputation services. All of which is a good reason to set up rules to block or warn users visiting uncategorized sites.
Traditionally, security teams have been reluctant to block all uncategorized sites due to the user impact. This is more than just a usability concern. Unable to access uncategorized sites, users will open trouble tickets with helpdesk, increasing the load on those personnel. Yet in light of the effectiveness of the attack, the risk of an uptick in support calls (or even the impact on user satisfaction) may well be worth the benefit of protecting the users.
For most organizations with typical web access patterns, a small percentage of visits are to uncategorized sites. Yes, there are exceptions, universities providing access to users with unknown requirements or companies engaged in research, are those that come to mind.
However for retailers, financial institutions, manufacturing and more, there’s normally a well-known set of sites users visit or should be visiting.
Given the risk posed by these types of attacks and the ever-changing URLs associated with them, it is time for many companies to reconsider filtering out uncategorized sites rather than risking a destructive breach.
To do this, a company must enact a policy that will to protect its network. First, the company should enable URL-filtering in the organization by setting-up a policy that will block both malicious and uncategorized domains. This can be achieved by using a properly defined web-filtering policy that can be defined and executed on within the company’s own secure-web gateways.
Once a policy like the one outlined above is put in place, an enterprise will be prepared to block future attacks involving uncategorized sites such as the Gmail phishing scam. It’s a necessary step to take in securing the network as more sophisticated attacks are created.