Phishing is one of the most well-known and widely used hacking methods. There are many different types of phishing; whale phishing, spear phishing, vishing and smishing, just to name a few. But a newer form of phishing has emerged, namely consent phishing.
What is consent phishing?
Consent phishing is slightly different from some of the other types of phishing that exist. It requires some type of success for the hacker - namely, that they have managed to get authorization to log in to the victim's profile.
The attacks involve the use of malicious apps and legitimate providers, including OAuth. OAuth is basically "Open Authentication", which means that it's a free and open service that is used to identify a user. It's often services like Google (e.g. Gmail) that use OAuth.
As with so many other phishing attacks, it all starts with a phishing email from the hacker. For example, they pretend to be someone from a public institution so that you trust the sender.
Consent phishing is used to access cloud-based profiles where you already are logged in - hence the following example of Google Workspace.
Example: How the hacker gets in
If we imagine that you are working in Google Workspace, you suddenly get an email from a Google employee. They say that you need to log in to your Google Workspace and perform an action. This could e.g. be to verify your identity.
Now the "Google employee" will send you a link. They claim it will take you to the Google Workspace login page. If you continue not to think about the email, you will gullibly click on the email and the link in it.
Now, this is where consent phishing differs from the regular type of phishing. The link will take you to a page where you have to give consent for "Google" to collect data. The hacker uses a malicious app, but links it to a legitimate provider - therefore clicking on the link seems safe.
It all seems legitimate, so many people will fall for the phishing scam. However, once the hacker has the victim's consent, they can access the data stored on the Google Workspace drive.
The reason for consent phishing
Now you might be asking yourself, Why would the hacker want access to someone else's cloud drive? When it comes to cybercrime, personal data is invaluable. Both for the victim, but also for the hacker.
Personal data has a high market value on the dark web. It is also a valuable bargaining chip for the hacker. It will often be used for ransomware, allowing the hacker to make large sums of money from the stolen data.
In addition to selling the personal data, hackers will often exploit banking information from the victim. By having the bank details, the hacker can transfer freely between the victim's accounts and the hacker's. Typically, the hacker will also buy cryptocurrency and then transfer the currency to themselves. Cryptocurrencies are anonymous in the sense that it is not possible to trace who is sending or receiving it.
However, it is rare for cloud-based data to contain banking information. But it can contain personal data that can help the hacker to access the victim's online banking.
The hacker typically targets employees' cloud base, as they also have access to company information. This often relates to customer data. This is valuable to the company, the customers and the hacker. The more data the hacker possesses, the more money they can make.
How to avoid consent phishing
As mentioned, it is often companies that are in the hacker's sights. Therefore, it is also the cloud-based databases that they want to hit - Google Workspace and Microsoft Azure are examples of databases that are obvious to hit.
Therefore, it is important to train employees in cybersecurity with awareness training so that the company can better avoid falling into the trap.
Many people are not aware of the indicators of phishing - for this reason, they need to be trained on how to spot phishing. The training will be invaluable in the end - by avoiding phishing, you can more effectively avoid hacking attacks. And that way, you also avoid losing thousands of dollars to ransomware attacks.
In addition, you can also give employees an overview of which approved apps and websites they can access on their work devices. This prevents them from clicking on an illegitimate website that could potentially lead to consent phishing.
Multifactor Authentication (MFA) is another good and secure way to avoid hackers. It is much more difficult for hackers to penetrate MFA, as it often requires access to multiple devices or biometric data that they cannot get hold of.
Avoid consent phishing
As described here, consent phishing is unfortunately a little harder to recognize than many other types of phishing. It is an effective way for hackers to get into the cloud and view companies' data.
Fortunately, there are various measures you can consider implementing to get around consent phishing. Awareness training is key to educating employees about phishing, including consent phishing. In addition, you can secure users with MFA and increased security around key websites. This will hopefully keep the hacker out of your company's systems and keep your customers' and employees' data safe.
Caroline is a copywriter here at Moxso beside her education. She is doing her Master's in English and specializes in translation and the psychology of language. Both fields deal with communication between people and how to create a common understanding - these elements are incorporated into the copywriting work she does here at Moxso.