Cloud Phishing Risks and Mitigation

Shimrit Tzur-David | February 13, 2020

If you’re running your business in the cloud, you need secure authentication

Most of us underestimate the ramifications of password hacks and cloud phishing attacks. If your password falls into the wrong hands, a hacker will gain access to sensitive information, siphon your bank account, or do some other evil act that will inflict damage on your person or organization.

But when you’re running a business in the cloud, a hijacked account can have much more devastating consequences, and affect not only your brand and reputation but the privacy and security of your customers.

In late August, several customers of United Rentals, the world’s largest equipment rental company, reported receiving phishing emails that contained booby-trapped links with malicious content. The emails seemed to come from UR and prompted them to pay for purchases they had not made.


In most phishing attacks, hackers go to great lengths to register domains that look legitimate and use them to lure their victims and trick them into clicking their malicious links. But in this case, the hackers had access to UR’s official domain and used it to make their phishing emails look very legit. The URL in the phishing emails sent the customers to a page on United Rentals’ own website.

In other words, instead of setting up a front and using a back-alley method to ensnare their victims, the attackers smashed right through the front door and used a totally official and acceptable front to draw their targets into their cloud phishing scam.

But how could the attackers create authentic links to UR’s domain? As in many similar stories, the attack started with a password hack. 

How hackers used poor password protection to gain access to an official domain

After reports of the phishing scam surfaced, United Rentals was quick to deny any breach of its own systems and stated that the campaign was conducted through a “third-party” system that had access to its domain.

Like many other companies, United Rentals relies on cloud services for several parts of its business. In this specific case, the hackers carried out their attack through Pardot, an email marketing service owned by CRM giant Salesforce. Companies that use cloud-based CRM services like Salesforce sometimes dedicate a domain or subdomain to their CRM provider and allow the service to send emails that appear to come directly from the company.
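The delegation described above, where an outside service is allowed to send mail as the company's own domain, is normally declared in the domain's SPF record, so that record is a quick way to inventory which third-party accounts can speak for you and therefore need MFA. The following is an added example, not code from this article or from Salesforce or Pardot; the domain names and SPF records are constructed so it runs offline, and a real deployment would replace `lookup_txt` with an actual DNS TXT query.

```python
import re

# Constructed sample zone for a fictional company (example.com) that delegates
# marketing mail to two outside services; real records come from DNS TXT lookups,
# stubbed here so the example runs offline.
SAMPLE_TXT = {
    "example.com": "v=spf1 include:_spf.example.com include:spf.mailvendor.example ip4:203.0.113.0/24 ~all",
    "_spf.example.com": "v=spf1 include:send.crmvendor.example mx -all",
    "send.crmvendor.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "spf.mailvendor.example": "v=spf1 ip4:192.0.2.0/24 -all",
}
# Mechanisms that each consume one of the 10 DNS lookups RFC 7208 allows.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def lookup_txt(name):
    """Stand-in for a DNS TXT query against the constructed zone ('' if absent)."""
    return SAMPLE_TXT.get(name.lower(), "")

def audit_spf(domain, resolve=lookup_txt):
    """Follow include:/redirect= from domain's SPF record; report outside domains
    allowed to send as it, the DNS lookup count, and the top-level 'all' qualifier."""
    domain = domain.lower()
    third_party, seen = set(), set()
    lookups, all_qualifier = 0, "none"  # "none": no all term, unlisted senders neutral
    def walk(name):
        nonlocal lookups, all_qualifier
        if name in seen:  # guard against include loops
            return
        seen.add(name)
        record = resolve(name)
        if not record.startswith("v=spf1"):
            return
        for term in record.split()[1:]:
            qualifier = term[0] if term[0] in "+-~?" else "+"
            m = re.match(r"([a-z0-9]+)(?:[:=](.*))?$", term.lstrip("+-~?"), re.I)
            if not m:
                continue
            mech, arg = m.group(1).lower(), m.group(2)
            if mech in LOOKUP_MECHS:
                lookups += 1
            if mech in ("include", "redirect") and arg:
                arg = arg.lower()
                if arg != domain and not arg.endswith("." + domain):
                    third_party.add(arg)  # sender outside the company's own zone
                walk(arg)
            elif mech == "all" and name == domain:
                all_qualifier = qualifier  # '~' or '+' barely penalises forged mail
    walk(domain)
    return {"third_party": sorted(third_party), "lookups": lookups, "all": all_qualifier}
```

Each domain in `third_party` is a service whose account, if hijacked, can send mail that passes SPF for your domain, which is exactly the position the Pardot account was in.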

According to Salesforce, the attackers had been able to compromise a Pardot account that had not been protected with multi-factor authentication, though Salesforce did not disclose the details of how the Pardot account was compromised. But there are many known ways that hackers can hijack an online account that is only protected with passwords. In fact, there are countless stories in which hackers managed to compromise accounts or entire machines just by leveraging password vulnerabilities.

Why hackers are interested in cloud services with poor password protection

The United Rentals hack is just one of several recent hacks in which hackers used cloud services as a beachhead to launch cloud phishing campaigns. Earlier this year, security vendor Netskope published findings by its researchers that showed a recent trend among attackers to send phishing emails and SMS messages with links to malicious sites and content hosted on cloud services such as Amazon Web Services (AWS), Microsoft Azure, Alibaba Cloud, and Google Docs.

Of particular concern are CRM services, because customers usually have a high level of trust in them and view their data and associated links as internal, even though they are hosted in the cloud.

According to recent stats from the Anti-Phishing Working Group, software-as-a-service providers accounted for 36 percent of all phishing attacks in the first quarter of 2019. This includes CRM and webmail providers.

In classic phishing attacks, hackers must purchase and register a new domain on which they will host their malicious content. Afterward, they embed links to that domain in their phishing emails. The problem with this method is that registering new domains can be cumbersome. Also, most popular email services quickly blacklist newly registered domains as soon as they’re associated with phishing attacks. This means the hackers must pay for and register a new domain to continue their campaign.

In contrast, trusted domains from known companies and popular cloud services will never be blacklisted, which makes them attractive and low-cost venues for cybercriminals to host malicious content. This allows the attackers to circumvent the domain filters of anti-phishing tools.

What does this mean for your company?

The United Rentals hack is a warning to all companies that are running their businesses (or part of their operations) in the cloud. Passwords are poor protection for your cloud accounts. Moreover, hackers are interested in hacking your cloud accounts, not only to target your organization but to also use your assets as channels to conduct attacks against your customers and anyone else that trusts you. This gives them an incentive to put in extra effort to hack your accounts and weaponize them for their purposes.

Many security experts recommend that organizations should start educating users about the dangers of blindly clicking on links to cloud services. 

But an even stronger defense against cloud phishing attacks is to make sure your cloud accounts are hijack-proof and can’t be overtaken by cybercriminals. As we have seen in these pages time and again, the safest password is one that doesn’t exist. In past years, thanks to advances in passwordless authentication, organizations have implemented solutions that can provide robust protection against cloud phishing attacks. With the advent of new technology standards such as WebAuthn and FIDO2, more and more popular cloud services support passwordless authentication.

Passwordless solutions such as Secret Double Octopus provide security and ease-of-use, fulfilling the needs of both users and IT security teams. By removing passwords from the authentication process, organizations can rest assured that their online assets, their information and their customers are protected from hackers. Organizations should also vet third-party contractors to make sure they employ secure authentication technologies and are committed to protecting their online accounts.

The folks at United Rentals learned this the hard way. Others shouldn’t go through the same experience.