Phishing is a massively popular cybercrime tactic used by threat actors around the world. Over the years, phishing has diversified into a range of different types, including consent phishing. But how exactly does consent phishing work, and is it a threat to you?

Consent phishing is a phishing tactic that works against an account the victim is already signed into: instead of stealing a password, it tricks the victim into authorizing access. These attacks rely on malicious apps, with OAuth apps being a particularly popular choice. Let's run through an example of consent phishing with a harmful OAuth app to understand how the process works.

As is often the case with phishing in general, consent phishing attacks begin with an email in which the attacker claims to be an official entity. Because consent phishing is used to access cloud storage accounts, we'll use Google Workspace as an example. Note that consent phishing targets accounts the victim is already logged into.

Let's say that an attacker emails a target claiming to be a Google employee. Within this email, the attacker will tell the target that they need to log into their Google Workspace account to perform some kind of function. For example, the target may be told that they need to log in to verify their identity.

The attacker will provide a link within their email, which they claim leads to the Google Workspace login page. If the target remains unaware of the scam, they may then click on the link.


This is the point at which consent phishing differs from typical credential phishing. In the next step of the attack, the threat actor uses a malicious app hosted by a legitimate provider to access the victim's data. When the victim clicks on the malicious link, they'll be taken to a permissions page, where they'll be asked to grant the app certain access to their account.

Because the victim believes they are dealing with a legitimate page, it's likely that they'll grant these permissions. At that point, the attacker has been granted access to the victim's Google Workspace account.

But why would an attacker want access to someone's cloud storage account?

In the cybercrime game, data can be invaluable. There are various kinds of information that an attacker can leverage towards their own benefit, such as payment information. But it's unlikely that a cloud account will contain such data. So, what's the point of consent phishing?

A lot of attackers tend to target organizational cloud storage accounts to access company data. Such data can be useful in a number of ways.

Firstly, the attacker may be able to sell the organizational data on a dark web marketplace. Such illicit corners of the internet are hugely popular among cybercriminals, as huge profits can be made via the sale of data. Cybercriminals can also steal company data and demand a ransom for its return, which can turn out to be more profitable than simply selling that data on the dark web. That is, if they don't do both.


Consent phishing is often used against organizations rather than individuals (that's why Google Workspace is a good example; it's ideal for companies). So it's important that company leaders educate their staff on how consent phishing works. Many people are completely unfamiliar with phishing and the red flags they should look out for, so showing employees how to identify a possible scam email can be invaluable to the company's security.

Additionally, it may be worth maintaining a list of pre-authorized apps that employees are allowed to grant access to from their work devices. This can eliminate the chance of a member of staff unknowingly granting permissions to a malicious app.
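Added example (not from the article or from Google) of the pre-authorized app list put into practice: it checks constructed OAuth consent records against an allowlist and flags unapproved apps that received broad Gmail or Drive scopes, plus any single app that several users consented to. The scope URIs are real Google OAuth scopes; the client IDs and events are made up, and the record shape is simplified rather than the real Workspace audit-log schema.

```python
from collections import defaultdict

# Scopes giving broad access to mail or files (real Google scope URIs). An app
# that is not pre-authorized yet asks for one of these matches the consent-
# phishing pattern described above.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
}

# Pre-authorized apps by OAuth client ID (hypothetical value).
ALLOWLIST = {"111111111111-approved.apps.googleusercontent.com"}

# Constructed consent events, simplified from what a token audit log records:
# (user, client_id, app_name, granted scopes). Client IDs are made up.
EVENTS = [
    ("alice@example.com", "111111111111-approved.apps.googleusercontent.com",
     "Approved CRM", ["openid", "https://www.googleapis.com/auth/drive"]),
    ("bob@example.com", "999999999999-verify.apps.googleusercontent.com",
     "Account Verification", ["openid", "https://mail.google.com/",
                              "https://www.googleapis.com/auth/drive"]),
    ("carol@example.com", "999999999999-verify.apps.googleusercontent.com",
     "Account Verification", ["openid", "https://mail.google.com/"]),
]

def classify_grant(client_id, scopes, allowlist=ALLOWLIST):
    """'allowed' for a pre-authorized app, 'sensitive' for an unapproved app
    holding a broad mail/file scope, 'low' for an unapproved app with basic scopes."""
    if client_id in allowlist:
        return "allowed"
    return "sensitive" if SENSITIVE_SCOPES & set(scopes) else "low"

def find_risky_grants(events, allowlist=ALLOWLIST):
    """(user, app_name, sensitive scopes) for every grant that should be revoked."""
    return [(user, name, sorted(SENSITIVE_SCOPES & set(scopes)))
            for user, cid, name, scopes in events
            if classify_grant(cid, scopes, allowlist) == "sensitive"]

def apps_granted_by_many(events, allowlist=ALLOWLIST, min_users=2):
    """Unapproved client IDs consented to by min_users or more distinct users:
    a sign the same lure reached several staff, so block the app tenant-wide."""
    users = defaultdict(set)
    for user, cid, _, _ in events:
        if cid not in allowlist:
            users[cid].add(user)
    return {cid for cid, who in users.items() if len(who) >= min_users}
```

Because the victim was already signed in, password strength and sign-in protections do not undo a grant like this; revoking the flagged grants and blocking the app are the remediation steps.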

Employing other security measures can also be beneficial, such as anti-spam filters and Two-Factor Authentication (2FA).

Protect Your Data by Knowing What to Look For

Consent phishing, and phishing in general, can have devastating consequences. This kind of cyberattack is worryingly effective at swindling victims. However, there are ways to pick up on consent phishing and stop it in its tracks. Through education and vigilance, you can protect your data effectively, keeping it out of the hands of malicious actors.