How to stop users from shooting themselves in the foot

Earlier this month, Germany and South Korea issued a joint cybersecurity advisory warning about an advanced persistent threat (APT) group that’s been working out of North Korea since 2012 and which recently attempted to cajole spear-phishing targets into installing a malicious Chrome extension — called “AF” — that steals Gmail messages. 

Mandiant calls the group APT43. It’s also tracked as Kimsuki, Kimsuky or Thallium. Its business is what you’d expect out of North Korea: cyberespionage aimed at foreign policy and nuclear security, harvesting credentials and social-engineering to pull off the espionage, and conducting cybercrime to pay the bills for all this dirty work. 

In his April 7 CISO Insights column, Contrast CISO warned that recipients should delete this extension “immediately” if you’re using it.

Of course, there’s nothing new about spear phishing, in which targeted attacks are launched against specific people, organizations or whatever else is of interest to the perpetrators. Spear phishing is, after all, a typical way for cyber intruders to get what they’re after, given that it can lead to credentials harvesting and on from there to network penetration. 

No, it’s not the spear phishing part that Lindner found interesting. Rather, it’s the fact that targets had to pull the trigger so as to shoot themselves in the foot. 

‘Please click here to have your inbox invaded’

As Bleeping Computer reported, South Korean cybersecurity firm  AhnLab described the attack as being triggered by Kimsuky logging in to a victim’s Gmail account with credentials stolen through other phishing campaigns or other means. 

The attackers then exploited the web-to-phone synchronization feature of Google Play, which allows users to install apps on their linked devices from the Play Store app store to install the malware.

“The malicious app the attackers request Google Play to install on the victim's device is submitted on the Google Play console developer site for ‘internal testing only,’ and the victim's device is supposedly added as a testing target,” Bleeping Computer’s Bill Toulas writes. 

The Android malware is a remote access trojan (RAT) that lets the attackers drop, create, delete or steal files; steal contact lists; place calls; monitor or send SMS messages; activate a phone’s camera; perform keylogging; and view the desktop.

Those spying capabilities need to be installed. Before they’re installed, the targeted system gives off an alert to make sure — are you really, really sure? — that you’re OK with a mobile app that’s got a yen to get all up in your business. 

“The system says, ‘Hey, this mobile app is requesting these permissions, requesting X, Y and Z — you know, access to the network, whatever it might be. The same thing with browser extensions,” Lindner explains. “They're specific in what they ask, right? They have to get the installer to approve [of giving the malicious extension] the ability to read. And it wouldn't [specify that the permission is to read] Gmail contents. It would just basically say, ‘Interact with or read the browser window,’ or whatever, which then inherently provides them access to Gmail.”

We are all click-happy zombies

Unfortunately, people simply don't pay enough attention to these “grant XYZ permission” alerts, in spite of the fact that mindlessly clicking “OK” can give dangerous permissions to shady apps. Such dangerous permissions can include unnecessary requests, such as the ability to change system settings, read your list of phone calls or pinpoint your precise location. 

Free virtual private network (VPN) services are a classic example of apps that can leak your IP address or DNS requests, thus exposing your data to third parties. Some even infest your system with malware, install hidden tracking libraries, steal private information or steal your bandwidth. One study of free Android VPN apps found that 84% leak users’ IP addresses, 82% attempt to access sensitive data, 75% use third-party tracking, 38% contain malware and 18% leave you exposed by failing to encrypt your data. 

Take, for example, the Yoga VPN, which topped the list when CNET ranked the worst VPN apps for privacy. CNET found that Yoga asked for six types of dangerous permissions, including reading a user’s phone number, the cell network they’re on and whether they’re on a call. 

Why does it need to know that?

Even more to the point, why do people click “OK” when asked to allow these apps to do all that? 

“Because they don’t care. And/or they don't understand what they're doing, or a combination of both, right?” Lindner says. 

It’s the same thing for browser extensions, he says: “If they think they need something … they're just gonna do it, in general.”

And that's exactly what we ran into with the malicious AF Chrome extension, he notes. “It’s the same thing. People just don't understand what certain permissions mean, but they approve it. And people’s Gmail contents are being stolen because of it.”

And not because AF snuck into the Google Play app store, mind you. Plenty of malicious apps do get into the app stores, but in this case, victims downloaded it themselves by falling for a phishing attack, clicking on an attachment and then clicking “OK” when that malicious extension batted its eyelashes at them. 

Let’s not play the blame-n-shame game

We can’t expect end users not to fall for these attacks, Lindner says. For too long, cybersecurity experts have been fine with reprimands and discipline, thus putting it on the end user. “For too long it’s been like, ‘Oh, my God! You failed! Here’s three phishing tests you need to go through.’ But training, training, training is not going to fix it. I'm sorry, it's just not,” he says.

Instead of expecting end users to suddenly have mass epiphanies about not clicking on attachments and not granting outlandish permissions, what we need to do is to “figure out how to stop those messages from even getting to that person in the first place,” Lindner asserts. “That should be on us as an industry to fix it.”

What are the options? 

One is a solution such as Darktrace, an artificial intelligence- (AI-) powered Intrusion Detection and Prevention (IDP) tool that continuously learns and updates its knowledge of user behavior in order to autonomously prevent, detect and respond to novel, in-progress threats in real time. Contrast uses it. 

Tools like this detect and block thousands of emails and change or remove malicious documents or attachments — dangers that Contrast never sees because they’re dealt with, no user interaction required, thereby neutralizing the danger of potential “OK” or “download” clicking — all with no blame involved. 

That’s the way it should be, Lindner says: Use technology to protect users instead of blaming and shaming them and fruitlessly trying to train the snot out of them.