Threat Insight
New Paste Jacking Method – A Threat During the Holidays
A new variant of the “paste jacking” technique has been observed. It is delivered the way drive-by-download attacks are: legitimate websites are compromised and injected with code that prompts visitors to take an action that ends in malware being installed or, in this variant, in their account being taken over.
The new technique, dubbed “ConsentFix”, has a lot in common with ClickFix/FileFix, adversary-in-the-middle (AiTM) phishing and OAuth consent phishing. Like these, it relies on manipulated websites that display a fake message claiming that visitors must prove they are human and not a bot.
“ConsentFix” is a browser-native form of paste jacking that phishes an OAuth token for a target app: the victim is made to copy a URL that contains OAuth key material and paste it into a phishing page.
Essentially, the attacker starts an Azure CLI sign-in on their own machine and tricks the victim into completing that sign-in with the victim’s Microsoft account. When the sign-in finishes, the browser is redirected to a localhost URL that carries the OAuth authorization code, so the code is visible in the address bar. The fake verification page then instructs the victim to copy that URL (including the code) and paste it into the attacker-controlled page, which hands the code to the attacker’s Azure CLI. The result is an OAuth connection between the victim’s Microsoft account and the attacker’s Azure CLI instance. [1]
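As an added example (not code from the Truesec post, and not Azure CLI’s or Microsoft’s own code), the following Python shows the two ends of the flow described above: the sign-in URL an Azure CLI-style native public client opens, with a loopback redirect and PKCE, and the parsing a phishing page performs on the pasted localhost URL to extract the authorization code. The same parser doubles as a defender-side check for a clipboard or DLP hook. The client_id, tenant, port, state, scope string and code values are constructed placeholders, not Azure CLI’s real values, and nothing here makes a network request.

```python
"""Added example, not code from the Truesec post: the shape of the OAuth
loopback redirect that ConsentFix asks the victim to paste, and a parser
that extracts (or, on the defender's side, flags) the authorization code.
All identifiers below are constructed for illustration and nothing here
performs a network request."""
import base64
import hashlib
from urllib.parse import urlencode, urlparse, parse_qs

# Microsoft identity platform v2.0 authorize endpoint (shape only; never called here).
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"

# Hosts a native public client may legitimately use as its loopback redirect.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def pkce_challenge(code_verifier: str) -> str:
    """S256 PKCE challenge: base64url(sha256(verifier)) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_signin_url(client_id: str, tenant: str, port: int,
                     state: str, code_verifier: str) -> str:
    """Sign-in URL of an Azure CLI-style public client using a loopback
    redirect. In ConsentFix the *attacker's* client generates this URL and
    the victim is lured into completing the sign-in in their own browser.
    client_id, tenant and the scope string are placeholders (assumptions),
    not Azure CLI's real values."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": f"http://localhost:{port}",
        "scope": "https://management.azure.com/.default offline_access openid profile",
        "state": state,
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + urlencode(params)


def parse_loopback_redirect(pasted: str):
    """Return {'code', 'state', 'port'} if `pasted` is a loopback redirect URL
    carrying an OAuth authorization code, otherwise None.

    This is the parsing the attacker's page does on the pasted text, and it is
    also the check a defender's clipboard/DLP hook can run on a paste target
    that is not localhost: a hit means key material is about to leave the box."""
    try:
        u = urlparse(pasted.strip())
        port = u.port  # raises ValueError on a malformed port such as ':notaport'
    except ValueError:
        return None
    if u.scheme not in ("http", "https") or u.hostname not in LOOPBACK_HOSTS:
        return None
    query = parse_qs(u.query)
    if "code" not in query:
        return None
    return {"code": query["code"][0],
            "state": query.get("state", [None])[0],
            "port": port}


def is_oauth_code_paste(pasted: str) -> bool:
    """Defender-side verdict: True when the text carries an authorization code."""
    return parse_loopback_redirect(pasted) is not None


if __name__ == "__main__":
    url = build_signin_url("11111111-2222-3333-4444-555555555555", "organizations",
                           8400, "c0nstructed-state", "x" * 43)
    print("sign-in URL the attacker's client would open:\n ", url)
    # Constructed sample of what the victim's address bar shows after signing in.
    pasted = "http://localhost:8400/?code=1.constructedAuthorizationCode&state=c0nstructed-state"
    print("pasted text contains an OAuth code:", is_oauth_code_paste(pasted))
    print(parse_loopback_redirect(pasted))
```

The point of putting both functions side by side is that the attacker needs nothing more than a query-string parser once the victim pastes; the only control that works is stopping the paste, which is why the same parser is useful as a pre-paste check.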
In the past, paste jacking methods have been attributed to a threat actor that sells access to ransomware actors.
Recommendations
All variants of paste jacking rely on the same basic method: tricking users into pasting information, such as a URL or a code string, into a malicious website or a Windows command prompt.
Attacks like these pose an additional threat during the holidays. Some personnel may be working from home on critical projects that need to be finished before the end of the year, while security and helpdesk functions often run with minimum staffing over the holidays.
Truesec recommends alerting personnel about this type of attack and telling them never to copy and paste data into these fake captcha sites. No legitimate service requires you to paste links or data into a browser or a Windows command prompt to prove you are not a bot. A sign-in URL that contains a code parameter is a credential in transit and should be treated like a password: never shared, forwarded or pasted anywhere.
References