When checking the URL isn’t enough: a Device Code Phishing attack via a Microsoft website


One of the most common pieces of anti-phishing advice is to double-check the website’s domain name before providing your credentials. Typically, a fraudulent domain stands out to the trained eye, differing from the official URL by at least a few characters. Recently, however, Kaspersky encountered a campaign where attackers instruct victims to input data directly into a legitimate, trusted corporate site: the Microsoft Identity Platform, which supports an OAuth 2.0 specification known as the Device Authorization Grant.

This specific protocol extension was designed to simplify the login experience for smart TVs, IoT hardware, printers, and other input-constrained devices that lack a full browser or keyboard. It allows users to use a nearby smartphone or PC for authorizing these devices to access their accounts.

Read more…
Source:  Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Millions of iOS apps could have been hit by cyberattack due to a worrying flaw

    July 3, 2024

    A key tool used primarily in iOS and macOS app development was vulnerable in a way that opened up millions of Mac apps to supply chain attacks, experts have warned. Cybersecurity researchers EVA Information Security claim a dependency manager for Swift and Objective-C projects called CocoaPods, carried three vulnerabilities in a “trunk” server used to manage ...

  • High-Risk Path Traversal in SolarWinds Serv-U

    July 3, 2024

    The SonicWall Capture Labs threat research team became aware of a path traversal vulnerability in SolarWinds Serv-U, assessed its impact and developed mitigation measures. Serv-U server is a solution that provides a secure file transfer facility and control inside and outside the organization. Identified as CVE-2024-28995, SolarWinds Serv-U 15.4.2 HF 1 and previous versions allow an ...

  • Apple IDs Targeted in US Smishing Campaign

    July 2, 2024

    Phishing actors continue to target Apple IDs due to their widespread use, which offers access to a vast pool of potential victims. These credentials are highly valued, providing control over devices, access to personal and financial information, and potential revenue through unauthorized purchases. Additionally, Apple’s strong brand reputation makes users more susceptible to trusting deceptive communications ...

  • Vulnerabilities in PanelView Plus devices could lead to remote code execution

    July 2, 2024

    Microsoft discovered and responsibly disclosed two vulnerabilities in Rockwell Automation PanelView Plus that could be remotely exploited by unauthenticated attackers, allowing them to perform remote code execution (RCE) and denial-of-service (DoS). The RCE vulnerability in PanelView Plus involves two custom classes that can be abused to upload and load a malicious DLL into the device. The ...

  • Prudential Financial data breach impacts 2.5 million people

    July 2, 2024

    In February 2024, Prudential Financial reported it had fallen victim to a ransomware attack. The attack was discovered one day after it started, but not before some 2.5 million people had been impacted by the resulting data breach. As one of the largest insurance companies in the US, Prudential employs 40,000 people worldwide and reported revenues ...

  • Cisco Releases Advisory for Exploited Vulnerability in NX-OS software

    July 2, 2024

    Cisco has released a security advisory for a vulnerability in the command line interface (CLI) of the NX-OS software in Nexus series switches, which are modular and fixed port network switches designed for data centres. The command injection vulnerability known as CVE-2024-20399 has a CVSSv3 score of 6.0 and is rated at Medium by Cisco. An ...