When checking the URL isn’t enough: a Device Code Phishing attack via a Microsoft website


One of the most common pieces of anti-phishing advice is to double-check the website’s domain name before providing your credentials. Typically, a fraudulent domain stands out to the trained eye, differing from the official URL by at least a few characters. Recently, however, Kaspersky encountered a campaign where attackers instruct victims to input data directly into a legitimate, trusted corporate site: the Microsoft Identity Platform, which supports an OAuth 2.0 specification known as the Device Authorization Grant.

This specific protocol extension was designed to simplify the login experience for smart TVs, IoT hardware, printers, and other input-constrained devices that lack a full browser or keyboard. It allows users to use a nearby smartphone or PC for authorizing these devices to access their accounts.

Read more…
Source:  Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Attackers Distribute Malware via Freeze.rs And SYK Crypter

    August 9, 2023

    FortiGuard Labs recently detected a new injector written in Rust—one of the fastest-growing programming languages—to inject shellcode and introduce XWorm into a victim’s environment. While Rust is relatively uncommon in malware development, several campaigns have adopted this language since 2019, including Buer loader, Hive, and RansomExx. FortiGuard Labs analysis also revealed a significant increase in injector ...

  • Personal data of at least 26,212 people accessed in ransomware attack, Dallas tells state

    August 9, 2023

    Computer hackers accessed the personal information of at least 26,212 Texans in the recent ransomware attack on the city of Dallas, according to an official disclosure made public Monday on the Texas attorney general’s web site, three months after the breach. The city’s notice to the attorney general’s office says the data breach included names, addresses, ...

  • Paracetamol maker Granules India’ Q1 profit hurt by cyber attack disruptions

    August 9, 2023

    Granules India Ltd the maker of paracetamol and ibuprofen pain relievers, reported a 62.5% fall in first-quarter profit on Wednesday, as a cyber security incident significantly disrupted operations. The generic drug maker’s consolidated net profit tumbled to 478.9 million rupees ($5.8 million) in the April-June quarter, from 1.27 billion rupees a year earlier. Granules faced a ...

  • Northern Ireland: Major data breach identifies thousands of police officers and civilian staff

    August 8, 2023

    The Police Service of Northern Ireland (PSNI) has apologised for mistakenly revealing details of all its 10,000 staff. NI’s Police Federation said the breach could cause “incalculable damage”. In response to a Freedom of Information (FoI) request, the PSNI had shared names of all police and civilian personnel, where they were based and their roles. The ...

  • UK Elections watchdog targeted by cyber attack which left voters’ details exposed

    August 8, 2023

    Details of tens of millions of voters could have been accessed by hackers who targeted the elections watchdog. The Electoral Commission revealed on Tuesday it was targeted by a cyber attack which allowed “hostile actors” to access electoral registers. The hack allowed the attackers to access reference copies of electoral registers which contained the name and addresses ...

  • Clustering attacker behavior reveals hidden patterns

    August 8, 2023

    A collection of very specific behaviors, observed by Sophos X-Ops incident response analysts in the lead-up to four separate ransomware attacks in the first quarter of 2023, indicates an unexpected connection between the attacks. In the parlance of the Managed Detection and Response (MDR) team, the peculiarly similar details constitute a threat activity cluster that ...