When checking the URL isn’t enough: a Device Code Phishing attack via a Microsoft website


One of the most common pieces of anti-phishing advice is to double-check the website’s domain name before providing your credentials. Typically, a fraudulent domain stands out to the trained eye, differing from the official URL by at least a few characters. Recently, however, Kaspersky encountered a campaign where attackers instruct victims to input data directly into a legitimate, trusted corporate site: the Microsoft Identity Platform, which supports an OAuth 2.0 specification known as the Device Authorization Grant.

This specific protocol extension was designed to simplify the login experience for smart TVs, IoT hardware, printers, and other input-constrained devices that lack a full browser or keyboard. It allows users to use a nearby smartphone or PC for authorizing these devices to access their accounts.

Read more…
Source:  Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • CISA Releases Seven Industrial Control Systems Advisories

    July 18, 2023

    CISA released seven Industrial Control Systems (ICS) advisories on July 18, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-23-199-01 Rockwell Automation Kinetix 5700 DC Bus Power Supply Series A ICSA-23-199-02 Keysight N6845A Geolocation Server ICSA-23-199-03 Iagona ScrutisWeb Read more… Source: U.S. Cybersecurity and Infrastructure Security Agency  

  • Fortescue Hit by Cyber Attack That Saw Network Data Disclosed

    July 18, 2023

    Fortescue Metals Group Ltd. said it had been subject to a cyber attack that resulted in “the disclosure of a small portion of data from our networks.” The world’s fourth-largest iron ore exporter described the attack as “a low impact cyber incident” that occurred on May 28. The information disclosed “was not confidential in nature,” the ...

  • DDoS threat report for 2023 Q2

    July 18, 2023

    The second quarter of 2023 was characterized by thought-out, tailored and persistent waves of DDoS attack campaigns on various fronts, including: Multiple DDoS offensives orchestrated by pro-Russian hacktivist groups REvil, Killnet and Anonymous Sudan against Western interest websites. An increase in deliberately engineered and targeted DNS attacks alongside a 532% surge in DDoS attacks exploiting the Mitel ...

  • NSA, CISA Release Guidance on Security Considerations for 5G Network Slicing 

    July 17, 2023

    Today, the National Security Agency (NSA) and CISA published 5G Network Slicing: Security Considerations for Design, Deployment, and Maintenance. This guidance—created by the Enduring Security Framework (ESF), a public-private cross-sector working group led by the NSA and CISA—presents recommendations to address some identified threats to 5G standalone network slicing, and provides industry recognized practices for ...

  • IOCTA 2023: forget hackers in a hoodie, cybercrime has become a big business

    July 17, 2023

    Forget the cliché of a solitary figure in a hoodie hunched over a keyboard in a dark room crunching lines of codes. It is an image that no longer accurately reflects today’s cybercrime landscape, where criminals operate as business-like syndicates across borders. Europol’s ninth Internet Organised Crime Threat Assessment (IOCTA), whose first module is published today, ...

  • US energy department, other agencies hit in global hacking spree

    July 16, 2023

    The U.S. Department of Energy and several other federal agencies were hit in a global hacking campaign that exploited a vulnerability in widely used file-transfer software, officials said on Thursday. Data was “compromised” at two entities within the energy department when hackers gained access through a security flaw in MOVEit Transfer, the department said in a ...