When checking the URL isn’t enough: a Device Code Phishing attack via a Microsoft website


One of the most common pieces of anti-phishing advice is to double-check the website’s domain name before providing your credentials. Typically, a fraudulent domain stands out to the trained eye, differing from the official URL by at least a few characters. Recently, however, Kaspersky encountered a campaign where attackers instruct victims to input data directly into a legitimate, trusted corporate site: the Microsoft Identity Platform, which supports an OAuth 2.0 specification known as the Device Authorization Grant.

This specific protocol extension was designed to simplify the login experience for smart TVs, IoT hardware, printers, and other input-constrained devices that lack a full browser or keyboard. It allows users to use a nearby smartphone or PC for authorizing these devices to access their accounts.

Read more…
Source:  Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Cyber attack hits South Korean government institution, $135,000 lost

    July 16, 2023

    According to Korean media reports, the Institute for Startup Promotion, operating under the Ministry of SMEs and Startups, transferred 175 million won (135,000 USD) to an overseas criminal group after being tricked by a sophisticated e-mail phishing scheme. The unfortunate event serves as a stern reminder of the increasing need for enhanced cybersecurity measures in both ...

  • WormGPT, PoisonGPT: How generative AI can become a tool for criminals

    July 15, 2023

    A cybersecurity firm discovered a new generative artificial intelligence tool called WormGPT that is being sold to criminals. Another firm created a malicious generative AI tool called PoisonGPT to test how the technology can be used to intentionally spread fake news online. These tools are the latest examples of how generative AI can be used by ...

  • Analysis of Storm-0558 techniques for unauthorized email access

    July 14, 2023

    As described in more detail in our July 11 blogs, Storm-0558 is a China-based threat actor with espionage objectives. Beginning May 15, 2023, Storm-0558 used forged authentication tokens to access user email from approximately 25 organizations, including government agencies and related consumer accounts in the public cloud. No other environment was impacted. Microsoft has successfully ...

  • Victorian government documents released on dark web after cyber attack

    July 14, 2023

    Victorian government legal files have been released on the dark web by criminals after a major cyber attack on law firm HWL Ebsworth. Victoria’s Chief Information Security Officer David Cullen on Friday said HWL Ebsworth had confirmed government information had been posted. The law firm was hit by a cyber incident in late April when information ...

  • Detecting BPFDoor Backdoor Variants Abusing BPF Filters

    July 13, 2023

    Advanced persistent threat (APT) groups have broadened their focus to include Linux and cloud servers in the past few years. Noticeable examples include ransomware groups targeting VMware ESXi servers, Mirai botnet variants, and groups targeting the cloud with stealers and cryptomining malware. Similarly, APT groups have increased their presence on non-Windows targets. An example is Sandworm ...

  • Cyber attack targets Libyan internet provider LTT

    July 13, 2023

    The Libyan Post Telecommunications & Information Technology Company (LPTIC) said Wednesday that the data center of Libya Internet and Technology, the state-run internet provider, came under a cyber attack which led to disruption of services. In a statement, the LPTIC added that unknown attacker attempted to hack the data center but its cybersecurity team and LTT ...