When checking the URL isn’t enough: a Device Code Phishing attack via a Microsoft website


One of the most common pieces of anti-phishing advice is to double-check the website’s domain name before providing your credentials. Typically, a fraudulent domain stands out to the trained eye, differing from the official URL by at least a few characters. Recently, however, Kaspersky encountered a campaign where attackers instruct victims to input data directly into a legitimate, trusted corporate site: the Microsoft Identity Platform, which supports an OAuth 2.0 specification known as the Device Authorization Grant.

This specific protocol extension was designed to simplify the login experience for smart TVs, IoT hardware, printers, and other input-constrained devices that lack a full browser or keyboard. It allows users to use a nearby smartphone or PC for authorizing these devices to access their accounts.

Read more…
Source:  Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Spanish Globalcaja bank confirms ransomware attack

    June 5, 2023

    A prominent Spanish bank has confirmed that it is dealing with a ransomware attack that has impacted multiple branches. On Friday, Globalcaja issued a statement assuring customers that the incident has not impacted its entities’ operations, and that electronic banking and ATM services are still functioning. Read more… Source: Computing News  

  • Microsoft says Clop ransomware gang is behind MOVEit mass-hacks, as first victims come forward

    June 5, 2023

    Security researchers have linked to the notorious Clop ransomware gang a new wave of mass-hacks targeting a popular file transfer tool, as the first victims of the attacks begin to come forward. It was revealed last week that hackers are exploiting a newly discovered vulnerability in MOVEit Transfer, a file-transfer tool widely used by enterprises to ...

  • Android apps with 30 million downloads contain SpinOk Android malware — delete these now

    June 5, 2023

    Following the discovery that over a hundred Android apps with 400 million combined downloads actually contained the SpinOk malware, security researchers have now found that an additional 92 apps are also affected. For those unaware, SpinOk is a spyware module that was being distributed as a software development kit (SDK) for advertisers. First discovered by the ...

  • Satacom delivers browser extension that steals cryptocurrency

    June 5, 2023

    Satacom downloader, also known as LegionLoader, is a renowned malware family that emerged in 2019. It is known to use the technique of querying DNS servers to obtain the base64-encoded URL in order to receive the next stage of another malware family currently distributed by Satacom. The Satacom malware is delivered via third-party websites. Some of ...

  • CISA Adds Two Known Exploited Vulnerabilities to Catalog

    June 5, 2023

    CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-33009 Zyxel Multiple Firewalls Buffer Overflow Vulnerability Read more… Source: U.S. Cybersecurity and Infrastructure Security Agency  

  • Swiss administration hit by cyber attack

    June 3, 2023

    Swiss authorities are investigating a cyber attack on the IT company Xplain, whose clients include many federal and cantonal government departments, including the army and customs. The online attack was revealed on Saturday by the newspaper Le Temps, which reported that “several cantonal police forces, the Swiss army and the Federal Office of Police (Fedpol) have ...