When checking the URL isn’t enough: a Device Code Phishing attack via a Microsoft website


One of the most common pieces of anti-phishing advice is to double-check the website’s domain name before providing your credentials. Typically, a fraudulent domain stands out to the trained eye, differing from the official URL by at least a few characters. Recently, however, Kaspersky encountered a campaign where attackers instruct victims to input data directly into a legitimate, trusted corporate site: the Microsoft Identity Platform, which supports an OAuth 2.0 specification known as the Device Authorization Grant.

This specific protocol extension was designed to simplify the login experience for smart TVs, IoT hardware, printers, and other input-constrained devices that lack a full browser or keyboard. It allows users to use a nearby smartphone or PC for authorizing these devices to access their accounts.

Read more…
Source:  Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Is your car safe from a cyber attack?

    May 17, 2023

    In January 2022, 19-year-old David Colombo from Dinkelsbühl, Germany, announced via Twitter that he had been able to hack at least 25 Tesla vehicles in 13 countries and partially take them over. “So, I now have full remote control of over 25 Teslas in 13 countries and there seems to be no way to find ...

  • CISA and Partners Release BianLian Ransomware Cybersecurity Advisory

    May 16, 2023

    CISA, the Federal Bureau of Investigation (FBI), and the Australian Cyber Security Centre (ACSC) have released a joint Cybersecurity Advisory (CSA) with known BianLian ransomware and data extortion group technical details. Microsoft and Sophos contributed to the advisory. To reduce the likelihood and impact of BianLian and other ransomware incidents, CISA encourages organizations to implement ...

  • Open-source Cobalt Strike port ‘Geacon’ used in macOS attacks

    May 16, 2023

    Geacon, a Go-based implementation of the beacon from the widely abused penetration testing suite Cobalt Strike, is being used more and more to target macOS devices. Both Geacon and Cobalt Strike are utilities that legitimate organizations use to simulate attacks against their networks and improve defenses, but threat actors have also relied on them for attacks. Read ...

  • Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors

    May 15, 2023

    The Lancefly advanced persistent threat (APT) group is using a custom-written backdoor in attacks targeting organizations in South and Southeast Asia, in activity that has been ongoing for several years. Lancefly may have some links to previously known groups, but these are low confidence, which led researchers at Symantec, by Broadcom Software, to classify this activity ...

  • Data of 5.82M PharMerica patients stolen, accessed during cyberattack

    May 15, 2023

    More than 5.81 million patients tied to PharMerica have been notified that their data was accessed and stolen during a March cyberattack. The long-term care pharmacy solution provider reported the breach to the Office of the Maine Attorney General on May 12. On March 14, PharMerica “learned of suspicious activity” on its network and worked to ...

  • CISA Adds Seven Known Exploited Vulnerabilities to Catalog

    May 12, 2023

    CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-25717 Multiple Ruckus Wireless Products CSRF and RCE Vulnerability CVE-2021-3560 Red Hat Polkit Incorrect Authorization Vulnerability CVE-2014-0196 Linux Kernel Race Condition Vulnerability Read more… Source: U.S. Cybersecurity and Infrastructure Security Agency