When checking the URL isn’t enough: a Device Code Phishing attack via a Microsoft website


One of the most common pieces of anti-phishing advice is to double-check the website’s domain name before providing your credentials. Typically, a fraudulent domain stands out to the trained eye, differing from the official URL by at least a few characters. Recently, however, Kaspersky encountered a campaign where attackers instruct victims to input data directly into a legitimate, trusted corporate site: the Microsoft Identity Platform, which supports an OAuth 2.0 specification known as the Device Authorization Grant.

This specific protocol extension was designed to simplify the login experience for smart TVs, IoT hardware, printers, and other input-constrained devices that lack a full browser or keyboard. It allows users to use a nearby smartphone or PC for authorizing these devices to access their accounts.

Read more…
Source:  Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Crooks copy source code from Okta’s GitHub repository

    December 23, 2022

    Intruders copied source code belonging to Okta after breaching the identity management company’s GitHub repositories. Okta was alerted by Microsoft-owned GitHub earlier this month of “suspicious access” to its code repositories and determined that miscreants copied code associated with the company’s Workforce Identity Cloud (WIC), an enterprise-facing access and identity management tool to enable workers and ...

  • Ransomware and wiper signed with stolen certificates

    December 22, 2022

    On July 17, 2022, Albanian news outlets reported a massive cyberattack that affected Albanian government e-services. A few weeks later, it was revealed that the cyberattacks were part of a coordinated effort likely intended to cripple the country’s computer systems. On September 10, 2022, Albanian local news reported a second wave of cyberattacks targeting Albania’s ...

  • OpenImageIO file processing issues could lead to arbitrary code execution, sensitive information leak and denial of service

    December 22, 2022

    Cisco Talos recently discovered nineteen vulnerabilities in OpenImageIO, an image processing library, which could lead to sensitive information disclosure, denial of service and heap buffer overflows which could further lead to code execution. OpenImageIO is an image processing library useful for conversion and processing, as well as image comparison. This library is utilized by 3D-processing software ...

  • Vice Society ransomware gang switches to new custom encryptor

    December 22, 2022

    The Vice Society ransomware operation has switched to using a custom ransomware encrypt that implements a strong, hybrid encryption scheme based on NTRUEncrypt and ChaCha20-Poly1305. According to cybersecurity firm SentinelOne, which discovered the new strain and named it “PolyVice,” it’s likely that Vice Society sourced it from a vendor who supplies similar tools to other ransomware ...

  • After ransomware hits Colombian energy firm, Moody’s says low patch rate suggests inadequacies in cyber practices

    December 22, 2022

    A ransomware attack at top Colombian energy company Empresas Publicas de Medellin (EPM) may damage its credit quality, setting an alarm clock for the critical infrastructure industry to develop efficient mitigation practices and vulnerability management programs, Moody’s said. EPM, one of Colombia’s largest public energy, water, and gas providers suffered from a ransomware attack reported on ...

  • FIN7 hackers create auto-attack platform to breach Exchange servers

    December 22, 2022

    The notorious FIN7 hacking group uses an automated attack system that exploits Microsoft Exchange and SQL injection vulnerabilities to breach corporate networks, steal data, and select targets for ransomware attacks based on financial size. This system was discovered by Prodaft’s threat intelligence team, which has been closely following FIN7 operations for years now. In a report shared ...