When checking the URL isn’t enough: a Device Code Phishing attack via a Microsoft website


One of the most common pieces of anti-phishing advice is to double-check the website’s domain name before providing your credentials. Typically, a fraudulent domain stands out to the trained eye, differing from the official URL by at least a few characters. Recently, however, Kaspersky encountered a campaign where attackers instruct victims to input data directly into a legitimate, trusted corporate site: the Microsoft Identity Platform, which supports an OAuth 2.0 specification known as the Device Authorization Grant.

This specific protocol extension was designed to simplify the login experience for smart TVs, IoT hardware, printers, and other input-constrained devices that lack a full browser or keyboard. It allows users to use a nearby smartphone or PC for authorizing these devices to access their accounts.

Read more…
Source:  Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • As cyber criminals start targeting retail, companies must be ready to fight back

    December 20, 2022

    Given the current geopolitical situation, it’s easy to conflate cybersecurity with the war in Ukraine and bad actors overseas. Historically, cyber-attacks have traditionally been associated with nation states and hacktivists conducting high-profile attacks on high-profile targets to wreak havoc, make headlines, and draw attention to their cause. However, the current cyber-security landscape is far murkier ...

  • Raspberry Robin Malware Targets Telecom, Governments

    December 20, 2022

    Trend Micro researchers found a malware sample allegedly capable of connecting to the Tor network to deliver its payloads. Their initial analysis of the malware, which compromised a number of organizations toward the end of September, showed that while the main malware routine contains both the real and fake payloads, it loads the fake payload ...

  • Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine

    December 20, 2022

    Since Unit 42 last blog in early February covering the advanced persistent threat (APT) group Trident Ursa (aka Gamaredon, UAC-0010, Primitive Bear, Shuckworm), Ukraine and its cyber domain has faced ever-increasing threats from Russia. Trident Ursa is a group attributed by the Security Service of Ukraine to Russia’s Federal Security Service. As the conflict has continued ...

  • XLLing in Excel – threat actors using malicious add-ins

    December 20, 2022

    For decades, Microsoft Office applications have served as one of the most significant entry points for malicious code. Malicious actors have continued to utilize Visual Basic for Applications (VBA) macros, despite automatic warnings to users after opening Office documents containing code. In addition to VBA macros, malicious actors, from cybercrime actors to state-sponsored groups, also exploited ...

  • Diving into an Old Exploit Chain and Discovering 3 new SIP-Bypass Vulnerabilities

    December 20, 2022

    More than two years ago, a researcher, A2nkF, published the details of an interesting exploit chain on the Objective-See blog. He demonstrated the exploit chain from root privilege escalation to SIP-Bypass up to arbitrary kernel extension loading. After diving into the second vulnerability of the exploit chain, Trend Micro researchers found that Apple’s patch for this issue is ...

  • Gatekeeper’s Achilles heel: Unearthing a macOS vulnerability

    December 19, 2022

    On July 27, 2022, Microsoft discovered a vulnerability in macOS that can allow attackers to bypass application execution restrictions imposed by Apple’s Gatekeeper security mechanism, designed to ensure only trusted apps run on Mac devices. We developed a proof-of-concept exploit to demonstrate the vulnerability, which we call “Achilles”. Gatekeeper bypasses such as this could be ...