When checking the URL isn’t enough: a Device Code Phishing attack via a Microsoft website


One of the most common pieces of anti-phishing advice is to double-check the website’s domain name before providing your credentials. Typically, a fraudulent domain stands out to the trained eye, differing from the official URL by at least a few characters. Recently, however, Kaspersky encountered a campaign where attackers instruct victims to input data directly into a legitimate, trusted corporate site: the Microsoft Identity Platform, which supports an OAuth 2.0 specification known as the Device Authorization Grant.

This specific protocol extension was designed to simplify the login experience for smart TVs, IoT hardware, printers, and other input-constrained devices that lack a full browser or keyboard. It allows users to use a nearby smartphone or PC for authorizing these devices to access their accounts.

Read more…
Source:  Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Probing Weaponized Chat Applications Abused in Supply-Chain Attacks

    December 14, 2022

    In late September 2022, threat researchers uncovered a supply-chain attack carried out by malicious actors using a trojanized installer of Comm100, a chat-based customer engagement application. Trend Micro investigation of the incident revealed that the breadth and depth of the campaign’s impact were greater than what the researchers had initially thought; Trend Micro researchers also ...

  • Hackers exploit critical Citrix ADC and Gateway zero day, patch now

    December 13, 2022

    Citrix strongly urges admins to apply security updates for an ‘Critical’ zero-day vulnerability (CVE-2022-27518) in Citrix ADC and Gateway that is actively exploited by state-sponsored hackers to gain access to corporate networks. This new vulnerability allows an unauthenticated attacker to execute commands remotely on vulnerable devices and take control over them. Citrix is warning admins to install ...

  • CISA Updates Advisory on #StopRansomware: Cuba Ransomware

    December 13, 2022

    The Federal Bureau of Investigation (FBI) and CISA have updated joint Cybersecurity Advisory AA22-335A: #StopRansomware: Cuba Ransomware, originally released on December 01, 2022. The advisory has been updated to include additional indicators of compromise (IOCs). CISA encourages organizations to review the latest update to AA22-335A and apply the recommended mitigations. Read more… Source: U.S. Cybersecurity and Infrastructure Security ...

  • Researchers smell a cryptomining Chaos RAT targeting Linux systems

    December 13, 2022

    A type of cryptomining malware targeting Linux-based systems has added capabilities by incorporating an open source remote access trojan called Chaos RAT with several advanced functions that bad guys can use to control remote operating systems. Trend Micro security researchers discovered the threat last month. Like earlier, similar versions of the miner that also target Linux ...

  • New Fortinet bug under active exploitation

    December 13, 2022

    Fortinet has warned customers to patch immediately against a new vulnerability it said is under active exploitation. The critical-rated vulnerability exists in a VPN product, FortiOS SSL-VPN. In its advisory, the company said the bug is a heap-based buffer overflow. Read more… Source: IT News  

  • IIS modules: The evolution of web shells and how to detect them

    December 12, 2022

    Web exploitation and web shells are some of the most common entry points in the current threat landscape. Web servers provide an external avenue directly into your corporate network, which often results in web servers being an initial intrusion vector or mechanism of persistence. Monitoring for exploitation and web shells should be a high priority ...