When checking the URL isn’t enough: a Device Code Phishing attack via a Microsoft website


One of the most common pieces of anti-phishing advice is to double-check the website’s domain name before providing your credentials. Typically, a fraudulent domain stands out to the trained eye, differing from the official URL by at least a few characters. Recently, however, Kaspersky encountered a campaign where attackers instruct victims to input data directly into a legitimate, trusted corporate site: the Microsoft Identity Platform, which supports an OAuth 2.0 specification known as the Device Authorization Grant.

This specific protocol extension was designed to simplify the login experience for smart TVs, IoT hardware, printers, and other input-constrained devices that lack a full browser or keyboard. It allows users to use a nearby smartphone or PC for authorizing these devices to access their accounts.

Read more…
Source:  Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • NATO investigates hacker sale of missile firm data

    August 26, 2022

    Nato is assessing the impact of a data breach of classified military documents being sold by a hacker group online. The data includes blueprints of weapons being used by Nato allies in the Ukraine war. Criminal hackers are selling the dossiers after stealing data linked to a major European weapons maker. MBDA Missile Systems admitted its data was ...

  • Twilio breach let hackers gain access to Authy 2FA accounts

    August 26, 2022

    Twilio’s investigation into the attack on August 4 reveals that hackers gained access to some Authy user accounts and registered unauthorized devices. Authy is a two-factor authentication (2FA) service from Twilio that allows users to secure their online accounts where the feature is supported by identifying a second time via a dedicated app after typing in ...

  • PyPI warns of first-ever phishing campaign against its users

    August 26, 2022

    The Python Package Index, better known among developers as PyPI, has issued a warning about a phishing attack targeting developers who use the service. The community-run organization said this is the first known phishing attack against PyPI users. And the attack has unfortunately been somewhat successful, resulting in the compromise of some users’ accounts. PyPI is an ...

  • Cyber criminals are launching phishing attacks on LinkedIn

    August 25, 2022

    Regular users of LinkedIn, the professional networking and social working platform, have noticed an increase of threat actors trying to steal critical personal information through phishing attacks. These cyber criminals are using false LinkedIn accounts to trick unsuspecting victims into giving up confidential information. How are they doing it? Threat actors start by creating fraudulent LinkedIn ...

  • MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations

    August 25, 2022

    In recent weeks, the Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team detected Iran-based threat actor MERCURY leveraging exploitation of Log4j 2 vulnerabilities in SysAid applications against organizations all located in Israel. MSTIC assesses with high confidence that MERCURY’s observed activity was affiliated with Iran’s Ministry of Intelligence and Security (MOIS). While MERCURY ...

  • Kimsuky’s GoldDragon cluster and its C2 operations

    August 25, 2022

    Kimsuky (also known as Thallium, Black Banshee and Velvet Chollima) is a prolific and active threat actor primarily targeting Korea-related entities. Like other sophisticated adversaries, this group also updates its tools very quickly. In early 2022, Kaspersky researchers observed this group was attacking the media and a think-tank in South Korea and reported technical details ...