When checking the URL isn’t enough: a Device Code Phishing attack via a Microsoft website


One of the most common pieces of anti-phishing advice is to double-check the website’s domain name before providing your credentials. Typically, a fraudulent domain stands out to the trained eye, differing from the official URL by at least a few characters. Recently, however, Kaspersky encountered a campaign where attackers instruct victims to input data directly into a legitimate, trusted corporate site: the Microsoft Identity Platform, which supports an OAuth 2.0 specification known as the Device Authorization Grant.

This specific protocol extension was designed to simplify the login experience for smart TVs, IoT hardware, printers, and other input-constrained devices that lack a full browser or keyboard. It allows users to use a nearby smartphone or PC for authorizing these devices to access their accounts.

Read more…
Source:  Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • CISA Adds Three Known Exploited Vulnerabilities to Catalog  

    June 9, 2022

    CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow in the ...

  • New Linux malware is ‘almost impossible’ to detect

    June 9, 2022

    A joint research effort has led to the discovery of Symbiote, a new form of Linux malware that is “almost impossible” to detect. On Thursday, researchers from BlackBerry Threat Research & Intelligence team, together with Intezer security researcher Joakim Kennedy, published a blog post on the malware – dubbed Symbiote because of its “parasitic nature.” The team ...

  • Facebook phishing campaign nets millions in IDs and cash

    June 9, 2022

    An ongoing phishing campaign targeting Facebook users may have already netted hundreds of millions of credentials and a claimed $59 million, and it’s only getting bigger. Identified by security researchers at phishing prevention company Pixm in late 2021, the campaign has only been running since the final quarter of last year, but has already proven incredibly ...

  • CISA Adds 36 Known Exploited Vulnerabilities to Catalog 

    June 8, 2022

    CISA has added 36 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow in the ...

  • People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices

    June 8, 2022

    This joint Cybersecurity Advisory describes the ways in which People’s Republic of China (PRC) state-sponsored cyber actors continue to exploit publicly known vulnerabilities in order to establish a broad network of compromised infrastructure. These actors use the network to exploit a wide variety of targets worldwide, including public and private sector organizations. The advisory details the ...

  • Cuba ransomware returns to extorting victims with updated encryptor

    June 8, 2022

    The Cuba ransomware operation has returned to regular operations with a new version of its malware found used in recent attacks. Cuba ransomware’s activity reached a peak in 2021 when it partnered with the Hancitor malware gang for initial access. By the end of the year, it had breached 49 critical infrastructure organizations in the United ...