When checking the URL isn’t enough: a Device Code Phishing attack via a Microsoft website


One of the most common pieces of anti-phishing advice is to double-check the website’s domain name before providing your credentials. Typically, a fraudulent domain stands out to the trained eye, differing from the official URL by at least a few characters. Recently, however, Kaspersky encountered a campaign where attackers instruct victims to input data directly into a legitimate, trusted corporate site: the Microsoft Identity Platform, which supports an OAuth 2.0 specification known as the Device Authorization Grant.

This specific protocol extension was designed to simplify the login experience for smart TVs, IoT hardware, printers, and other input-constrained devices that lack a full browser or keyboard. It allows users to use a nearby smartphone or PC for authorizing these devices to access their accounts.

Read more…
Source:  Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Office 365 Phishing Campaign Uses Kaspersky’s Amazon SES Token

    November 1, 2021

    A surge in spearphishing emails designed to steal Office 365 credentials were rigged to look like they came from a Kaspersky email address. In spite of coming from sender addresses such as [email protected], nobody at Kaspersky sent the phishing emails, the security company said in an advisory issued on Monday. Rather, the emails were sent with ...

  • Europol: 12 Targeted For Involvement In Ransomware Attacks Against Critical Infrastructure

    October 29, 2021

    A total of 12 individuals wreaking havoc across the world with ransomware attacks against critical infrastructure have been targeted as the result of a law enforcement and judicial operation involving eight countries. These attacks are believed to have affected over 1 800 victims in 71 countries. These cyber actors are known for specifically targeting large corporations, ...

  • TrickBot malware dev extradited to U.S. faces 60 years in prison

    October 29, 2021

    A Russian national believed to be a member of the TrickBot malware development team has been extradited to the U.S. and is currently facing charges that could get him 60 years in prison. 38-year old Vladimir Dunaev, also known as FFX, was a malware developer that supervised the creation of TrickBot’s browser injection module, the indictment ...

  • Schreiber Foods back to normal after ransomware attack shuts down milk plants

    October 29, 2021

    Schreiber Foods said its plants and distribution centers are back up and running after a ransomware attack took down their systems earlier last weekend. The food production giant became the latest critical industry company to be hit with ransomware in recent months as cybercriminals continue to show little fear in attacking a variety of industries. Schreiber ...

  • Suspected REvil Gang Insider Identified

    October 28, 2021

    He lolls around on yachts, wears a luxury watch with a Bitcoin address engraved on its dial, and is suspected of buying it all with money he made as a core member of the REvil ransomware gang. The showy billionaire goes by “Nikolay K.”on social media, and German police are hoping he’ll cruise out of Russia ...

  • Network Scanning Traffic Observed in Public Clouds

    October 28, 2021

    Tracking network scanning activities can help researchers understand which services are being targeted. By monitoring the origins of the scanners, researchers can also identify compromised endpoints. If a host belonging to a known organization suddenly starts to scan a part of the internet, it is a strong indicator that the host is compromised. This blog summarizes ...