When checking the URL isn’t enough: a Device Code Phishing attack via a Microsoft website


One of the most common pieces of anti-phishing advice is to double-check the website’s domain name before providing your credentials. Typically, a fraudulent domain stands out to the trained eye, differing from the official URL by at least a few characters. Recently, however, Kaspersky encountered a campaign where attackers instruct victims to input data directly into a legitimate, trusted corporate site: the Microsoft Identity Platform, which supports an OAuth 2.0 specification known as the Device Authorization Grant.

This specific protocol extension was designed to simplify the login experience for smart TVs, IoT hardware, printers, and other input-constrained devices that lack a full browser or keyboard. It allows users to use a nearby smartphone or PC for authorizing these devices to access their accounts.

Read more…
Source:  Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Norwegian student tracks Bluetooth headset wearers by wardriving around Oslo on a bicycle

    September 4, 2021

    A Norwegian student who went wardriving around Oslo on a pushbike has discovered that several popular models of Bluetooth headphones don’t implement MAC address randomisation – meaning they can be used to track their wearers. Norwegian state broadcaster NRK revealed Bjorn Hegnes’ findings after helping him analyse Bluetooth emissions from a dozen different models of audio ...

  • Analyzing SSL/TLS Certificates Used by Malware

    September 3, 2021

    Malware has increasingly been making use of encryption to help hide their network traffic in recent years. This makes sense especially when one realizes that ordinary network traffic is increasingly encrypted as well. Google’s own Transparency Report notes that HTTPS traffic now makes up the vast majority of network traffic passed via the Google Chrome ...

  • The Evolution of Connected Cars as Defined by Threat Modeling UN R155-Listed Attack Vectors

    September 3, 2021

    The United Nations Regulation No. 155 sets provisions for cybersecurity and cyber security management systems in vehicles. A notable section of the document is Annex 5, which lists 69 attack vectors affecting vehicle cybersecurity. In order to help organizations comply with this regulation, we conducted a threat modelling exercise on the defined attack vectors as ...

  • Threat Brief: CVE-2021-26084

    September 3, 2021

    On Aug. 25, 2021, Atlassian released a security advisory for an injection vulnerability in Confluence Server and Data Center, CVE-2021-26084. If the vulnerability is exploited, threat actors could bypass authentication and run arbitrary code on unpatched systems. Since the release of this advisory, mass scanning activity has started to occur, seeking unpatched systems, and in-the-wild ...

  • Conti ransomware now hacking Exchange servers with ProxyShell exploits

    September 3, 2021

    The Conti ransomware gang is hacking into Microsoft Exchange servers and breaching corporate networks using recently disclosed ProxyShell vulnerability exploits. ProxyShell is the name of an exploit utilizing three chained Microsoft Exchange vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) that allow unauthenticated, remote code execution on unpatched vulnerable servers. Read more… Source: Bleeping Computer  

  • Babuk ransomware’s full source code leaked on hacker forum

    September 3, 2021

    A threat actor has leaked the complete source code for the Babuk ransomware on a Russian-speaking hacking forum. Babuk Locker, also known internally as Babyk, is a ransomware operation launched at the beginning of 2021 when it began targeting businesses to steal and encrypt their data in double-extortion attacks. Read more… Source: Bleeping Computer