When checking the URL isn’t enough: a Device Code Phishing attack via a Microsoft website


One of the most common pieces of anti-phishing advice is to double-check the website’s domain name before providing your credentials. Typically, a fraudulent domain stands out to the trained eye, differing from the official URL by at least a few characters. Recently, however, Kaspersky encountered a campaign where attackers instruct victims to input data directly into a legitimate, trusted corporate site: the Microsoft Identity Platform, which supports an OAuth 2.0 specification known as the Device Authorization Grant.

This specific protocol extension was designed to simplify the login experience for smart TVs, IoT hardware, printers, and other input-constrained devices that lack a full browser or keyboard. It allows users to use a nearby smartphone or PC for authorizing these devices to access their accounts.

Read more…
Source:  Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • TrickBot’s new module aims to infect your UEFI firmware

    December 3, 2020

    The developers of TrickBot have created a new module that probes for UEFI vulnerabilities, demonstrating the actor’s effort to take attacks at a level that would give them ultimate control over infected machines. With access to UEFI firmware, a threat actor would establish on the compromised machine persistence that resists operating system reinstalls or replacing of ...

  • Phishing campaign targets organizations in COVID-19 vaccine cold chain

    December 3, 2020

    IBM’s cyber-security division says that hackers are targeting companies associated with the storage and transportation of COVID-19 vaccines using temperature-controlled environments — also known as the COVID-19 vaccine cold chain. The attacks consisted of spear-phishing emails seeking to collect credentials for a target’s internal email and applications. Targets of the attacks included a wide variety of companies, ...

  • Ransomware gang says they stole 2 million credit cards from E-Land

    December 3, 2020

    Clop ransomware is claiming to have stolen 2 million credit cards from E-Land Retail over a one-year period ending with last months ransomware attack. E-Land Retail, a subsidiary of E-Land Global, operates numerous retail clothing stores, including New Core and NC Department Store. Last month, E-Land Retail had to shut down 23 NC Department Store and New ...

  • From Geost to Locker: Monitoring the Evolution of Android Malware Obfuscation

    December 3, 2020

    In 2019, I looked into Geost, an Android trojan with interesting layers of obfuscation. This entry serves to show how its obfuscation method has evolved by comparing my findings from 2019 with new samples from 2020. It is also part of a larger research endeavor done with Masarah Paquet-Clouston, Maria Jose Erquiaga, and Sebastian Garcia. Our ...

  • Kmart, Latest Victim of Egregor Ransomware

    December 3, 2020

    Retail stalwart Kmart has suffered a ransomware attack at the hands of the Egregor gang, according to a report. The incident has encrypted devices and servers connected to the company’s networks, knocking out back-end services, according to BleepingComputer. The outlet obtained the purported ransom note that claims to have compromised Kmart’s Windows domain. The company was purchased ...

  • APT annual review: What the world’s threat actors got up to in 2020

    December 3, 2020

    Beyond Windows While Windows continues to be the main focus for APT threat actors, we have observed a number of non-Windows developments this year. Last year we reported a malware framework called MATA that we attribute to Lazarus. This framework included several components such as a loader, orchestrator and plug-ins. In April, we learned that MATA ...