When checking the URL isn’t enough: a Device Code Phishing attack via a Microsoft website


One of the most common pieces of anti-phishing advice is to double-check the website’s domain name before providing your credentials. Typically, a fraudulent domain stands out to the trained eye, differing from the official URL by at least a few characters. Recently, however, Kaspersky encountered a campaign where attackers instruct victims to input data directly into a legitimate, trusted corporate site: the Microsoft Identity Platform, which supports an OAuth 2.0 specification known as the Device Authorization Grant.

This specific protocol extension was designed to simplify the login experience for smart TVs, IoT hardware, printers, and other input-constrained devices that lack a full browser or keyboard. It allows users to use a nearby smartphone or PC for authorizing these devices to access their accounts.

Read more…
Source:  Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Ransomware gang demands $7.5 million from Argentinian ISP

    July 20, 2020

    A ransomware gang has infected the internal network of Telecom Argentina, one of the country’s largest internet service providers, and is now asking for a $7.5 million ransom demand to unlock encrypted files. The incident took place over the weekend, on Saturday, July 18, and is considered one of Argentina’s biggest hacks. Sources inside the ISP said ...

  • Emotet-TrickBot malware duo is back infecting Windows machines

    July 20, 2020

    After awakening last week and starting to send spam worldwide, Emotet is now once again installing the TrickBot trojan on infected Windows computers. On July 17th, 2020, after over five months of inactivity, the Emotet Trojan woke up and started massive spam campaigns pretending to be payment reports, invoices, shipping information, and employment opportunities. These spam emails ...

  • Windows 10 Store ‘wsreset’ tool lets attackers bypass antivirus

    July 20, 2020

    A technique that exploits Windows 10 Microsoft Store called ‘wsreset.exe’ can delete bypass antivirus protection on a host without being detected. Wsreset.exe is a legitimate troubleshooting tool that lets users diagnose problems with the Windows Store and reset its cache. Pentester and researcher Daniel Gebert has discovered that wsreset.exe can be abused to delete arbitrary files. As wsreset.exe ...

  • Twitter Hack Update: What We Know (and What We Don’t)

    July 17, 2020

    Earlier this week, Twitter locked down thousands of verified accounts, including the accounts of Joe Biden, Bill Gates, Elon Musk, Apple, Uber and others, after it became clear that hackers had been able to compromise them. The tip-off? Suddenly these high-profile accounts were all tweeting out identical links to a cryptocurrency scam. But what exactly happened? ...

  • Thousands of Vulnerable F5 BIG-IP Users Still Open to Takeover

    July 17, 2020

    About 8,000 users of F5 Networks’ BIG-IP family of networking devices are still vulnerable to full system access and remote code-execution (RCE), despite a patch for a critical flaw being available for two weeks. The BIG-IP family consists of application delivery controllers, Local Traffic Managers (LTMs) and domain name system (DNS) managers, together offering built-in security, ...

  • Emotet spam trojan surges back to life after 5 months of silence

    July 17, 2020

    After months of inactivity, the notorious Emotet spamming trojan has come alive again as it spews out a massive campaign of malicious emails targeting users worldwide. Emotet is a malware infection that spreads through spam emails containing malicious Word or Excel documents. These documents utilize macros to download and install the Emotet Trojan on a victim’s ...