When checking the URL isn’t enough: a Device Code Phishing attack via a Microsoft website


One of the most common pieces of anti-phishing advice is to double-check the website’s domain name before providing your credentials. Typically, a fraudulent domain stands out to the trained eye, differing from the official URL by at least a few characters. Recently, however, Kaspersky encountered a campaign where attackers instruct victims to input data directly into a legitimate, trusted corporate site: the Microsoft Identity Platform, which supports an OAuth 2.0 specification known as the Device Authorization Grant.

This specific protocol extension was designed to simplify the login experience for smart TVs, IoT hardware, printers, and other input-constrained devices that lack a full browser or keyboard. It allows users to use a nearby smartphone or PC for authorizing these devices to access their accounts.

Read more…
Source:  Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • COVID-19: Cloud Threat Landscape

    May 4, 2020

    Unit 42 researchers analyzed 1.2 million newly observed hostnames (NOH) containing keywords related to the COVID-19 pandemic from March 9, 2020 to April 26, 2020 (7 weeks). 86,600+ fully qualified domain names are classified as  “high-risk” or “malicious” (C2, malware, or phishing), spread across various regions , as shown in Figure 1. The United States ...

  • Oracle: Unpatched Versions of WebLogic App Server Under Active Attack

    May 4, 2020

    Oracle is urging customers to fast-track a patch for a critical flaw in its WebLogic Server under active attack. The company said it has received numerous reports that attackers were targeting the vulnerability patched last month. Oracle WebLogic Server is a popular application server used in building and deploying enterprise Java EE applications. The server has a remote ...

  • Airplane Hack Exposes Weaknesses of Alert and Avoidance Systems

    May 4, 2020

    The aircraft safety system known as the Traffic Alert and Collision Avoidance System (TCAS) can be coerced into sending an airplane on a mid-air rollercoaster ride – much to the horror of those onboard. Researchers were able to cobble together an effective method for spoofing the TCAS using a $10 USB-based Digital Video Broadcasting dongle and ...

  • TrickBot Attack Exploits COVID-19 Fears with DocuSign-Themed Ploy

    May 1, 2020

    Threat actors are using people’s interest in the Department of Labor’s Family and Medical Leave Act (FMLA) to spread what appears to be the TrickBot trojan in a new spam campaign that security researchers discovered recently. Recent analysis from spam honeypots set by IBM X-Force discovered actors targeting email recipients with fake messages that claim to ...

  • Upgraded Cerberus Spyware Spreads Rapidly via MDM

    May 1, 2020

    A newly discovered variant of the Cerberus Android trojan has been spotted, with vastly expanded and more sophisticated info-harvesting capabilities, and the ability to run TeamViewer. It was spotted by researchers being used in a targeted campaign on a multinational conglomerate. Unusually, the sample propagated through the employee pool via the infected company’s mobile device management ...

  • APT trends report Q1 2020

    April 30, 2020

    For more than two years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They ...