Beware of hackers using the OAuTH system to make phishing.

Malwarebytes warns. Beware of hackers using OAuTH to do phishing, tricking the release of malware.

OAuTH or Open Authorization may be a protocol that makes it easy to use applications that need to access data on the machine without any password, just choose whether to approve or disapprove, but this system that seems to be secure has been used by hackers.

According to a report by the official website of anti-malware developer Malwarebyte, a research team from Microsoft has detected hackers using OAuTh in combination with deception, causing victims to be deceived, phishing, or malware-addicted, by using Silent OAuth to help change the target of visiting websites (Redirect), bringing victims into infrastructure-linked websites that are unaware of the above crimes. Hackers do not have to steal tokens. The use of the victim is in any way. The procedure of the practice consists of multiple elements. This

First, a hacker sends a fraudulent email to the victim, saying that it comes from a government agency, social security, a tax agency, or a company that has a fraudulent link with a fraudster to open a document such as "View Document" or "Review Report," or a PDF file with a link inside it.

This is the link mentioned in the first verse, which usually makes a link for logging in to Google or Microsoft services. It usually starts a link similar to the common login of the two services, such as https: / / login [.] microsoftonline [.] com / or https: / / accounts [.] google [.] com /. At this point, there is no sign that the parameter (Parameter) like prompt = none, odd or empty scope, encoded state being put in is wrong.

Yet, in the URL parameters, there is a combination of Silent OAuth (prompt = none) with special parameters that will cause such procedures to fail (invalid or missing scope). At this point, the OAuth provider will have to recheck the session, including the Conditional Access condition, and the system will predict that the OAuth will not be silent as requested and then send back the OAuth error notification, such as interaction _ required, access _ tolerance, or consent _ required.

At this point, after sending the error back, by the design of this mechanism, the system will change the target of visiting a website on the web browser to the URI that the application associated with OAuth has registered, along with the state and error parameter. In this case, it will take the victim to the hacker's fraudulent domain. But from the user's point of view, it will be like switching a visit page from Google or Microsoft to a new page without seeing the error string.

The landing page that the victim is brought to is a website that actually mimics the login page or the website of a famous business brand. At this point, the victim can find two patterns.

The first is a Phishing scam page or an Attacker in the Middle or AitM page that comes with a login page that looks nothing wrong. Some pages also come with a Captcha authentication system for realism. If the victim enters a password with a Multi-Factors Authentication or MFA, the AitM tool captures information including information in the Session Cookies.

A malware download page with both automatic download and lure the victim to download it with buttons on the page, such as "Download the secure document" or "Meeting resources," etc.

As a result of such a form of deception, hackers behind it have a code to use the victim's accounts or may come in the form of a backdoor malware embedding. Therefore, for security purposes, users must avoid clicking any links before clicking. Make sure to check every time. If you click and find anything wrong, immediately close the tab or web browser, as well as regularly update the operating system, web browser, and cybersecurity tools to help protect the other layer.

# Trending # Lemon 8 Howtoo # lemon 8 diary # oauth # freedomhack