[Egypt] spear phishing via oauth tokens

Subject: [Egypt] spear phishing via oauth tokens
From: rsw@therandymon.com (RS Wood)
Newsgroups: dictator.mideast
Organization: solani.org
Date: Mar 08 2019 04:14:13

An anonymous reader quotes a report from ZDNet:

Members of Amnesty International say that Egyptian authorities are
behind a recent wave of spear-phishing attacks that have targeted
prominent local human rights defenders, media, and civil society
organizations' staff. The attacks used a relatively new spear-phishing
technique called "OAuth phishing," Amnesty experts said. OAuth phishing
is when attackers aim to steal a user account's OAuth token instead of
the account password. When a user grants a third-party app the right to
access their account, the app receives an OAuth token instead of the
user's password.

These tokens work as authorization until the user revokes their access.
Amnesty investigators said that in the recent spear-phishing campaign
that targeted Egyptian activists, authorities created Gmail third-party
apps through which they gained access to victims' accounts. Victims
would receive an email that looked like a legitimate Gmail security
alert. But when they clicked the link, they'd be redirected to a page
where a third-party app would request access to their account. Once the
victim granted the app access to their Gmail account, the user would be
redirected to the account's legitimate security settings page where
they'd be left to change their password. Even if the victim changes
their password, at this point, the phishers would still have access to
the account via the newly acquired OAuth token.

The Amnesty International report says the spear-phishing campaign also
targeted Yahoo, Outlook and Hotmail users.
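The token lifecycle the report describes, as an added Python example that is not part of the original post nor code from ZDNet or Amnesty: a hypothetical in-memory identity provider (`IdentityProvider`, the `activist` user, the `mail-alerts-lookalike` app name and the `mail.read` scope are all constructed) whose consent screen hands a third-party app a bearer token, so that changing the password leaves the token valid while revoking the app's grant cuts it off.

```python
# Added toy model of the OAuth-consent flow described above (not ZDNet's or Amnesty's code).
from dataclasses import dataclass
import hashlib
import secrets

@dataclass
class Grant:
    token: str      # bearer token handed to the third-party app
    app_id: str     # which registered app holds it
    scopes: tuple   # what it may do, e.g. ("mail.read",)

def hash_password(password):
    salt = secrets.token_bytes(16)   # toy salted hash, illustration only
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()

class IdentityProvider:
    def __init__(self):
        self.passwords = {}   # user -> (salt, digest)
        self.grants = {}      # user -> list of Grant

    def register_user(self, user, password):
        self.passwords[user] = hash_password(password)
        self.grants[user] = []

    def consent(self, user, app_id, scopes):
        """Consent screen: the app receives a token, never the user's password."""
        grant = Grant(secrets.token_urlsafe(24), app_id, tuple(scopes))
        self.grants[user].append(grant)
        return grant.token

    def access_mailbox(self, user, token):
        """Resource check: any live token carrying the mail scope gets in."""
        return any(g.token == token and "mail.read" in g.scopes for g in self.grants[user])

    def change_password(self, user, new_password):
        self.passwords[user] = hash_password(new_password)   # grants are untouched

    def revoke_app(self, user, app_id):
        """Revoking the app's grant is what actually invalidates its token."""
        self.grants[user] = [g for g in self.grants[user] if g.app_id != app_id]

def demo():
    idp = IdentityProvider()
    idp.register_user("activist", "old-password")          # constructed sample user
    tok = idp.consent("activist", "mail-alerts-lookalike", ["mail.read"])
    before = idp.access_mailbox("activist", tok)
    idp.change_password("activist", "new-password")
    after_pw_change = idp.access_mailbox("activist", tok)  # still True
    idp.revoke_app("activist", "mail-alerts-lookalike")
    return before, after_pw_change, idp.access_mailbox("activist", tok)
```

The remediation step the report implies is therefore the last one: review and revoke third-party app access, not only rotate the password.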
