CyberSecurityBoard
Sponsor Register Login

Money-grubbing crooks abuse OAuth apps for BEC, phishing The Register

Multiple miscreants are misusing OAuth to automate financially motivated cyber crimes - such as business email compromise, phishing, large-scale spamming campaigns - and deploying virtual machines to illicitly mine for cryptocurrencies, according to Microsoft.
OAuth, short for Open Authorization, is an open standard for token-based access delegation, allowing applications to access resources and data hosted by other web apps.
Microsoft's identity platform uses OAuth 2.0 for handling authorization.
Like almost any software, it can be abused for nefarious purposes.
OAuth is an especially appealing target for criminals in cases where compromised accounts don't have strong authentication in place, and user permissions allow them to create or modify OAuth applications.
Microsoft, in a threat intel report, details one cyber crime crew it tracks as Storm-1283 that used a compromised account to create an OAuth application and deploy VMs for crypto mining, while also racking up between $10,000 and $1.5 million in Azure compute fees.
The crew also took advantage of other OAuth applications that the compromised user could access, and added new credentials to those apps to expand its mining capabilities.
The crims started with a small set of VMs before returning to deploy more.
A different cybercrime gang, Storm-1286, abused OAuth applications for a massive spamming campaign after compromising email accounts with password spraying.
Most of the compromised accounts did not have multi-factor authentication enabled.
The criminals used compromised accounts to create more new OAuth applications using Azure PowerShell or a Swagger Codegen-based client.
The attackers used the compromised email accounts to grant permission to the new apps.
The emails contained a malicious URL leading to an attacker-controlled proxy service that sits between the victim and the legitimate Microsoft sign-in page.
This type of man-in-the-middle or adversary-in-the-middle attack allows the crooks to steal the token from the user's session cookie.
These stolen tokens can then be abused for session cookie replay activity.
Microsoft also published a set of incident response playbooks for App consent grant investigation and compromised and malicious applications investigation to help security teams respond more quicky to these types of threats.


This Cyber News was published on go.theregister.com. Publication date: Thu, 14 Dec 2023 12:13:05 +0000


Cyber News related to Money-grubbing crooks abuse OAuth apps for BEC, phishing The Register

What SOCs Need to Know About Water Dybbuk - According to the Federal Bureau of Investigation, BEC costs victims more money than ransomware, with an estimated US$2.4 billion being lost to BEC in the US in 2021. Recently, BEC scammers have been using stolen accounts from legitimate Simple Mail ...
1 year ago Trendmicro.com
Threat actors misuse OAuth applications to automate financially driven attacks - Threat actors are misusing OAuth applications as an automation tool in financially motivated attacks. Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious ...
6 months ago Microsoft.com
Attackers Target Microsoft Accounts to Weaponize OAuth Apps - Threat actors are abusing organizations' weak authentication practices to create and exploit OAuth applications, often for financial gain, in a string of attacks that include various vectors, including cryptomining, phishing, and password spraying. ...
6 months ago Darkreading.com
Money-grubbing crooks abuse OAuth apps for BEC, phishing The Register - Multiple miscreants are misusing OAuth to automate financially motivated cyber crimes - such as business email compromise, phishing, large-scale spamming campaigns - and deploying virtual machines to illicitly mine for cryptocurrencies, according to ...
6 months ago Go.theregister.com
Concerned About Business Email Compromise? 4 Technologies That Can Help - Business email compromise is a sophisticated form of cybercrime that targets commercial, governmental and non-profit organizations. The cybercriminal impersonates a senior executive or a key vendor and sends an email to an unsuspecting employee with ...
6 months ago Securityboulevard.com
Microsoft warning: These phishing attackers used fake OAuth apps to steal email - Microsoft has warned that fraudulent Microsoft Partner Network accounts were used in a phishing campaign that featured bogus apps that tricked victims into granting them permissions to access their email accounts. The attackers used the fraudulent ...
1 year ago Zdnet.com
Hackers Abuse OAuth Applications to Automated Finacial Attacks - OAuth is an industry-standard protocol that allows third-party applications to access a user's data without exposing login credentials. This standard protocol facilitates secure authorization and authentication, commonly used to access resources on ...
6 months ago Cybersecuritynews.com
Microsoft: OAuth apps used to automate BEC and cryptomining attacks - Microsoft warns that financially-motivated threat actors are using OAuth applications to automate BEC and phishing attacks, push spam, and deploy VMs for cryptomining. OAuth is an open standard for granting apps secure delegated access to server ...
6 months ago Bleepingcomputer.com
Microsoft Disables Verified Partner Accounts Used for OAuth Phishing - Microsoft has disabled multiple fraudulent, verified Microsoft Partner Network accounts for creating malicious OAuth applications that breached organizations cloud environments to steal email. In a joint announcement between Microsoft and Proofpoint, ...
1 year ago Bleepingcomputer.com
Data thieves abuse Microsoft's 'verified publisher' status The Register - Miscreants using malicious OAuth applications abused Microsoft's "Verified publisher" status to gain access to organizations' cloud environments, then steal data and pry into to users' mailboxes, calendars, and meetings. According to researchers with ...
1 year ago Packetstormsecurity.com
Spear Phishing vs Phishing: What Are The Main Differences? - Almost half of them used phishing to obtain the passwords of users. Highly targeted phishing campaigns against specific individuals or types of individuals are known as spear phishing. It's important to be able to spot phishing in general. For ...
4 months ago Techrepublic.com
Attackers abuse OAuth apps to initiate large-scale cryptomining and spam campaigns - Attackers are compromising high-privilege Microsoft accounts and abusing OAuth applications to launch a variety of financially-motivated attacks. OAuth is an open standard authentication protocol that uses tokens to grant applications access to ...
6 months ago Helpnetsecurity.com
Flipping the BEC funnel: Phishing in the age of GenAI - For years, phishing was just a numbers game: A malicious actor would slap together an extremely generic email and fire it out to thousands of recipients in the hope that a few might take the bait. Common among these new techniques was a shift towards ...
5 months ago Helpnetsecurity.com
Latest Information Security and Hacking Incidents - User data security has grown critical in an era of digital transactions and networked apps. The misuse of OAuth applications is a serious danger that has recently attracted attention in the cybersecurity field. OAuth is a widely used authentication ...
6 months ago Cysecurity.news
Hackers Abused Microsoft's "Verified Publisher" OAuth Apps to Hack Corporate Email Accounts - Microsoft on Tuesday said it took steps to disable fake Microsoft Partner Network accounts that were used for creating malicious OAuth applications as part of a malicious campaign designed to breach organizations' cloud environments and steal email. ...
1 year ago Thehackernews.com
What Is OAuth 2.0? - Scope of Access: Before OAuth, the meal planning app might have access to data that the user did not actually wish to share. No Way to Revoke Access: Before OAuth, the user could not easily restrict or revoke the meal planning app's access to their ...
5 months ago Feeds.dzone.com
Threat Actors Exploit Microsoft Verified Publisher Status to Abuse OAuth Privileges - Researchers from cybersecurity firm Proofpoint have discovered a new threat campaign involving malicious third-party OAuth apps that are used to infiltrate organizations cloud environments. Threat actors abused Microsofts Verified publisher status, ...
1 year ago Csoonline.com
CyberCrime & Doing Time: Identification Documents: an Obsolete Fraud Countermeasure - When I'm talking to bankers and other fraud fighters, I often mention how easy it is for a criminal to obtain a Drivers License bearing any information they desire. In the new case, Brianna Mills, a 28-year old bank teller in Loganville, Georgia ...
4 months ago Garwarner.blogspot.com
Business Email Compromise Scams: Prevention and Response - We will also highlight red flags to watch out for in suspicious emails, emphasizing the importance of implementing robust email authentication methods and comprehensive employee training programs to enhance awareness and response capabilities. BEC ...
5 months ago Securityzap.com
ChatGPT Clone Apps Collecting Personal Data on iOS, Play Store - On Android devices, one of the apps analyzed by researchers has more than 100,000 downloads, tracks, and shares location data with ByteDance and Amazon, etc. ChatGPT, the AI software, has already taken the Internet by storm, and that is why ...
1 year ago Hackread.com
Data Insecurity: Experts Sound the Alarm on 4 Apps Putting User Privacy at Risk - Even though many of us rely on apps to entertain us, guide us, manage our exercise, and connect with family and friends, they are notoriously hard to trust. In an age when technology is constantly evolving, it is almost impossible to tell if a ...
6 months ago Cysecurity.news
Combat Phishing Attacks With AI-Powered Threat Protection - According to statistics, 81% of organizations have seen an increase in phishing emails since 2020, with an estimated 3.4 billion emails sent every day. AI-generated phishing emails are a sophisticated and evolving cybersecurity threat. ...
4 months ago Gbhackers.com
CyberCrime & Doing Time: Classic Baggie: A Delaware BEC Case calls him the leader of an International Criminal Organization - The U.S. Attorney's office in Delaware charged Olugbenga Lawal with being a major money launderer for a Nigerian-based international criminal organization that specialized in Business Email Compromise and Romance Scam. The Defendant's importance in ...
5 months ago Garwarner.blogspot.com
CVE-2016-4839 - The Android Apps Money Forward (prior to v7.18.0), Money Forward for The Gunma Bank (prior to v1.2.0), Money Forward for SHIGA BANK (prior to v1.2.0), Money Forward for SHIZUOKA BANK (prior to v1.4.0), Money Forward for SBI Sumishin Net Bank (prior ...
3 years ago
CVE-2016-4838 - The Android Apps Money Forward (prior to v7.18.0), Money Forward for The Gunma Bank (prior to v1.2.0), Money Forward for SHIGA BANK (prior to v1.2.0), Money Forward for SHIZUOKA BANK (prior to v1.4.0), Money Forward for SBI Sumishin Net Bank (prior ...
3 years ago

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)