• E-mail phishing and crypto mining cracks via rogue OAuth bots

    From Big Bad Bombastic Bob@21:1/5 to All on Thu Dec 14 10:04:20 2023
    https://www.theregister.com/2023/12/14/moneygrubbing_crooks_abuse_oauth_apps

    "Multiple miscreants are misusing OAuth to automate financially
    motivated cyber crimes – such as business email compromise (BEC),
    phishing, large-scale spamming campaigns – and deploying virtual
    machines to illicitly mine for cryptocurrencies, according to Microsoft."

    "one cyber crime crew [snip] used a compromised account to create an
    OAuth application and deploy VMs for crypto mining, while also racking
    up between $10,000 and $1.5 million in Azure compute fees."

    "A different cybercrime gang [snip] abused OAuth applications for a
    massive spamming campaign after compromising email accounts with
    password spraying. Most of the compromised accounts did not have
    multi-factor authentication enabled."

    "in yet another case of using compromised accounts to create OAuth
    applications, [snip] an unnamed criminal launched a phishing campaign,
    sending 'a significant number of emails' to multiple organizations."

    The phishing e-mails contain several easily recognized subject lines:

    <quote>

    * <Username> shared “<Username> contracts” with you.
    * <Username> shared “<User domain>” with you.
    * OneDrive: You have received a new document today
    * <Username> Mailbox password expiry
    * Mailbox password expiry
    * <Username> You have Encrypted message
    * Encrypted message received

    </quote>

    "The emails contained a malicious URL leading to an attacker-controlled
    proxy service that sits between the victim and the legitimate Microsoft
    sign-in page. This type of man-in-the-middle or adversary-in-the-middle
    attack allows the crooks to steal the token from the user's session cookie."

    "These stolen tokens can then be abused for session cookie replay activity."


    Seems OAuth isn't much better than user+passphrase over a secure connection.

    The article recommends Multi-Factor Authentication (MFA) as a way of
    mitigating. I recently had to do this with my github login.
    Fortunately there is a simple 'TOTP' plugin (called 'TOTP' i.e. what it
    says on the tin) for Firefox, and the command line token does not seem
    to have changed. SO, when I enter user/pass for github in a browser, I
    get a new page to enter a code. I hit the TOTP button in the tool area
    at the top, and click once on the code, then paste the text into the
    login box. So all good. Had to jump through some minor hoops and do
    head scratching to set it up, but now that it is set up, no problem.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
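The TOTP step described in the post, as an added example that is not code from the post or from The Register article: a minimal RFC 6238 generator in Python (what the browser plugin computes from the shared secret), plus the server-side check that tolerates a little clock drift but refuses to accept a code for a time step that has already been used. The seed is the RFC 6238 reference value, used here as a constructed demo secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 6238 reference seed (ASCII "12345678901234567890").
RFC6238_SEED = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step (30 s by default)."""
    return hotp(key, unix_time // step, digits, algo)


def current_code(key: bytes) -> str:
    """What an authenticator plugin shows right now for this secret."""
    return totp(key, int(time.time()))


def secret_from_base32(s: str) -> bytes:
    """Authenticator apps receive the secret as base32, often lower-case, spaced, unpadded."""
    s = s.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify_totp(key: bytes, submitted: str, unix_time: int, last_used_step: int,
                step: int = 30, digits: int = 6, window: int = 1):
    """Server-side check. Accepts +/- `window` steps for clock drift, but never a step
    at or before the last accepted one, so a code captured in transit cannot be replayed.
    Returns (accepted, new_last_used_step)."""
    current = unix_time // step
    for delta in range(-window, window + 1):
        t = current + delta
        if t <= last_used_step:
            continue  # already consumed (or older than the consumed step): reject
        if hmac.compare_digest(hotp(key, t, digits), submitted):
            return True, t
    return False, last_used_step
```

Note that this only protects the code itself; it does nothing against the adversary-in-the-middle proxy in the article, which relays the code and takes the resulting session cookie.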