https://www.theregister.com/2023/12/14/moneygrubbing_crooks_abuse_oauth_apps
"Multiple miscreants are misusing OAuth to automate financially
motivated cyber crimes – such as business email compromise (BEC),
phishing, large-scale spamming campaigns – and deploying virtual
machines to illicitly mine for cryptocurrencies, according to Microsoft."
"one cyber crime crew [snip] used a compromised account to create an
OAuth application and deploy VMs for crypto mining, while also racking
up between $10,000 and $1.5 million in Azure compute fees."
"A different cybercrime gang [snip] abused OAuth applications for a
massive spamming campaign after compromising email accounts with
password spraying. Most of the compromised accounts did not have
multi-factor authentication enabled."
"in yet another case of using compromised accounts to create OAuth applications, [snip] an unnamed criminal launched a phishing campaign,
sending 'a significant number of emails' to multiple organizations."
The phishing e-mails contain several easily recognized subject lines:
<quote>
* <Username> shared “<Username> contracts” with you.
* <Username> shared “<User domain>” with you.
* OneDrive: You have received a new document today
* <Username> Mailbox password expiry
* Mailbox password expiry
* <Username> You have Encrypted message
* Encrypted message received
</quote>
"The emails contained a malicious URL leading to an attacker-controlled
proxy service that sits between the victim and the legitimate Microsoft
sign-in page. This type of man-in-the-middle or adversary-in-the-middle
attack allows the crooks to steal the token from the user's session cookie."
"These stolen tokens can then be abused for session cookie replay activity."
Seems OAuth isn't much better than user+passphrase over a secure connection.
The article recommends Multi-Factor Authentication (MFA) as a way of
mitigating. I recently had to do this with my github login.
Fortunately there is a simple 'TOTP' plugin (called 'TOTP' i.e. what it
says on the tin) for Firefox, and the command line token does not seem
to have changed. So, when I enter user/pass for github in a browser, I
get a new page to enter a code. I hit the TOTP button in the tool area
at the top, and click once on the code, then paste the text into the
login box. So all good. Had to jump through some minor hoops and do
head scratching to set it up, but now that it is set up, no problem.
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)
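The TOTP code the post enters after the GitHub password is RFC 6238: HMAC-SHA1 over the current 30-second time step, keyed with the base32 secret shared at enrolment. This is an added example, not code from the post or from the Firefox add-on; it assumes the common GitHub parameters (SHA1, 6 digits, 30 s) and uses the RFC 4226/6238 reference secret as a constructed test key. The verifier accepts one neighbouring window for clock skew, which is also why a real-time adversary-in-the-middle proxy of the kind the article describes can still relay a freshly typed code: TOTP stops replay of an old code and password spraying, not live relay, so phishing-resistant factors are the stronger answer to that attack.

```python
"""RFC 6238 TOTP generate/verify (added example; parameters are assumptions)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30     # seconds per time window (GitHub/Google default, assumed)
DIGITS = 6    # code length (assumed)

# RFC 4226/6238 reference secret "12345678901234567890", base32 as an
# authenticator app would receive it. Constructed test key, not a real one.
RFC_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamically truncated to `digits` decimal digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = STEP) -> str:
    """TOTP is HOTP with counter = floor(unix_time / step)."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // step)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None,
                window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` neighbours
    (clock skew); compare in constant time so timing does not leak digits."""
    now = int(time.time()) if at is None else at
    counter = now // STEP
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + drift), code)
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    # RFC 6238 Appendix B, SHA1, T=59: 94287082 (8 digits) -> 287082 (6 digits)
    print(totp(RFC_SECRET_B32, at=59))                              # 287082
    print(verify_totp(RFC_SECRET_B32, "287082", at=59))             # True
    print(verify_totp(RFC_SECRET_B32, "287082", at=59 + 3 * STEP))  # False: stale
```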