fraud

Multi-stage phishing that starts with real links

Kaspersky Lab experts detected a shifty scheme that allows fraudsters steal personal data without your login and password.

Marvin the Robot
June 4, 2015

Recently Kaspersky Lab experts have found a shifty method that allows fraudsters steal personal information without access to user’s login and password. The criminals don’t try to steal the victim’s credential — they act much smarter instead.

Victims receive email letters with request to follow the link to an official service and enter a new password; otherwise their account would be blocked. Surprisingly, the link actually leads to the developer’s website — for example, to the Windows Live website.

After authorization the victim receives a request for a range of permissions from an unknown application. Among other this range can include automatic login, access to profile information, contact list and the list of e-mail addresses. By assigning these rights we open access to our personal information to cyber criminals.

Then, unknown individuals secretly gather the information, presumably for fraudulent purposes. For example, they can use it to distribute spam or links leading to phishing or malicious sites.

How it works?

There is a useful but not perfectly secure protocol for authorization called OAuth, which allows users to open the limited access to their protected resources (contact lists, agenda and other personal information) without sharing their credentials. It is commonly used by applications for social networks if they need, e.g. access to users’ contact lists.

As apps for social networks also use OAuth, your Facebook account is not in safety as well. A malicious app can use access to user’s account to send spam and malicious files, as well as phishing links.

7 simple steps to avoiding Facebook #phishing attempts – https://t.co/Qj68bST6HQ pic.twitter.com/V6rinEa2jI

— Kaspersky Lab (@kaspersky) April 24, 2015

It has been a year since the leaky nature of OAuth was revealed. In the beginning of 2014 a student from Singapore had described possible techniques for stealing user data after authentication. However, this is the first time we see a phishing campaign used to put these techniques into practice.

What you can do to stay protected:

do not follow links received by e-mail or in private messages on social networks;
do not allow applications that you do not trust to access your data;
before you agree, carefully read the descriptions of the account access rights requested by the application;
read user reviews and feedbacks on the application on the Internet;
you can also view and cancel the rights of currently installed applications in account/profile settings of any social networking site or web service. We strongly recommend you to make this list as short as possible.

How to Protect your kids from Cyberbullying

We have worked together with child psychologists from across the globe to put together recommendations about how to support a victim of online bullying.

Privacy & Kids

TARGETED SECURITY SOLUTIONS

Multi-stage phishing that starts with real links

Is it the boss – or is it a fraudster? Scams disguised as urgent orders from top brass

Pig butchering: large-scale cryptocurrency fraud

How to Protect your kids from Cyberbullying

Tips

Advertisers sharing data about you with… intelligence agencies

Watch the (verified) birdie, or new ways to recognize fakes

Switching to Kaspersky: a step-by-step migration guide

Is it the boss – or is it a fraudster? Scams disguised as urgent orders from top brass

Sign up to receive our headlines in your inbox

Home Products

Small Business Products

Medium Business Products

Enterprise Solutions

Securelist

Eugene Personal Blog

Encyclopedia