Multi-stage phishing that starts with real links

Kaspersky Lab experts detected a shifty scheme that allows fraudsters steal personal data without your login and password.

Recently Kaspersky Lab experts have found a shifty method that allows fraudsters steal personal information without access to user’s login and password. The criminals don’t try to steal the victim’s credential — they act much smarter instead.

Victims receive email letters with request to follow the link to an official service and enter a new password; otherwise their account would be blocked. Surprisingly, the link actually leads to the developer’s website — for example, to the Windows Live website.


After authorization the victim receives a request for a range of permissions from an unknown application. Among other this range can include automatic login, access to profile information, contact list and the list of e-mail addresses. By assigning these rights we open access to our personal information to cyber criminals.

Then, unknown individuals secretly gather the information, presumably for fraudulent purposes. For example, they can use it to distribute spam or links leading to phishing or malicious sites.

How it works?

There is a useful but not perfectly secure protocol for authorization called OAuth, which allows users to open the limited access to their protected resources (contact lists, agenda and other personal information) without sharing their credentials. It is commonly used by applications for social networks if they need, e.g. access to users’ contact lists.

As apps for social networks also use OAuth, your Facebook account is not in safety as well. A malicious app can use access to user’s account to send spam and malicious files, as well as phishing links.

It has been a year since the leaky nature of OAuth was revealed. In the beginning of 2014 a student from Singapore had described possible techniques for stealing user data after authentication. However, this is the first time we see a phishing campaign used to put these techniques into practice.

What you can do to stay protected:

  • do not follow links received by e-mail or in private messages on social networks;
  • do not allow applications that you do not trust to access your data;
  • before you agree, carefully read the descriptions of the account access rights requested by the application;
  • read user reviews and feedbacks on the application on the Internet;
  • you can also view and cancel the rights of currently installed applications in account/profile settings of any social networking site or web service. We strongly recommend you to make this list as short as possible.