April 7, 2015
Researchers from Kaspersky Lab have uncovered a new phishing campaign aimed at users in Latin America that uses the offer of a subscription to the video streaming service Netflix as a hook. The email promises three months of free subscription; all the recipient has to do is complete the registration by clicking on a link provided in the fraudulent message. According to Kaspersky Lab analysts, the real goal of the campaign is to gain access to the data in the victim’s Outlook or Hotmail account.
“This type of attack is very peculiar since it does not involve stealing usernames or passwords and it is not a cryptographic attack either. The threat in this case is known as an Open Redirect type attack”, explains Roberto Martínez, security analyst at Kaspersky Lab.
The basic idea is that the attacker registers an application that uses the account provider’s OAuth API, supposedly to give the victim access to a program or service. The provider issues that application a token tied to an account the user already has with the provider. The same token then lets the attacker’s application read the victim’s information, such as profile details, contact information and email addresses, even when the user is not signed in to their account.
Applications that support OAuth never need to learn the username or password of the person connecting them to a service; instead they follow a process that, in this case, consists of three steps:
- The victim clicks on the link in the email to claim the three months of free subscription. When the linked page loads, the user is redirected to the site of the account provider they want to authenticate with, in this case Outlook or Hotmail. The catch is that the user lands on the provider’s authentic site, not on a fake one as is usually the case in phishing attacks, so the address bar and the certificate both look legitimate.
- The user then signs in with their credentials as instructed in the email, after which a consent screen appears summarising the accesses the supposed application is requesting, so that the user can authorise them.
- Once the user approves, the provider redirects the browser to the redirect URI of the malicious site, passing along the granted privileges together with the token for the user’s session. The malicious application can then use that token to access the victim’s information at any time, until the token expires or the grant is revoked.
The access permissions granted are the following:
- wl.signin – Single sign-on. Users who are already signed into their Outlook or Hotmail account are also signed into the supposed application.
- wl.basic – Read access to basic information of the user’s profile.
- wl.emails – Read access to personal, preferred and business email addresses.
- wl.contacts_emails – Read access to contacts’ email addresses.
That information is then sent to the malicious site named in the redirect_uri parameter of the authorization request: redirect_uri = http //
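The three-step flow and the scope list above can be checked mechanically from the link itself, because every field that matters (the provider host, the requested scopes, the response type and the redirect_uri that receives the token) is in the authorization URL before the victim ever clicks. The following Python is an added example, not Kaspersky’s code or any code from the campaign: it dissects such a link, reports what a responder would want to know, and shows what the attacker’s redirect_uri receives once the victim clicks “Yes”. The client_id, the callback host netflix-promo.example (an RFC 2606 reserved name) and the token value are constructed for the example; only the login.live.com endpoint and the wl.* scope names come from the real Live Connect service.

```python
# Added example (not Kaspersky's code): triage the OAuth authorization link
# carried by a consent-phishing email, then extract what the attacker's
# redirect_uri receives after the victim approves the grant.
from urllib.parse import urlparse, parse_qs

# Microsoft's (then) Live Connect authorization endpoint. The article's point is
# that the email link really goes here, not to a look-alike login page.
GENUINE_AUTHORIZE_HOST = "login.live.com"

# Scopes named in the article, plus the cloud-storage scope it warns about.
SCOPE_MEANING = {
    "wl.signin": "single sign-on into the application",
    "wl.basic": "read basic profile information",
    "wl.emails": "read the user's email addresses",
    "wl.contacts_emails": "read contacts' email addresses",
    "wl.skydrive": "read files in cloud storage",
}
SENSITIVE_SCOPES = ("wl.emails", "wl.contacts_emails", "wl.skydrive")

# Constructed sample: the kind of link the "3 months free" email carried.
# client_id and the redirect host are invented for this example.
PHISH_LINK = (
    "https://login.live.com/oauth20_authorize.srf"
    "?client_id=00000000DEADBEEF"
    "&scope=wl.signin%20wl.basic%20wl.emails%20wl.contacts_emails"
    "&response_type=token"
    "&redirect_uri=http%3A%2F%2Fnetflix-promo.example%2Fcallback"
)

# Constructed sample: the redirect the victim's browser performs after clicking "Yes".
CALLBACK = (
    "http://netflix-promo.example/callback"
    "#access_token=EwA...example...&token_type=bearer&expires_in=3600"
)


def parse_authorization_url(url):
    """Break an OAuth 2.0 authorization URL into the fields that matter for triage."""
    parts = urlparse(url)
    query = parse_qs(parts.query)

    def first(key):
        return query.get(key, [None])[0]

    return {
        "host": (parts.hostname or "").lower(),
        "client_id": first("client_id"),
        "response_type": first("response_type"),
        "scopes": (first("scope") or "").split(),
        "redirect_uri": first("redirect_uri"),
    }


def triage_link(url, trusted_redirect_hosts):
    """Return findings about a consent request; trusted_redirect_hosts is an allow-list."""
    info = parse_authorization_url(url)
    findings = []
    if info["host"] != GENUINE_AUTHORIZE_HOST:
        findings.append("login page is NOT the genuine provider: classic credential phishing")
        return findings
    findings.append("login page is the genuine provider; the password is safe, the grant is the risk")
    redirect_host = (urlparse(info["redirect_uri"] or "").hostname or "").lower()
    if redirect_host not in trusted_redirect_hosts:
        findings.append(f"token will be delivered to untrusted redirect_uri host: {redirect_host}")
    if info["response_type"] == "token":
        findings.append("implicit grant: the access token itself is sent to redirect_uri")
    for scope in info["scopes"]:
        if scope in SENSITIVE_SCOPES:
            findings.append(f"sensitive scope requested: {scope} ({SCOPE_MEANING[scope]})")
    return findings


def token_from_redirect(redirect_url):
    """What the malicious site does: with response_type=token the token rides in the URL fragment."""
    fragment = parse_qs(urlparse(redirect_url).fragment)
    return fragment.get("access_token", [None])[0]


if __name__ == "__main__":
    for finding in triage_link(PHISH_LINK, {"outlook.com", "live.com"}):
        print("-", finding)
    print("attacker now holds token:", token_from_redirect(CALLBACK))
```

The allow-list passed to triage_link is the only policy input: in a mail gateway it would hold the callback hosts of applications the organisation has actually approved, so any authorization link whose redirect_uri points elsewhere is worth quarantining even though the link itself leads to the genuine login page.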
One of the key reasons this hoax succeeds is that some users are already familiar with this process and consider it normal, because they have signed in to other services through a third-party account before.
The impact can be greater still if the requested permissions include access to cloud storage: in that case the attacker also gains access to the victim’s photos and personal documents, and their privacy is gone.
“As in any case of phishing, at the slightest doubt it is very important to think twice before clicking on a link that comes from an email or social network and whose content is ‘too good to be true’,” warns Martínez. “In this as in many cases, one of the best preventive defenses is common sense.”
To avoid becoming a victim, follow these tips:
- Be wary of websites or applications that ask you to sign in through a third-party account using the OAuth protocol unless you are sure the request comes from a trusted source, and read the consent screen: it names the application and the permissions it is asking for.
- Periodically review which third-party applications have access to your accounts and revoke those you no longer use.
- Install tools that protect your internet browsing.