Multi-stage phishing that starts with real links

Kaspersky Lab experts detected a sly scheme that allows fraudsters to steal personal data without your login and password.


Recently, Kaspersky Lab experts have found a cunning method that lets fraudsters steal personal information without ever obtaining the user's login and password. The cyber criminals do not even try to steal the victim's credentials; they act much smarter than that.

Victims receive an email asking them to follow a link to an official service and set a new password, otherwise their account will be blocked. Surprisingly, the link really does lead to the developer's website, for example to the Windows Live site.


After logging in, the victim is presented with a request from an unknown application for a range of permissions. These can include automatic sign-in, access to profile information, the contact list and the list of e-mail addresses. By granting these rights, the user hands the cyber criminals access to their personal information.

The unknown individuals then quietly harvest that information, presumably for fraudulent purposes: for example, to distribute spam or links leading to phishing or malicious sites.

How does it work?

OAuth is a useful, but not perfectly secure, authorization protocol that lets users grant limited access to their protected resources (contact lists, calendar and other personal information) without sharing their credentials. It is commonly used by social-network applications that need, for example, access to a user's contact list.

Since social-network apps also use OAuth, your Facebook account is not safe either. A malicious app can use its access to a user's account to send spam, malicious files and phishing links.

The leaky nature of OAuth was revealed a year ago: in early 2014 a student from Singapore described possible techniques for stealing user data after authentication. However, this is the first time we have seen a phishing campaign put these techniques into practice.

What you can do to stay protected:

  • do not follow links received by e-mail or in private messages on social networks;
  • do not allow applications that you do not trust to access your data;
  • before you agree, carefully read the descriptions of the account access rights requested by the application;
  • read user reviews and feedback about the application on the Internet;
  • you can also view and cancel the rights of currently installed applications in the account or profile settings of any social network or web service; we strongly recommend keeping this list as short as possible.
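The two checks the article recommends, reading the requested access rights before you agree and pruning the list of already-authorized applications, can be put into code. The following is an added example written for this article, not Kaspersky's own tooling or any provider's API: it parses an OAuth 2.0 authorization link of the kind described above (a genuine provider host, an unknown client_id, a broad scope list and a redirect_uri on a third-party host) and scores it, then applies the same scope rules to a list of granted applications to suggest which ones to cancel. The provider host, client IDs, scope names, application names and idle-day counts are all constructed sample values, and the parameter names follow the standard OAuth 2.0 authorization request.

```python
"""Triage helper for OAuth consent links and granted-application lists.

Added example, not part of the original article. Everything below
(hosts, client IDs, scope names, app names) is constructed sample data.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Scopes that hand over more than a plain login: profile data, contacts,
# mail and standing (offline) access. Constructed names, loosely modelled
# on common provider vocabularies.
HIGH_RISK_SCOPES = {
    "profile": "read your profile information",
    "contacts.read": "read your contact list",
    "mail.read": "read your e-mail",
    "mail.send": "send e-mail as you",
    "offline_access": "keep access after you log out (refresh token)",
}

# Client IDs that have been reviewed and are allowed. Constructed.
KNOWN_CLIENTS = {"calendar-sync-1234", "photo-print-7777"}

# Constructed sample links. The first mimics the campaign described in the
# article: the host really is the provider's authorization endpoint, but the
# client is unknown, the scopes are broad and the redirect leaves the
# provider's domain. The second is a normal, narrowly scoped request.
SUSPICIOUS_URL = (
    "https://login.provider.example/oauth/authorize"
    "?client_id=a1b2c3d4-unknown&response_type=code"
    "&scope=profile%20contacts.read%20mail.read%20offline_access"
    "&redirect_uri=https%3A%2F%2Fprize-claim.example.net%2Fcb"
)
BENIGN_URL = (
    "https://login.provider.example/oauth/authorize"
    "?client_id=calendar-sync-1234&response_type=code&scope=calendar.read"
    "&redirect_uri=https%3A%2F%2Flogin.provider.example%2Fapps%2Fcalendar"
)


@dataclass
class ConsentReport:
    client_id: str
    known_client: bool
    risky_scopes: list
    redirect_offsite: bool
    verdict: str  # "allow", "review" or "deny"


def analyse_consent_url(url: str) -> ConsentReport:
    """Explain what an authorization link is really asking for."""
    link = urlparse(url)
    params = parse_qs(link.query)
    client_id = params.get("client_id", [""])[0]
    scopes = params.get("scope", [""])[0].replace(",", " ").split()
    redirect = urlparse(params.get("redirect_uri", [""])[0])
    provider_host = (link.hostname or "").lower()
    redirect_host = (redirect.hostname or "").lower()
    # A redirect outside the provider's domain delivers the authorization
    # code, and everything the scopes unlock, to a third party.
    redirect_offsite = bool(redirect_host) and not (
        redirect_host == provider_host
        or redirect_host.endswith("." + provider_host)
    )
    risky = [s for s in scopes if s in HIGH_RISK_SCOPES]
    known = client_id in KNOWN_CLIENTS
    if known:
        verdict = "review" if risky else "allow"
    else:
        verdict = "deny" if (risky or redirect_offsite) else "review"
    return ConsentReport(client_id, known, risky, redirect_offsite, verdict)


@dataclass
class Grant:
    """One row of the 'apps with access to your account' settings page."""
    app_name: str
    client_id: str
    scopes: list
    days_since_last_use: int


# Constructed sample of what such a settings page might list.
SAMPLE_GRANTS = [
    Grant("Calendar Sync", "calendar-sync-1234", ["calendar.read"], 3),
    Grant("Free Prize Checker", "a1b2c3d4-unknown",
          ["profile", "contacts.read", "mail.read", "offline_access"], 0),
    Grant("Old Photo Printer", "photo-print-7777", ["profile"], 400),
]


def grants_to_revoke(grants, max_idle_days: int = 90):
    """Return (app_name, reason) pairs worth cancelling to keep the list short."""
    result = []
    for g in grants:
        risky = [s for s in g.scopes if s in HIGH_RISK_SCOPES]
        if g.client_id not in KNOWN_CLIENTS and risky:
            result.append((g.app_name, "unreviewed app holding " + ", ".join(risky)))
        elif g.days_since_last_use > max_idle_days:
            result.append((g.app_name, f"unused for {g.days_since_last_use} days"))
    return result


if __name__ == "__main__":
    for url in (SUSPICIOUS_URL, BENIGN_URL):
        r = analyse_consent_url(url)
        print(r.verdict, r.client_id, [HIGH_RISK_SCOPES[s] for s in r.risky_scopes])
    for name, reason in grants_to_revoke(SAMPLE_GRANTS):
        print("revoke:", name, "-", reason)
```

The verdict logic deliberately treats an unknown client asking for high-risk scopes as a deny rather than a review: that combination is exactly the shape of the campaign above, and the legitimate-looking host of the link is not evidence in the application's favour. The idle-days rule on granted applications implements the article's closing advice that the list of authorized apps should be kept as short as possible.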