Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Privacy Security Government Media

Egypt Government Used Gmail Third-Party Apps To Phish Activists (zdnet.com) 16

An anonymous reader quotes a report from ZDNet: Members of Amnesty International say that Egyptian authorities are behind a recent wave of spear-phishing attacks that have targeted prominent local human rights defenders, media, and civil society organizations' staff. The attacks used a relatively new spear-phishing technique called "OAuth phishing," Amnesty experts said. OAuth phishing is when attackers aim to steal a user account's OAuth token instead of the account password. When a user grants a third-party app the right to access their account, the app receives an OAuth token instead of the user's password. These tokens work as authorization until the user revokes their access. Amnesty investigators said that in the recent spear-phishing campaign that targeted Egyptian activists, authorities created Gmail third-party apps through which they gained access to victim's accounts. Victims would receive an email that looked like a legitimate Gmail security alert. But when they clicked the link, they'd be redirected to a page where a third-party app would request access to their account. Once the victim granted the app access to their Gmail account, the user would be redirected to the account's legitimate security settings page where they'd be left to change their password. Even if the victim changes their password, at this point, the phishers would still have access to the account via the newly acquired OAuth token. The Amnesty International report says the spear-phishing campaign also targeted Yahoo, Outlook and Hotmail users.
This discussion has been archived. No new comments can be posted.

Egypt Government Used Gmail Third-Party Apps To Phish Activists

Comments Filter:
  • by rtb61 ( 674572 ) on Thursday March 07, 2019 @07:59PM (#58234826) Homepage

    Don't use Gmail it was designed to be mined, Google itself called Gmail and all email, Postcards, with ZERO, expectations of privacy or security. They mine everything they can get hold of, their focus and as it is their focus, security comes in no where, not even last, just a big ole zero, well, technically in 10 out of 10, it would be negative 10, as Gmail's primary function is not email but email data mining. Reality here, GMail, functioning as it is designed to function compared to snail mail, it is a travesty against humanity. Alphabet/Google should be ashamed but you get bet they are not beyond, bullshit public relations and marketing, designed to be mined. Help save people's lives, drop gmail and block gmail addresses, help to protect people from their own foolishness.

    • You could've saved yourself a lot of typing by stating that email, in general was never designed to be secure.

      Google mines, Yahoo sure as fuck mines, and I'm sure all the freebies mine. I'm also fairly certain outlook.com mines, even if you pay for your o365 sub.

      Use other means. There are other means, and always pay attention of what and where you click / tap / headbutt.

      I wonder how good modern crypto guys would be at cracking Enigma code that was made with a four-rotor machine, of whose settings you know

      • pcnsn gfpox zjvlj qupxr kblwd
        dtope zkvlg ngheo ahpwn ehrlt
        zgkoe qmelj bfpdh wyjvv bypru
        lbspa jyvxp ketgy pmpfk lxbyf
        jskqa cqlbb nbkey wirwv svjty
        mhgpg vgjat bzigo lguqj hhvfm
        tbudm bvjun orfrh zgfey vjpaj
        ydrkd oehym xprww

        Let's see some enterprising crypto crack that. I randomly swapped wheels, randomly wired the plugboard, randomly thumbed in the starting position.

Time is the most valuable thing a man can spend. -- Theophrastus

Working...