Egypt Government Used Gmail Third-Party Apps To Phish Activists (zdnet.com)
An anonymous reader quotes a report from ZDNet: Members of Amnesty International say that Egyptian authorities are behind a recent wave of spear-phishing attacks that have targeted prominent local human rights defenders, media, and civil society organizations' staff. The attacks used a relatively new spear-phishing technique called "OAuth phishing," Amnesty experts said. OAuth phishing is when attackers aim to steal a user account's OAuth token instead of the account password. When a user grants a third-party app the right to access their account, the app receives an OAuth token instead of the user's password. These tokens work as authorization until the user revokes their access. Amnesty investigators said that in the recent spear-phishing campaign that targeted Egyptian activists, authorities created Gmail third-party apps through which they gained access to victims' accounts. Victims would receive an email that looked like a legitimate Gmail security alert. But when they clicked the link, they'd be redirected to a page where a third-party app would request access to their account. Once the victim granted the app access to their Gmail account, the user would be redirected to the account's legitimate security settings page where they'd be left to change their password. Even if the victim changes their password, at this point, the phishers would still have access to the account via the newly acquired OAuth token. The Amnesty International report says the spear-phishing campaign also targeted Yahoo, Outlook and Hotmail users.
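An added example, not code from the ZDNet report or from Slashdot, that models the point above in Python: an OAuth grant is a credential separate from the password, so rotating the password leaves the app's access intact, and only reviewing and revoking the grant closes it. The account model and client ids are constructed placeholders, not Google's implementation.

```python
import hashlib
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    """One third-party app authorisation: an app id plus the scopes it was given."""
    client_id: str
    scopes: frozenset


class Account:
    """Toy account: a password hash and a separate table of OAuth grants (constructed model)."""

    def __init__(self, password: str):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(password)
        self.grants: dict[str, Grant] = {}  # access token -> Grant

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, password: str) -> bool:
        return secrets.compare_digest(self._hash(password), self._pw_hash)

    def authorize_app(self, client_id: str, scopes: set) -> str:
        """What the consent screen does: issue a token that lives independently of the password."""
        token = secrets.token_urlsafe(32)
        self.grants[token] = Grant(client_id, frozenset(scopes))
        return token

    def read_mail(self, token: str) -> bool:
        grant = self.grants.get(token)
        return grant is not None and "mail.read" in grant.scopes

    def change_password(self, new_password: str) -> None:
        """Rotates the password only; the grants table is untouched, which is the gap the report describes."""
        self._pw_hash = self._hash(new_password)

    def revoke_unrecognized(self, trusted_clients: set) -> list:
        """Defender step: drop every grant whose app id is not on the user's own allow-list."""
        revoked = [tok for tok, g in self.grants.items() if g.client_id not in trusted_clients]
        for tok in revoked:
            del self.grants[tok]
        return revoked


def simulate_campaign() -> tuple:
    """Returns (mail readable after password change, after revocation, legitimate login still works)."""
    acct = Account("original-passphrase")
    # Constructed scenario: the victim approves an unfamiliar app reached via a fake security alert.
    token = acct.authorize_app("unknown-app-client-id-placeholder", {"mail.read"})
    acct.change_password("fresh-passphrase")
    after_rotation = acct.read_mail(token)
    acct.revoke_unrecognized({"calendar-sync-client-id-placeholder"})
    after_revocation = acct.read_mail(token)
    return after_rotation, after_revocation, acct.login("fresh-passphrase")
```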
Re: (Score:3)
It is however a genius way to get access to the accounts. As people would see legitimate Google URLs the whole time and maybe not think about the access they're clicking away. Same as with Facebook or their peers. Let's hope people aren't stupid enough to not read what they're doing. Shit, what am I saying, we're talking about people after all.
GMAIL == BAD (Score:3)
Don't use Gmail. It was designed to be mined. Google itself called Gmail, and all email, postcards, with ZERO expectations of privacy or security. They mine everything they can get hold of; that is their focus, and as it is their focus, security comes in nowhere, not even last, just a big ole zero. Well, technically, in 10 out of 10 it would be negative 10, as Gmail's primary function is not email but email data mining. Reality here: Gmail, functioning as it is designed to function, compared to snail mail, is a travesty against humanity. Alphabet/Google should be ashamed, but you can bet they are not beyond bullshit public relations and marketing; designed to be mined. Help save people's lives: drop Gmail and block Gmail addresses, help to protect people from their own foolishness.
Re: (Score:3)
You could've saved yourself a lot of typing by stating that email, in general, was never designed to be secure.
Google mines, Yahoo sure as fuck mines, and I'm sure all the freebies mine. I'm also fairly certain outlook.com mines, even if you pay for your o365 sub.
Use other means. There are other means, and always pay attention to what and where you click / tap / headbutt.
I wonder how good modern crypto guys would be at cracking Enigma code that was made with a four-rotor machine, of whose settings you know
Re: (Score:2)
Let's see some enterprising crypto crack that. I randomly swapped wheels, randomly wired the plugboard, randomly thumbed in the starting position.
Re: (Score:2)
What is the problem, exactly?
Either you trollin', or you're not getting the obvious.
Evil Government (aren't they all? Every single one?) handcrafts apps specifically for the purpose of spear-phishing people it disagrees with.
What's the problem? The problem is user stupidity / ignorance / apathy. Stupidity can't be fixed, Ignorance's antidote is study and knowledge, and there's no fix for apathy (it's the opposite of love. The opposite of love isn't hate, it's apathy.)
So.. there it is. People should not blindly trust tech to keep