Slashdot Mirror


Egypt Government Used Gmail Third-Party Apps To Phish Activists (zdnet.com)

An anonymous reader quotes a report from ZDNet: Members of Amnesty International say that Egyptian authorities are behind a recent wave of spear-phishing attacks that have targeted prominent local human rights defenders, media, and civil society organizations' staff. The attacks used a relatively new spear-phishing technique called "OAuth phishing," Amnesty experts said. OAuth phishing is when attackers aim to steal a user account's OAuth token instead of the account password. When a user grants a third-party app the right to access their account, the app receives an OAuth token instead of the user's password. These tokens work as authorization until the user revokes their access. Amnesty investigators said that in the recent spear-phishing campaign that targeted Egyptian activists, authorities created Gmail third-party apps through which they gained access to victims' accounts. Victims would receive an email that looked like a legitimate Gmail security alert. But when they clicked the link, they'd be redirected to a page where a third-party app would request access to their account. Once the victim granted the app access to their Gmail account, the user would be redirected to the account's legitimate security settings page where they'd be left to change their password. Even if the victim changes their password, at this point, the phishers would still have access to the account via the newly acquired OAuth token. The Amnesty International report says the spear-phishing campaign also targeted Yahoo, Outlook and Hotmail users.
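The summary makes two points a defender should internalize: the consent page is a genuine provider page, so the URL host proves nothing, and a granted token outlives a password change until it is explicitly revoked. The following example is added here and is not code from ZDNet, Amnesty or Google. It first parses a consent URL (the `accounts.google.com/o/oauth2/v2/auth` endpoint and the `client_id`, `scope` and `redirect_uri` parameters are real; the sample URL, client id and redirect host are constructed) and flags broad mailbox scopes requested by an unknown client, then models a toy account to show that `change_password` leaves an issued token valid while `revoke_app` invalidates it. The `Account` class and the app name are assumptions made for the demonstration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qs
import secrets

# Real Gmail scope identifiers that grant access to the whole mailbox.
BROAD_MAIL_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.readonly",
}

# Constructed consent URL of the kind a phishing mail would link to. The host is
# the genuine Google endpoint; only the client_id and redirect_uri are the attacker's.
SAMPLE_CONSENT_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?response_type=code"
    "&client_id=000000-constructed.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb"
    "&scope=https%3A%2F%2Fmail.google.com%2F%20openid"
)


def inspect_consent_url(url: str, trusted_client_ids: set) -> dict:
    """Extract the parameters that matter before clicking Allow and flag a request
    for full-mailbox scopes from a client that is not on the allow-list."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    client_id = query.get("client_id", [""])[0]
    scopes = set(query.get("scope", [""])[0].split())  # scopes are space-separated
    redirect_uri = query.get("redirect_uri", [""])[0]
    broad = sorted(scopes & BROAD_MAIL_SCOPES)
    return {
        "host": parsed.netloc,          # expected to be accounts.google.com; not a signal
        "client_id": client_id,
        "redirect_uri": redirect_uri,   # where the authorization code is sent
        "broad_scopes": broad,
        "suspicious": bool(broad) and client_id not in trusted_client_ids,
    }


@dataclass
class Grant:
    app_id: str
    scopes: frozenset
    token: str
    revoked: bool = False


@dataclass
class Account:
    """Toy model of an account with OAuth grants (assumption, not a real provider)."""
    email: str
    password: str
    grants: dict = field(default_factory=dict)  # token -> Grant

    def consent(self, app_id: str, scopes) -> str:
        token = secrets.token_urlsafe(16)
        self.grants[token] = Grant(app_id, frozenset(scopes), token)
        return token

    def change_password(self, new_password: str) -> None:
        self.password = new_password  # grants are deliberately untouched, as in real OAuth

    def revoke_app(self, app_id: str) -> int:
        revoked = [g for g in self.grants.values() if g.app_id == app_id and not g.revoked]
        for g in revoked:
            g.revoked = True
        return len(revoked)

    def access_with_token(self, token: str) -> bool:
        grant = self.grants.get(token)
        return grant is not None and not grant.revoked


def risky_grants(account: Account, trusted_apps: set) -> list:
    """Defender check: live grants holding broad mailbox scopes for apps not on the allow-list."""
    return sorted(g.app_id for g in account.grants.values()
                  if not g.revoked and g.app_id not in trusted_apps
                  and g.scopes & BROAD_MAIL_SCOPES)


def demo() -> tuple:
    """Walk through the sequence in the report: consent, password change, revocation."""
    acct = Account("activist@example.org", "initial-password")  # constructed account
    token = acct.consent("mail-alert-helper", ["https://mail.google.com/"])  # constructed app name
    before = acct.access_with_token(token)
    acct.change_password("a-new-password")
    after_password_change = acct.access_with_token(token)   # still True
    flagged = risky_grants(acct, trusted_apps={"calendar-sync"})
    acct.revoke_app("mail-alert-helper")
    after_revoke = acct.access_with_token(token)            # now False
    return before, after_password_change, flagged, after_revoke


if __name__ == "__main__":
    print(inspect_consent_url(SAMPLE_CONSENT_URL, trusted_client_ids=set()))
    print(demo())
```

The point of `risky_grants` is that the response to a consent phish is to audit and revoke third-party access, not only to rotate the password; `inspect_consent_url` is the check a user or help desk can run on a link before anyone clicks Allow.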

16 comments

  1. Hence by Anonymous Coward · · Score: 0

    Intelligent activists or anyone really have never used gmail or oauth

    1. Re:Hence by Anonymous Coward · · Score: 0

      Bingo checkmate bullseye. You nailed it.

    2. Re: Hence by Anonymous Coward · · Score: 0

      Bin Laden did it. :rolleyes:

    3. Re:Hence by Highdude702 · · Score: 2

It is however a genius way to get access to the accounts, as people would see legitimate Google URLs the whole time and maybe not think about the access they're clicking away. Same as with Facebook or their peers. Let's hope people aren't stupid enough to not read what they're doing. Shit, what am I saying, we're talking about people after all.

2. Re: Mumbo-jumbo financial BS for maths majors by Anonymous Coward · · Score: 0

    Good thing that everybody on slashdot is better than average! I know I am, and everyone claims to be!

  3. GMAIL == BAD by rtb61 · · Score: 2

Don't use Gmail, it was designed to be mined. Google itself called Gmail and all email "postcards," with ZERO expectations of privacy or security. They mine everything they can get hold of, that is their focus, and as it is their focus, security comes in nowhere, not even last, just a big ole zero; well, technically in 10 out of 10, it would be negative 10, as Gmail's primary function is not email but email data mining. Reality here: GMail, functioning as it is designed to function compared to snail mail, is a travesty against humanity. Alphabet/Google should be ashamed, but you can bet they are not beyond bullshit public relations and marketing, designed to be mined. Help save people's lives, drop gmail and block gmail addresses, help to protect people from their own foolishness.

    --
Chaos - everything, everywhere, everywhen

    1. Re:GMAIL == BAD by TigerPlish · · Score: 2

You could've saved yourself a lot of typing by stating that email, in general, was never designed to be secure.

      Google mines, Yahoo sure as fuck mines, and I'm sure all the freebies mine. I'm also fairly certain outlook.com mines, even if you pay for your o365 sub.

Use other means. There are other means, and always pay attention to what and where you click / tap / headbutt.

I wonder how good modern crypto guys would be at cracking Enigma code that was made with a four-rotor machine, whose settings you know nothing of, and without the same bonehead mistakes made before.

      Postcards that read YNXKA UXLWO WXOPM .... flooding the mails. I can see that.

      --
The "Civilized World" jumped the shark ca. 1973.

    2. Re:GMAIL == BAD by TigerPlish · · Score: 1

      pcnsn gfpox zjvlj qupxr kblwd
      dtope zkvlg ngheo ahpwn ehrlt
      zgkoe qmelj bfpdh wyjvv bypru
      lbspa jyvxp ketgy pmpfk lxbyf
      jskqa cqlbb nbkey wirwv svjty
      mhgpg vgjat bzigo lguqj hhvfm
      tbudm bvjun orfrh zgfey vjpaj
      ydrkd oehym xprww

      Let's see some enterprising crypto crack that. I randomly swapped wheels, randomly wired the plugboard, randomly thumbed in the starting position.

      --
The "Civilized World" jumped the shark ca. 1973.

  4. Re:Mumbo-jumbo financial BS for maths majors by Anonymous Coward · · Score: 0

CNBC is reporting that "US households see biggest decline in net worth since the financial crisis"
    https://www.cnbc.com/2019/03/0...
    The fall amounted to a drop of 3.4 percent.

And the Beeb yesterday reported that the US trade deficit is now the highest it has been in the past 10 years.

    Wonder why CNN, CNBC, Fox, et al did not report this, at least not in the front page. Probably buried way back, behind the obits and the "buy turnips" ads.

    https://www.bbc.com/news/busin...

  5. So ... by Anonymous Coward · · Score: 0

Let me get this straight. A third-party app was created that requested access to a gmail account. E-Mail messages were sent out requesting that people grant these third-party apps access to their gmail account. The user granted the third party access to their gmail account. What is the problem, exactly?

    1. Re:So ... by TigerPlish · · Score: 1

      What is the problem, exactly?

      Either you trollin', or you're not getting the obvious.

      Evil Government (aren't they all? Every single one?) handcrafts apps specifically for the purpose of spear-phishing people it disagrees with.

What's the problem? The problem is user stupidity / ignorance / apathy. Stupidity can't be fixed, ignorance's antidote is study and knowledge, and there's no fix for apathy (it's the opposite of love. The opposite of love isn't hate, it's apathy.)

      So.. there it is. People should not blindly trust tech to keep them safe.

      --
The "Civilized World" jumped the shark ca. 1973.

  6. But they *self-identify* as secure by Anonymous Coward · · Score: 0

And we all know security is a social construct, created by the Male Patriarchy to disenfranchise the workers. Just remember our anthem!

    "This is the final struggle.
    Let us group together and tomorrow.
    The Internationale
    Will be the human race."

  7. My Feet! by Anonymous Coward · · Score: 0

    civil society organizations' staff

    So they accidentally targeted their own government?

  8. OAuth is for Security Wonks Not Ordinary Users by Anonymous Coward · · Score: 0

    When you give a tool like OAuth to ordinary users they will just "click yes to continue" whenever some app asks them to. At least when they have to enter their password manually they have some idea in the back of their mind that maybe they shouldn't be doing that. A tool like OAuth that accepts tokens granted by the user to third parties in lieu of username and password is practically designed to snooker users.