Egypt Government Used Gmail Third-Party Apps To Phish Activists (zdnet.com)
An anonymous reader quotes a report from ZDNet: Members of Amnesty International say that Egyptian authorities are behind a recent wave of spear-phishing attacks that have targeted prominent local human rights defenders, media, and civil society organizations' staff. The attacks used a relatively new spear-phishing technique called "OAuth phishing," Amnesty experts said. OAuth phishing is when attackers aim to steal a user account's OAuth token instead of the account password. When a user grants a third-party app the right to access their account, the app receives an OAuth token instead of the user's password. These tokens work as authorization until the user revokes their access. Amnesty investigators said that in the recent spear-phishing campaign that targeted Egyptian activists, authorities created Gmail third-party apps through which they gained access to victims' accounts. Victims would receive an email that looked like a legitimate Gmail security alert. But when they clicked the link, they'd be redirected to a page where a third-party app would request access to their account. Once the victim granted the app access to their Gmail account, the user would be redirected to the account's legitimate security settings page, where they'd be left to change their password. Even if the victim changes their password at this point, the phishers would still have access to the account via the newly acquired OAuth token. The Amnesty International report says the spear-phishing campaign also targeted Yahoo, Outlook and Hotmail users.
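The defender-side counterpart to the technique described above is auditing which third-party apps have been granted mail access, since a password change alone does not invalidate an existing OAuth grant. The following is an added example, not code from the report or from Google: it scans constructed, simplified records in the spirit of Google Workspace "token" audit events (the flattened field names, client ids and app names are assumptions for this example; only the scope URLs are Google's real Gmail scopes) and flags grants of mail scopes to apps that are not on an allow list.

```python
import json

# Gmail scopes that let a third-party app read or modify mail. A grant of
# any of these to an unexpected app is the foothold the campaign relies on.
MAIL_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
}

# Constructed sample events (NOT real log data). The flat shape with
# actor / event / app_name / client_id / scope is an assumption made for
# this example; real Reports API records nest these as parameters.
SAMPLE_EVENTS = json.loads("""[
 {"actor": "ana@example.org", "event": "authorize",
  "app_name": "Gmail Security Alerts", "client_id": "made-up-111",
  "scope": ["https://mail.google.com/"]},
 {"actor": "ana@example.org", "event": "authorize",
  "app_name": "Calendar Sync", "client_id": "made-up-222",
  "scope": ["https://www.googleapis.com/auth/calendar.readonly"]},
 {"actor": "bo@example.org", "event": "authorize",
  "app_name": "Team Mail Client", "client_id": "approved-333",
  "scope": ["https://www.googleapis.com/auth/gmail.modify"]},
 {"actor": "bo@example.org", "event": "revoke",
  "app_name": "Gmail Security Alerts", "client_id": "made-up-111",
  "scope": ["https://mail.google.com/"]}
]""")

# Client ids the organisation has vetted (constructed value).
ALLOWED_CLIENT_IDS = {"approved-333"}


def flag_suspicious_grants(events, allowed_client_ids):
    """Return (actor, app_name, client_id) for every 'authorize' event that
    grants a mail scope to a client id outside the allow list. Revoke
    events are ignored: they remove access rather than grant it."""
    flagged = []
    for ev in events:
        if ev.get("event") != "authorize":
            continue
        if ev.get("client_id") in allowed_client_ids:
            continue
        if MAIL_SCOPES & set(ev.get("scope", [])):
            flagged.append((ev["actor"], ev["app_name"], ev["client_id"]))
    return flagged


if __name__ == "__main__":
    for actor, app, cid in flag_suspicious_grants(SAMPLE_EVENTS, ALLOWED_CLIENT_IDS):
        print(f"review and revoke: {actor} granted mail access to {app!r} ({cid})")
```

Each flagged grant is one the account owner or admin should revoke from the account's third-party access settings, since changing the password leaves the token valid.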
Don't use Gmail; it was designed to be mined. Google itself called Gmail and all email "postcards", with ZERO expectations of privacy or security. They mine everything they can get hold of; that is their focus, and as it is their focus, security comes in nowhere, not even last, just a big ole zero. Well, technically, on a scale of 10 out of 10, it would be negative 10, as Gmail's primary function is not email but email data mining. Reality here: Gmail, functioning as it is designed to function, compared to snail mail, is a travesty against humanity. Alphabet/Google should be ashamed, but you can bet they are not beyond bullshit public relations and marketing; it is designed to be mined. Help save people's lives, drop Gmail and block Gmail addresses, and help to protect people from their own foolishness.
Chaos - everything, everywhere, everywhen
It is, however, a genius way to get access to the accounts, as people would see legitimate Google URLs the whole time and maybe not think about the access they're clicking away. Same as with Facebook or their peers. Let's hope people aren't stupid enough to not read what they're doing. Shit, what am I saying, we're talking about people after all.