Egyptian authorities allegely behind ‘OAuth phishing’ attacks targeting human rights defenders

• Egyptian authorities are behind the spear phishing attacks that target Egyptian human rights defenders, media, and civil society organization staffs.
• The authorities are using a new spear-phishing technique called ‘OAuth phishing’.

Researchers from Amnesty International noted that Egyptian authorities are behind the recent spear phishing attacks that target Egyptian human rights defenders, media, and civil society organization staffs.

What is OAuth phishing?

The authorities are using a new spear-phishing technique called ‘OAuth phishing’. In ‘OAuth phishing attack, attackers target user account’s OAuth token instead of passwords. For which, the authorities have created Gmail third-party apps.

When a user grants a third-party app the right to access the account, the app receives an OAuth token instead of passwords. Egyptian authorities are using third-party apps to compromise the victim’s accounts.

How does OAuth phishing work?

• Egyptian authorities send phishing emails disguised a security warning from Google to the human right defenders and other civil society staffs.
• These emails urge recipients to update email security settings by clicking on the ‘Update my security now’ button.
• Upon clicking on the button, users are redirected to a phishing third-party app named ‘Secure Mail’ which initiates the OAuth authorization process.
• Users are then asked to grant the ‘Secure Mail’ third-party app access to Gmail account.
• Once users grant access to the third-party app by clicking on the ‘Allow’ button, attackers will be able to gain access to the victims’ account.
• Users are then directed to the legitimate Google account settings page.

Amnesty International experts revealed that these spear-phishing attacks weren't limited to Gmail alone, but Yahoo, Outlook, and Hotmail users were also targeted.

“OAuth Phishing can be tricky to identify. Often, security education for individuals at risk does not include mentions of this particular technique. People are usually trained to respond to phishing by looking for suspicious domains in the browser's address bar and by enabling two-factor verification. While those are very useful and important safety practices to adopt, they would not help with OAuth phishing because victims are in fact authenticating directly through the legitimate site,” Amnesty International said.