Money-grubbing crooks abuse OAuth – and baffling absence of MFA – to do financial crimes

Multiple miscreants are misusing OAuth to automate financially motivated cyber crimes – such as business email compromise (BEC), phishing, large-scale spamming campaigns – and deploying virtual machines to illicitly mine for cryptocurrencies, according to Microsoft. OAuth, short for Open Authorization, is an open standard for …

  1. Victor Ludorum

    Can someone cleverer than me...

    Please explain how MFA would stop this. They're capturing session cookies/tokens through a proxy/relay. Even if MFA is enabled the victim could unwittingly use MFA to log in to the account and the MITM relay/proxy would still capture the cookie/token?

    1. John.B

      Re: Can someone cleverer than me...

      Definitely not claiming to be cleverer.

      My simple understanding is that MFA should be on for your Azure admin accounts, so the bad guys can't log in, set up OAuth, and don't let everyone approve apps in Azure.

      If we have more to it than that can someone shout out.

    2. MatthewSt Silver badge

      Re: Can someone cleverer than me...

      You use other signals to determine if the sign-in is legitimate, combined with reauthentication to perform privileged operations.

      For example you can require that users only sign in on devices that have been registered with IT. This installs a certificate which is used as another factor.

      Sadly some of these features are only available on the more expensive tiers.

  2. Decimal5446

    Session token binding needs to be the norm. The session token needs to have baked in info about the device so replay cannot happen. Fingers crossed this becomes the norm as time goes on.
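    As an added illustration of the device-binding idea in the comment above (example code, not from the commenter or from Microsoft): a toy server issues a session token that carries a thumbprint of the registering device's key, and accepts a request only when it comes with a per-request proof computed with that key, so a token captured through a relay cannot be replayed from another device. The device key is modelled as a shared HMAC secret (an assumption standing in for a hardware-held key); SERVER_KEY, DEVICE_SECRETS and the device/user names are constructed.

```python
import base64, hashlib, hmac, json, os, secrets

SERVER_KEY = secrets.token_bytes(32)   # constructed: server's token-signing key
DEVICE_SECRETS = {}                    # device_id -> secret; stands in for a hardware-held device key

def register_device(device_id: str) -> bytes:
    """Simulate device registration; in a real deployment the key never leaves the device."""
    secret = secrets.token_bytes(32)
    DEVICE_SECRETS[device_id] = secret
    return secret

def issue_token(user: str, device_id: str) -> str:
    """Issue a session token whose payload is bound to the device's key thumbprint ("cnf")."""
    thumb = hashlib.sha256(DEVICE_SECRETS[device_id]).hexdigest()
    payload = json.dumps({"sub": user, "dev": device_id, "cnf": thumb}, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(tag).decode()

def prove_possession(token: str, nonce: str, device_secret: bytes) -> str:
    """Client side: a per-request proof over token and nonce; needs the device secret, not just the token."""
    return hmac.new(device_secret, (token + nonce).encode(), hashlib.sha256).hexdigest()

def verify_request(token: str, nonce: str, proof: str) -> bool:
    """Server side: check the token's signature, then the proof against the device the token is bound to."""
    try:
        p_b64, t_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(p_b64)
        tag = base64.urlsafe_b64decode(t_b64)
    except (ValueError, TypeError):
        return False
    if not hmac.compare_digest(tag, hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()):
        return False                                  # forged or tampered token
    claims = json.loads(payload)
    secret = DEVICE_SECRETS.get(claims.get("dev"))
    if secret is None or hashlib.sha256(secret).hexdigest() != claims.get("cnf"):
        return False                                  # token not bound to a known device
    expected = hmac.new(secret, (token + nonce).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, proof)       # replay without the device key fails here

def demo() -> tuple:
    """Legitimate device succeeds; an attacker replaying the captured token from another device fails."""
    dev_secret = register_device("laptop-01")
    token = issue_token("alice", "laptop-01")
    nonce = os.urandom(8).hex()
    ok = verify_request(token, nonce, prove_possession(token, nonce, dev_secret))
    attacker_secret = secrets.token_bytes(32)         # has the stolen token, not laptop-01's key
    replay = verify_request(token, nonce, prove_possession(token, nonce, attacker_secret))
    return ok, replay
```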

  3. Michael Wojcik Silver badge

    racking up between $10,000 and $1.5 million in Azure compute fees

    Between 10^4 and 10^6? Really narrowed the range down there, Microsoft. I think that qualifies as a wild-ass guess.

  4. pc-fluesterer.info

    OAuth is broken by design

    Yes, a single sign-in is convenient. But it is inherently unsafe, too. I for one would never use it.

    I use a password manager which automatically inputs my credentials into the appropriate website or application, and I use 2FA (TOTP) wherever possible.
