Consent phishing: How attackers abuse OAuth 2.0 permissions to dupe users

When cybercrime historians look back on the first half of the 21st century, they will undoubtedly point to phishing as the most successful, and therefore the most prevalent, technique used to circumvent security. One reason for this success is the ability of the criminals behind phishing to keep working out novel variations on the technique. The latest of these is ‘consent phishing.’

What is consent phishing?

To understand consent phishing, you need to understand the mechanisms it relies on, namely:

The user’s urge to click
The OAuth 2.0 protocol

The urge to click

Cybercriminals put the human factor to great effect in social engineering. We computer users are trained to use the internet by clicking links: click the link to get to the next stage of whatever you were trying to do. One modern click-to-proceed step we are all familiar with is the ‘click to consent.’

Consent-to-login and data-sharing boxes are a mainstay across a wide range of consumer and corporate apps, from Google to Facebook to Office 365 and beyond. Behind the consent box lies the standard
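As an added example (not code from the original article), the Python script below parses the OAuth 2.0 authorization request that sends a user to the consent box, and flags any requested scopes that would give the app durable or broad access to the user's data. The parameter names are those of RFC 6749; the sample URLs, the client_id and the list of scopes treated as sensitive are constructed for illustration, while the scope names themselves are OpenID Connect and Microsoft Graph permission names.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: an OAuth 2.0 authorization request of the kind a consent
# box is rendered from. Host, client_id and redirect_uri are made up.
SAMPLE_AUTH_URL = (
    "https://login.example-idp.test/oauth2/v2.0/authorize"
    "?client_id=00000000-1111-2222-3333-444444444444"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback"
    "&scope=openid%20profile%20offline_access%20Mail.Read%20Files.ReadWrite.All"
    "&state=abc123"
)

# Constructed sample of a request that only asks for sign-in and basic profile.
BENIGN_AUTH_URL = (
    "https://login.example-idp.test/oauth2/v2.0/authorize"
    "?client_id=55555555-6666-7777-8888-999999999999"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback"
    "&scope=openid%20profile%20User.Read"
    "&state=xyz789"
)

# Scopes that grant an app persistent or broad access. Which scopes count as
# sensitive is an assumption for this example, not part of any standard.
SENSITIVE_SCOPES = {
    "offline_access": "refresh token: access persists after the user signs out",
    "Mail.Read": "read all of the user's mail",
    "Mail.ReadWrite": "read and modify the user's mail",
    "Files.ReadWrite.All": "read and write every file the user can reach",
    "Directory.AccessAsUser.All": "act as the user against the directory",
}


def parse_authorization_request(url: str) -> dict:
    """Extract the RFC 6749 parameters a consent screen is built from."""
    query = parse_qs(urlsplit(url).query)
    params = {name: values[0] for name, values in query.items()}
    # RFC 6749 section 3.3: scope is a space-delimited list of scope tokens.
    params["scopes"] = params.get("scope", "").split()
    return params


def render_consent_prompt(url: str) -> str:
    """Approximate the text a user sees on the consent box for this request."""
    p = parse_authorization_request(url)
    lines = [f"App {p.get('client_id')} wants to:"]
    for scope in p["scopes"]:
        lines.append(f"  - {SENSITIVE_SCOPES.get(scope, scope)}")
    return "\n".join(lines)


def assess_consent_request(url: str) -> dict:
    """Flag a consent request that asks for sensitive scopes."""
    p = parse_authorization_request(url)
    flagged = {s: SENSITIVE_SCOPES[s] for s in p["scopes"] if s in SENSITIVE_SCOPES}
    return {
        "client_id": p.get("client_id"),
        "redirect_uri": p.get("redirect_uri"),
        "scopes": p["scopes"],
        "flagged": flagged,
        "risky": bool(flagged),
    }


if __name__ == "__main__":
    for url in (SAMPLE_AUTH_URL, BENIGN_AUTH_URL):
        print(render_consent_prompt(url))
        print("risky:", assess_consent_request(url)["risky"], "\n")
```

The point of the check is that the consent box shows a user-friendly description of each scope while the authorization URL carries the exact permission list; reading the `scope` parameter directly is how an analyst or an admin policy can tell a plain sign-in request from one that asks for persistent mailbox and file access.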
