Money-grubbing crooks abuse OAuth – and baffling absence of MFA – to do financial crimes
2023-12-14 11:03

OAuth is an especially appealing target for criminals in cases where compromised accounts don't have strong authentication in place, and user permissions allow them to create or modify OAuth applications.

In a threat intel report, Microsoft details one cybercrime crew, tracked as Storm-1283, that used a compromised account to create an OAuth application and deploy VMs for crypto mining, while also racking up between $10,000 and $1.5 million in Azure compute fees.

The crew also took advantage of other OAuth applications that the compromised user could access, and added new credentials to those apps to expand its mining capabilities.

A different cybercrime gang, Storm-1286, abused OAuth applications for a massive spamming campaign after compromising email accounts with password spraying.

The criminals used compromised accounts to create additional OAuth applications using Azure PowerShell or a Swagger Codegen-based client.

In yet another case of using compromised accounts to create OAuth applications, Redmond revealed that an unnamed criminal launched a phishing campaign, sending "a significant number of emails" to multiple organizations.
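The pattern common to these cases (an account signed in without MFA creates an OAuth application or adds credentials to an existing one, and the application then deploys compute) can be checked for by correlating audit events. The following is an added example, not code from the article or from Microsoft's report; the event schema, action names, accounts and application names are constructed for illustration and do not match any real audit log export.

```python
# Constructed sample events in a simplified, hypothetical schema
# (not the export format of any real audit log).
EVENTS = [
    {"time": "2023-12-01T09:00:00", "actor": "alice@example.test", "action": "signin", "mfa": True},
    {"time": "2023-12-01T09:05:00", "actor": "alice@example.test", "action": "app_created", "target": "hr-portal"},
    {"time": "2023-12-01T10:00:00", "actor": "bob@example.test", "action": "signin", "mfa": False},
    {"time": "2023-12-01T10:02:00", "actor": "bob@example.test", "action": "app_created", "target": "app-7f3a"},
    {"time": "2023-12-01T10:04:00", "actor": "bob@example.test", "action": "credential_added", "target": "billing-sync"},
    {"time": "2023-12-01T10:30:00", "actor": "app-7f3a", "action": "vm_deployed", "target": "vm-01"},
    {"time": "2023-12-01T11:00:00", "actor": "hr-portal", "action": "vm_deployed", "target": "vm-02"},
    {"time": "2023-12-01T12:00:00", "actor": "bob@example.test", "action": "signin", "mfa": True},
    {"time": "2023-12-01T12:05:00", "actor": "bob@example.test", "action": "app_created", "target": "reports"},
]

# Hypothetical action names for "create an OAuth app" and "add a secret/cert to an app".
APP_CHANGES = {"app_created", "credential_added"}


def find_suspicious_app_activity(events):
    """Flag OAuth app changes made from a sign-in without MFA, and any
    VM deployment later performed by an application touched that way."""
    mfa_state = {}        # user -> MFA result of that user's most recent sign-in
    tainted_apps = set()  # apps created or re-credentialed from a non-MFA session
    alerts = []
    # ISO 8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["time"]):
        actor, action, target = ev["actor"], ev["action"], ev["target"] if "target" in ev else None
        if action == "signin":
            mfa_state[actor] = ev["mfa"]
        elif action in APP_CHANGES and mfa_state.get(actor) is False:
            # Users with no recorded sign-in (None) are not flagged here;
            # a real pipeline would treat missing sign-in data separately.
            tainted_apps.add(target)
            alerts.append((ev["time"], actor, action, target))
        elif action == "vm_deployed" and actor in tainted_apps:
            alerts.append((ev["time"], actor, action, target))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_app_activity(EVENTS):
        print(" | ".join(alert))
```
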


News URL

https://go.theregister.com/feed/www.theregister.com/2023/12/14/moneygrubbing_crooks_abuse_oauth_apps/