OAuth Phishing Campaign Mimics Spotify Using "Profit" Platform
Cyber News - Erez Dasa reports on a new phishing campaign that abuses the "Profit" platform to impersonate Spotify. The emails originate from a "Profit" domain but direct users to a lookalike Spotify site. The goal is to trick users into granting third-party applications access to their official Spotify accounts via OAuth consent phishing. This attack vector leverages legitimate authorization flows to gain unauthorized access.
This technique, OAuth consent phishing, is particularly insidious because it bypasses traditional credential checks. Users are not entering their passwords directly on a fake site; they are authorizing an application. Defenders must be vigilant about unexpected OAuth consent requests, even if they appear to originate from trusted services. Educating users on scrutinizing OAuth scopes and the legitimacy of the requesting application is paramount. The indicator provided, hxxps://premium-sp[.]co, highlights how attackers craft convincing, yet fraudulent, URLs.
Organizations should review their OAuth application access policies and educate users on the risks of granting broad permissions. Regularly auditing connected applications for user accounts can help identify and revoke unauthorized access. For security teams, monitoring for unusual OAuth consent requests originating from unexpected sources or domains is a critical detection point.
What This Means For You
- If your users have Spotify accounts, instruct them to immediately review all connected third-party applications for unauthorized access and revoke any suspicious entries. Audit your identity provider for unusual OAuth consent grants, especially those that don't align with standard business operations.
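The detection and audit points above (consent grants from unexpected publisher domains, and broad scopes) can be triaged from exported consent-grant events. The following is an added example, not code from the original write-up: it runs over a constructed sample of events whose field names, allow-list and scope list are assumptions, and flags grants where an app trades on a brand name while its publisher domain is not an approved domain for that brand, or where write-capable scopes are requested.

```python
import json

# Constructed sample of OAuth consent-grant events (not real logs). Field names are
# assumptions and do not match any particular identity provider's export format.
# The first publisher domain is the defanged indicator from the write-up, re-fanged.
SAMPLE_EVENTS = """\
{"user":"alice@example.com","app_name":"Spotify for Work","publisher_domain":"premium-sp.co","scopes":["user-read-email","playlist-modify-private","user-library-modify"],"ts":"2024-05-01T09:12:00Z"}
{"user":"bob@example.com","app_name":"Spotify","publisher_domain":"accounts.spotify.com","scopes":["user-read-email"],"ts":"2024-05-01T09:15:00Z"}
{"user":"carol@example.com","app_name":"Expense Tool","publisher_domain":"expenses.example.com","scopes":["profile"],"ts":"2024-05-01T10:00:00Z"}
"""

# Domains allowed to request consent in the name of a brand (assumed allow-list).
BRAND_DOMAINS = {"spotify": {"spotify.com"}}
# Scopes that grant write access and deserve extra scrutiny (assumed list).
BROAD_SCOPES = {"playlist-modify-private", "playlist-modify-public", "user-library-modify"}


def registrable(domain):
    """Reduce a host to its last two labels; sufficient for this example's inputs."""
    return ".".join(domain.lower().split(".")[-2:])


def triage(event):
    """Return the reasons a consent grant looks suspicious (empty list if none)."""
    reasons = []
    name = event["app_name"].lower()
    domain = registrable(event["publisher_domain"])
    for brand, allowed in BRAND_DOMAINS.items():
        # App name or domain invokes a brand, but the publisher is not that brand.
        if (brand in name or brand in domain) and domain not in allowed:
            reasons.append(f"app references {brand!r} but publisher {domain!r} is not approved for it")
    broad = sorted(set(event["scopes"]) & BROAD_SCOPES)
    if broad:
        reasons.append("broad scopes requested: " + ", ".join(broad))
    return reasons


def flag_consents(jsonl):
    """Parse newline-delimited consent events and return the ones needing review."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = triage(event)
        if reasons:
            findings.append({"user": event["user"], "app": event["app_name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_consents(SAMPLE_EVENTS):
        print(finding)
```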