CloudZ RAT hijacks Phone Link to steal your OTPs and credentials

Published on May 07, 2026 | Translated from Spanish

A new malicious campaign is abusing the Windows Phone Link feature to distribute the CloudZ RAT remote access trojan. The malware is designed to steal login credentials and OTP codes, defeating SMS-based two-factor authentication. The attack begins when the victim unknowingly authorizes a fraudulent mobile device to pair with their PC, which lets the attacker intercept text messages and notifications in real time.

[Image: A Windows interface shows a Phone Link alert with a fake mobile phone, while a red eye watches over stolen credentials and OTP codes.]

How the attack operates: Phone Link as an entry point 🚪

The attacker tricks the victim into scanning a fake QR code that mimics a legitimate Phone Link pairing request. Once the fraudulent device is linked, the malware gains access to every SMS notification, including OTP codes sent by banks and online services. CloudZ RAT also extracts credentials stored in the browser and active session data, so the attacker can bypass two-step verification without the user noticing the theft until it is too late.

The brilliant idea of giving a complete stranger access to your phone 🤦

Because nothing says security like cheerfully accepting a QR code sent in a random text message while browsing dubious websites. If you also use the same phone number for everything, from your bank to your Netflix account, congratulations: you have handed the attacker the keys to your digital life. And then we complain when our accounts are drained while we thought two-factor authentication was bulletproof.