The fake alerts trick users into authorizing a malicious OAuth application capable of a full account takeover.