
SouthBridge Consulting Blog

With Phishing Attacks Beating 2FA, You Need to Be Able to Spot Them

Unfortunately, one of the most effective defenses against phishing attacks has recently become a lot less dependable. That means you and your users must be ready to catch these attempts yourselves. Here, we review a few newer techniques that can be folded into a phishing attempt, and how you and your users can learn to identify them.

How Has Two-Factor Authentication (2FA) Been Defeated?

There are a few different methods attackers have used to get around the protection that 2FA is supposed to provide.

At the most basic level, some phishing attacks succeed simply by convincing the user to hand over both their password and the one-time 2FA code generated for that login. According to Amnesty International, one group of attackers has been sending phishing emails that link the recipient to a convincing, yet fake, page for resetting their Google password; the fake page then asks for the 2FA code as well. Emails like this can look very convincing, which makes the scheme that much more effective.

As Amnesty International investigated these attacks, they found that the attackers were also using automation to launch Chrome and submit whatever the victim typed, the moment it was typed. A time-based 2FA code is valid for its 30-second step (and most servers also accept the neighbouring step to allow for clock drift), so as long as the relay happens within seconds, the time limit is of no concern to the attacker.
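To see why the time limit does not help, here is an added example (written for this post, not code from Amnesty's report or from the attackers' tooling) that implements the RFC 6238 time-based code the way an authenticator app and a server both do, then models the relay: the victim types a code at one instant and the attacker's automation submits it to the real site a few seconds later. The seed is the RFC's published test key, used here as a constructed demo value, and the timestamps are made up.

```go
// Added example, not from the original post: RFC 6238 TOTP generation and
// verification, used to show why a code relayed to the real site within
// seconds is accepted even though a new code appears every 30 seconds.
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

const timeStep = 30 // seconds per TOTP step, the "30-second time limit"

// totp computes an RFC 6238 code (HMAC-SHA1) for unix time t.
func totp(secret []byte, t int64, digits int) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(t/timeStep))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation (RFC 4226 section 5.3)
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// verify mimics a typical server: the code is accepted for the current step
// or one step either side, to tolerate clock drift between phone and server.
func verify(secret []byte, code string, now int64, digits int) bool {
	for _, skew := range []int64{-timeStep, 0, timeStep} {
		if hmac.Equal([]byte(totp(secret, now+skew, digits)), []byte(code)) {
			return true
		}
	}
	return false
}

// relayAccepted models the phishing flow: the victim types the code into the
// fake page at typedAt; the attacker's automation submits it to the real site
// at submittedAt. It returns whether the real site accepts the code.
func relayAccepted(secret []byte, typedAt, submittedAt int64) bool {
	stolen := totp(secret, typedAt, 6) // the 6-digit code the victim read off their phone
	return verify(secret, stolen, submittedAt, 6)
}

func main() {
	// Constructed demo seed; it happens to be the RFC 6238 test-vector secret.
	secret := []byte("12345678901234567890")
	const typedAt = int64(1700000000) // made-up moment the victim typed the code
	fmt.Println("relayed within 5 s: ", relayAccepted(secret, typedAt, typedAt+5))
	fmt.Println("relayed after 3 min:", relayAccepted(secret, typedAt, typedAt+180))
}
```

The point is that the code's expiry is measured from when it was generated, not from when the victim hands it over, and an automated proxy forwards it in well under a second. The same relay works against SMS codes, which have no fixed step at all.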

In November 2018, an app distributed through a third-party app store and disguised as an Android battery utility turned out to be a tool for stealing money from the user's PayPal account. It prompted the user to enable an Accessibility service for it (the Android feature intended for assistive tools), which let it read the screen and inject taps. Once that permission was granted, the app could mimic the user's own clicks inside the real PayPal app and send funds to the attacker's account. Note that 2FA is not defeated here at all: the user logs in legitimately, second factor included, and the theft happens afterward inside the already-authenticated session.

Another method was shared publicly by Piotr Duszyński, a Polish security researcher. His tool, named Modlishka, is a reverse proxy: the victim's browser talks to the phishing domain, and Modlishka forwards every request to the real site and every response back, recording the username, password and 2FA code as the user types them into what looks like the legitimate login page. Because the real site receives the genuine credentials, the login succeeds and the victim notices nothing. Worse, the proxy sits in the middle of the resulting session, so the operator can either take over the authenticated session directly or, if they are watching live, grab the 2FA code and log in themselves within its validity window.

How to Protect Yourself Against 2FA Phishing

First and foremost, while it isn't an impenetrable defense, you don't want to give up on 2FA altogether, although some forms of 2FA are now clearly preferable to others. At the moment, the safest form is a hardware security key using the U2F (FIDO) protocol. A U2F key signs the site's challenge together with the origin of the page the browser is actually on, so a reverse proxy like the one above ends up with a signature for its own domain, which the real site rejects. SMS codes and authenticator-app codes, by contrast, can be typed into any page and relayed.
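The following added example (not code from Modlishka or from any FIDO library) shows in miniature why the Modlishka-style proxy described above and the U2F key recommended here do not mix. It models the core of a WebAuthn/U2F assertion: the browser writes the origin of the page it is really on into the client data, the security key signs that together with the site's challenge, and the genuine site checks the origin before it even looks at the signature. The origins, relying-party ID and challenge are assumed values for the demo. A real browser would refuse to run the ceremony on the proxy's page at all, because the relying-party ID is not a suffix of that host; the server-side check is shown because it is the one the site itself controls.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Assumed names for this demo; none come from the original post.
const (
	realOrigin  = "https://accounts.example.com"                  // the genuine site
	rpID        = "example.com"                                   // RP ID the key was registered under
	proxyOrigin = "https://accounts.example.com.login-secure.net" // Modlishka-style proxy
	challenge   = "Yzg3ZGY0OWE3NjY0"                              // constructed server challenge
)

// clientData: the browser, not the page, fills in the origin it is really on.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct {
	AuthData       []byte // rpIdHash || flags || counter (abridged authenticatorData)
	ClientDataJSON []byte
	Signature      []byte // ECDSA P-256 over SHA-256(AuthData || SHA-256(ClientDataJSON))
}

func newDemoKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the credential's key pair
	if err != nil {
		panic(err)
	}
	return key
}

func signedBytes(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// signAssertion models browser + security key on a page loaded at browserOrigin. (A real
// browser refuses outright when rpID is not a suffix of that host; the server check catches it too.)
func signAssertion(key *ecdsa.PrivateKey, browserOrigin string) (assertion, error) {
	cd, err := json.Marshal(clientData{Challenge: challenge, Origin: browserOrigin})
	if err != nil {
		return assertion{}, err
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 1) // flags: user present; signature counter 1
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedBytes(authData, cd))
	if err != nil {
		return assertion{}, err
	}
	return assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// verifyAssertion is the genuine site's check (WebAuthn section 7.2, abridged).
func verifyAssertion(pub *ecdsa.PublicKey, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != challenge {
		return fmt.Errorf("challenge mismatch")
	}
	if cd.Origin != realOrigin {
		return fmt.Errorf("origin mismatch: signed for %q, expected %q", cd.Origin, realOrigin)
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 32 || !bytes.Equal(a.AuthData[:32], rpIDHash[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedBytes(a.AuthData, a.ClientDataJSON), a.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// patchedOriginRejected: the proxy rewrites the JSON to claim the real origin; the signed bytes change.
func patchedOriginRejected(key *ecdsa.PrivateKey) bool {
	a, err := signAssertion(key, proxyOrigin)
	if err != nil {
		return false
	}
	a.ClientDataJSON = bytes.Replace(a.ClientDataJSON, []byte(proxyOrigin), []byte(realOrigin), 1)
	return verifyAssertion(&key.PublicKey, a) != nil
}

func main() {
	key := newDemoKey()
	for _, origin := range []string{realOrigin, proxyOrigin} {
		a, _ := signAssertion(key, origin)
		fmt.Printf("browser on %-48s -> %v\n", origin, verifyAssertion(&key.PublicKey, a))
	}
	fmt.Println("patched origin rejected:", patchedOriginRejected(key))
}
```

Running it prints an accepted login for the genuine origin and an "origin mismatch" for the proxied one. The proxy cannot fix that up by editing the client data before forwarding, because the origin is under the key's signature; that is what a typed TOTP or SMS code lacks.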

Even more importantly, you need your entire team to be able to identify the signs of a phishing attempt. Attacks like these raise the bar, but a little diligence still goes a long way toward preventing them.

When all is said and done, 2FA phishing is just like regular phishing, with the extra step of reproducing the prompt for a second authentication factor. So the general best practices for avoiding misleading and malicious websites still apply.

First of all, double-check that you're actually on the website you meant to visit, by reading the domain in the address bar rather than trusting the page's logo and layout. For instance, if you're trying to access your Google account, the login URL won't be www.logintogoogle.com; the real one is under google.com, and an address that merely contains "google" somewhere, or puts the real name in front of a different domain, is not it. Website spoofing is a very real way that (as shown above) attackers try to fool users into handing over credentials.
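As an added illustration (not from the original post), this function does the address-bar check strictly, and the constructed sample list shows the tricks that fool a casual glance: the genuine host name placed before an @, used as a subdomain of another domain, hidden in the path, or spelled with a digit. The only thing that proves you are on the right site is that the host itself is the expected domain or a label beneath it, over HTTPS.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// isTrustedLogin reports whether raw really points at expectedDomain, or a
// subdomain of it, over HTTPS. It deliberately never looks for the domain as a
// substring: "google.com" appearing somewhere in the URL proves nothing.
func isTrustedLogin(raw, expectedDomain string) bool {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" {
		return false
	}
	host := strings.ToLower(u.Hostname()) // Hostname() drops the port and any user@ part
	exp := strings.ToLower(expectedDomain)
	return host == exp || strings.HasSuffix(host, "."+exp)
}

// Constructed lookalikes of the kind the post warns about; only the first is genuine.
var sampleURLs = []string{
	"https://accounts.google.com/signin",            // genuine
	"https://www.logintogoogle.com/",                // different domain with "google" in it
	"https://accounts.google.com.secure-login.net/", // genuine host name as a subdomain of the attacker's
	"https://accounts.google.com@secure-login.net/", // genuine host name in the user@ part
	"https://secure-login.net/accounts.google.com/", // genuine host name in the path
	"https://accounts.goog1e.com/",                  // digit-for-letter lookalike
	"http://accounts.google.com/",                   // right host, but no TLS
}

func main() {
	for _, u := range sampleURLs {
		fmt.Printf("%-48s trusted=%v\n", u, isTrustedLogin(u, "google.com"))
	}
}
```

Only the first sample passes. The same reasoning applies to a human reading the bar: find the scheme, find the first slash after it, and judge the name immediately to the left of that slash (after any @), nothing else.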

There are many other signs that a website or an email may be an attempt to phish you. Google has put together a very educational online exercise on one of the many sites owned by its parent, Alphabet, Inc. Put your phishing identification skills to the test at https://phishingquiz.withgoogle.com/, and encourage the rest of your staff to do the same!

For more best practices, security alerts, and tips, make sure you subscribe to our blog, and if you have any other questions, feel free to reach out to our team by calling (281) 816-6430.
