Washington Works Blog

With Phishing Attacks Beating 2FA, You Need to Be Able to Spot Them

Unfortunately, one of the most effective defenses against phishing attacks has suddenly become a lot less dependable. This means that you and your users must be ready to catch these attempts instead. Here, we’ll review a few new attacks that can be included in a phishing attempt, and how you and your users can better identify them for yourselves.

How Has Two-Factor Authentication (2FA) Been Defeated?

There are a few different methods that have been leveraged to bypass the security benefits that 2FA is supposed to provide.

On a very basic level, some phishing attacks have been successful in convincing the user to hand over their credentials and the 2FA code that is generated when a login attempt is made. According to Amnesty International, one group of hackers has been sending out phishing emails that link the recipient to a convincing, yet fake, page to reset their Google password. In some cases, fake emails like this can look very convincing, which makes this scheme that much more effective.

As Amnesty International investigated these attacks, they discovered that the attackers were also using automation to launch Chrome and submit whatever the user entered on their end. This means that the 30-second time limit on 2FA credentials was of no concern.

In November 2018, an application on a third-party app store disguised as an Android battery utility tool was discovered to actually be a means of stealing funds from a user’s PayPal account. To do so, this application would alter the device’s Accessibility settings to enable the accessibility overlay feature. Once this was in place, the user’s clicks could be mimicked, allowing an attacker to send funds to their own PayPal account.

Another means of attack was actually shared publicly by Piotr Duszyński, a Polish security researcher. His method, named Modlishka, creates a reverse proxy that intercepts and records credentials as the user attempts to input them into the impersonated website. Modlishka then sends the credentials to the real website, concealing its theft of the user’s credentials. Worse, if the person leveraging Modlishka is present, they can steal 2FA credentials and quickly leverage them for themselves.

How to Protect Yourself Against 2FA Phishing

First and foremost, while 2FA isn’t impenetrable, you don’t want to pass up on it completely. Some methods of 2FA are simply becoming much more preferable than others. At the moment, the safest form of 2FA is to utilize hardware tokens with the U2F protocol.

Even more importantly, you need your entire team to be able to identify the signs of a phishing attempt. While attacks like these can make it more challenging, a little bit of diligence can assist greatly in preventing them.

When all is said and done, 2FA phishing is just like regular phishing; there’s just the extra step of replicating the need for a second authentication factor. Therefore, a few general best practices for avoiding any misleading and malicious website should do.

First of all, you need to double-check and make sure you’re actually on the website you wanted to visit. For instance, if you’re trying to access your Google account, the login URL won’t be www - logintogoogle - dot com. Website spoofing is a very real way that (as evidenced above) attackers will try to fool users into handing over credentials.
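The same double-check can be automated for links in reported emails. This is an added example, not part of the original article; the allowlist, the sample URLs other than the article's own, and the helper name `login_host_verdict` are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: domains this organisation expects to serve Google sign-in.
TRUSTED_DOMAINS = ("google.com",)


def login_host_verdict(url, trusted=TRUSTED_DOMAINS):
    """Return (ok, reason) for the host the browser would actually contact."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not https"
    if not host:
        return False, "no host"
    # Everything before '@' is userinfo, not the site: the real host comes after it.
    if "@" in parts.netloc:
        return False, "userinfo before host"
    # Non-ASCII or punycode labels can render as lookalike characters.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "internationalised host"
    for domain in trusted:
        # Exact match or a true subdomain; the leading dot stops 'notgoogle.com'.
        if host == domain or host.endswith("." + domain):
            return True, "trusted domain " + domain
    for domain in trusted:
        # The brand appearing anywhere else in the host is a spoofing sign.
        if domain.split(".")[0] in host:
            return False, "brand name in untrusted host"
    return False, "untrusted host"


# Constructed sample links, as they might appear in a reported email.
SAMPLES = [
    "https://accounts.google.com/signin",
    "https://www.logintogoogle.com/",                 # the article's example
    "https://accounts.google.com.example.net/reset",  # real name used as a subdomain
    "https://accounts.google.com@example.net/",       # real name used as userinfo
    "https://g\u043e\u043egle.com/",                  # Cyrillic 'o' lookalikes
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(login_host_verdict(sample), sample)
```

A passing verdict only says the host is the expected one; it is a triage aid for reported links, not a replacement for users checking the address bar.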

There are many other signs that a website, or an email, may be an attempt to phish you. Google has actually put together a very educational online activity on one of the many websites owned by Alphabet, Inc. Put your phishing identification skills to the test by visiting https://phishingquiz.withgoogle.com/, and encourage the rest of your staff to do the same!

For more best practices, security alerts, and tips, make sure you subscribe to our blog, and if you have any other questions, feel free to reach out to our team by calling 301-571-5040.
