Contact Us Today! 1-844-237-4300

Central Technology Solutions Blog

With Phishing Attacks Beating 2FA, You Need to Be Able to Spot Them

With Phishing Attacks Beating 2FA, You Need to Be Able to Spot Them

Unfortunately, one of the most effective defenses against phishing attacks has suddenly become a lot less dependable. This means that you and your users must be ready to catch these attempts instead. Here, we’ll review a few new attacks that can be included in a phishing attempt, and how you and your users can better identify them for yourselves.

How Has Two-Factor Authentication (2FA) Been Defeated?

There are a few different methods that have been leveraged to bypass the security benefits that 2FA is supposed to provide.

On a very basic level, some phishing attacks have been successful in convincing the user to hand over their credentials and the 2FA code that is generated when a login attempt is made. According to Amnesty International, one group of hackers has been sending out phishing emails that link the recipient to a convincing, yet fake, page to reset their Google password. In some cases, fake emails like this can look very convincing, which makes this scheme that much more effective.

As Amnesty International investigated these attacks, they discovered that the attacks were also leveraging automation to automatically launch Chrome and submit whatever the user entered on their end. This means that the 30-second time limit on 2FA credentials was of no concern.

In November 2018, an application on a third-party app store disguised as an Android battery utility tool was discovered to actually be a means of stealing funds from a user’s PayPal account. To do so, this application would alter the device’s Accessibility settings to enable the accessibility overlay feature. Once this was in place, the user’s clicks could be mimicked, allowing an attacker to send funds to their own PayPal account.

Another means of attack was actually shared publicly by Piotr Duszyński, a Polish security researcher. His method, named Modlishka, creates a reverse proxy that intercepts and records credentials as the user attempts to input them into the impersonated website. Modlishka then sends the credentials to the real website, concealing its theft of the user’s credentials. Worse, if the person leveraging Modlishka is present, they can steal 2FA credentials and quickly leverage them for themselves.

How to Protect Yourself Against 2FA Phishing

First and foremost, while it isn’t an impenetrable method, you don’t want to pass up on 2FA completely, although some methods of 2FA are becoming much more preferable than others. At the moment, the safest form of 2FA is to utilize hardware tokens with U2F protocol.

Even more importantly, you need your entire team to be able to identify the signs of a phishing attempt. While attacks like these can make it more challenging, a little bit of diligence can assist greatly in preventing them.

When all is said and done, 2FA fishing is just like regular phishing… there’s just the extra step of replicating the need for a second authentication factor. Therefore, a few general best practices for avoiding any misleading and malicious website should do.

First of  all, you need to double-check and make sure you’re actually on the website you wanted to visit. For instance, if you’re trying to access your Google account, the login url won’t be www - logintogoogle - dot com. Website spoofing is a very real way that (as evidenced above) attackers will try to fool users into handing over credentials.

There are many other signs that a website, or an email, may be an attempt to phish you. Google has actually put together a very educational online activity on one of the many websites owned by Alphabet, Inc. Put your phishing identification skills to the test by visiting, and encourage the rest of your staff to do the same!

For more best practices, security alerts, and tips, make sure you subscribe to our blog, and if you have any other questions, feel free to reach out to our team by calling 1-844-237-4300.

Tip of the Week: Match Word to Your Style
Analytics Can Fool You


No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Saturday, April 20 2019

Captcha Image

Join our mailing list!

  • Company Name *
  • First Name *
  • Last Name *

      Mobile? Grab this Article!

      QR-Code dieser Seite

      Tag Cloud

      Security Tip of the Week Technology Best Practices Cloud Business Computing Email Privacy Malware Hosted Solutions Hackers IT Services Internet Productivity Network Security Data Productivity Data Backup Software Outsourced IT Managed IT Services Business IT Support Innovation Mobile Devices Data Recovery Tech Term Ransomware Computer Hardware Microsoft Google Cloud Computing Backup Small Business Efficiency Internet of Things Business Continuity Managed Service Provider IT Support Upgrade Smartphone Remote Monitoring User Tips Business Management Disaster Recovery Android VoIP Encryption Data Management Social Media Paperless Office Windows 10 Phishing Communication Smartphones Collaboration Browser Workplace Tips Managed IT Windows Artificial Intelligence Facebook BYOD Server Cybersecurity Risk Management Windows 10 Managed IT Services Save Money communications Mobile Device Saving Money Passwords Mobile Device Management Holiday App Network Employer-Employee Relationship Robot Compliance Chrome Bring Your Own Device Bandwidth BDR Applications Vendor Management Apps Office 365 Automation Recovery Gmail Analytics Firewall Government Wi-Fi Document Management Unified Threat Management Big Data Project Management Information Antivirus Money Infrastructure SaaS Data storage Telephone Systems Vulnerability Going Green Hosted Solution Business Technology Website Wireless Microsoft Office Healthcare Password Virtualization Content Filtering IT Management Tip of the week Managed Service Quick Tips Scam Politics Blockchain Social VPN Virtual Reality Work/Life Balance Unified Communications Miscellaneous Customer Relationship Management Computing Data loss Data Security Regulations Training Office IT Service Printing Computers Storage File Sharing Router Tablet Two-factor Authentication Remote Computing Files Settings Help Desk Customer Service Apple Hacker IoT HIPAA Digital Payment Access Control Upgrades Patch Management Websites Identity Theft Mobile Security Networking Wireless Technology Legal Twitter Users Employees Spam Licensing WiFi Virtual Private Network YouTube Company Culture End of Support Health Downtime Network Management Assessment Budget Administration How To Information Technology Monitors Server Management Proactive Electronic Medical Records Machine Learning Mobility LiFi Operating System Alert Education The Internet of Things Mouse Software as a Service Uninterrupted Power Supply Outlook IT solutions Smart Technology Remote Monitoring and Management Maintenance Google Drive Management How To Samsung Net Neutrality Word Flexibility Sports Redundancy Business Growth Remote Workers Chromebook Avoiding Downtime Private Cloud Mobile Computing Tech Support Internet Exlporer Geography Authorization Firefox Cookies Drones Writing Emoji Google Calendar Backups Managed IT Service San Diego Deep Learning Fleet Tracking Network Congestion Procurement Windows 7 Cooperation Heating/Cooling IT Consulting Solid State Drive Mobile Favorites Point of Sale Current Events Test Computer Repair Professional Services Time Management Cache Electronic Health Records Specifications WannaCry High-Speed Internet Physical Security Telephony Security Cameras Permissions Nanotechnology Alt Codes Star Wars Monitoring Retail Cortana Sync Legislation IT Technicians Hacking Break Fix Social Networking Asset Tracking Display Public Cloud Transportation SharePoint Staff Servers Data Breach Cryptocurrency Conferencing 3D Printing Law Enforcement Black Friday Roanoke — Central Technology Solutions MSP RMM Botnet Virtual Assistant Unified Threat Management Hotspot Recycling Cyberattacks Processors Travel Development Office Tips Zero-Day Threat Remote Worker Fraud Screen Reader Typing Utility Computing Consulting Mobile Device Managment Software Tips Disaster Mirgation Trending Hacks Dark Web Motherboard Mail Merge Best Practice OneNote Update Automobile Computer Care Downloads Augmented Reality Technology Laws Bitcoin Managing Stress Instant Messaging Unsupported Software Virus Gadget Cyber Monday VoIP technology services provider Sponsor Tech Terms Wasting Time User Error Language Touchscreen Techology eWaste Read Only Cables Backup and Disaster Recovery GPS ROI Consultation Smart Tech Lenovo Managed Services Provider Social Engineering USB Virtual Desktop Migration Data Warehousing Address Employee-Employer Relationship Operations Statistics Windows 8 Save Time Enterprise Content Management Finance Mobile Data Digital Technology Assurance Group ’s 18 Obstacle Theft Supercomputer Database Computing Infrastructure Disaster Resistance Identities Crowdsourcing Meetings Wires Dark Data Human Error Personal Information Tracking Notes Superfish Cost Management E-Commerce Safety G Suite History Technology Tips Chatbots Search Authentication Taxes Microsoft Excel Modem Google Wallet Connectivity Google Maps Multi-Factor Security Wearable Technology Bluetooth Vulnerabilities Marketing Distributed Denial of Service Spyware Annual Convention Course WPA3 Financial IT Budget Voice over Internet Protocol Printer Alerts Proactive IT Hard Drives Google Docs Enterprise Resource Planning Bookmarks Notifications Humor Permission PowerPoint Buisness Hard Drive Features Black Market Cabling Gadgets Comparison Identity Shortcut IT Consultant Error Regulation Cybercrime Emergency CrashOverride Web Server Cameras Students Motion Sickness CCTV Administrator Teamwork Relocation Printers Shared resources Webcam Hard Disk Drive