Central Technology Solutions Blog

With Phishing Attacks Beating 2FA, You Need to Be Able to Spot Them

Unfortunately, one of the most effective defenses against phishing, two-factor authentication, has become a lot less dependable: attackers have learned to phish the second factor right along with the password. That means you and your users must be ready to catch these attempts yourselves. Here we review a few newer techniques that can be folded into a phishing attempt, and how you and your users can identify them.

How Has Two-Factor Authentication (2FA) Been Defeated?

Several different methods have been used to get around the protection that 2FA is supposed to provide.

At the simplest level, some phishing campaigns just ask for everything: the victim is talked into handing over their username, their password, and the one-time code their authenticator app or text message produces at login. Amnesty International documented one group sending emails that link to a convincing but fake Google password-reset page for exactly this purpose. Because these emails and pages can be polished copies of the real thing, the scheme works far more often than it should.

When Amnesty International investigated, they found the attackers had also automated the back end: as soon as the victim submitted credentials and a code, a script drove a Chrome instance to log in to the real service with them. Because the stolen code was used within seconds, the roughly 30-second lifetime of a time-based one-time code was no obstacle at all.

In November 2018, an app on a third-party Android app store that posed as a battery-optimization utility turned out to be a tool for draining PayPal accounts. It asked the user to enable a malicious accessibility service; once that permission was granted, the service could watch for the official PayPal app, wait for the user to log in (2FA and all), and then simulate the taps needed to send money to the attacker's account. Note what this shows: 2FA was never defeated at login. The malware simply acted inside a session the user had already authenticated, which a login-time second factor cannot protect against.

A third technique was released publicly by Piotr Duszyński, a Polish security researcher, as a tool called Modlishka. Modlishka is a reverse proxy: the victim browses to the attacker's domain, but every page they see is fetched live from the real site, and everything they type, including the password and the one-time code, is recorded and passed straight through to the real site. The login therefore succeeds, nothing looks broken, and the proxy also captures the authenticated session cookies the real site sets in response. The attacker does not even need to re-enter a stolen code within its lifetime; they can simply load the captured session and carry on as the victim.

How to Protect Yourself Against 2FA Phishing

First and foremost, 2FA is still worth using even though it is not impenetrable; a proxy or a fake page has to go to far more trouble than it would against a password alone. Some forms of 2FA hold up much better than others, though. Codes delivered by SMS or generated by an app can be typed into any page, so they can be relayed by any page. The most phishing-resistant option today is a hardware security key using the FIDO U2F protocol (and its successor, FIDO2/WebAuthn). These keys do not produce a code for the user to type; the browser hands the key a challenge along with the origin of the page that is asking, and the key signs both. A login relayed through an attacker's domain produces a signature over the wrong origin, which the real site rejects, so there is nothing for the proxy to replay. Keep in mind that the password itself is still captured in such an attack; what the key protects is the second step.
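The difference between a typed code and an origin-bound signature is easiest to see in running code. The following is an added example written for this post; it is not code from Modlishka, Google, or any FIDO library. It models the Modlishka-style relay described above against both kinds of second factor: a TOTP code (RFC 6238, the kind an authenticator app shows) and a U2F/WebAuthn-shaped assertion. The security key's private-key signature is stood in for by an HMAC over exactly the data the real protocol signs, so it runs on the Python standard library alone; the two domain names are assumptions for the example.

```python
"""Why a reverse proxy relays a typed code but not an origin-bound signature.

Added illustration for this post; not code from Modlishka, Google, or any
FIDO library. The security key's private-key signature is stood in for by an
HMAC over exactly the data the real protocol signs, so it runs on the Python
standard library alone. Domain names below are assumed for the example.
"""
import base64
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://accounts.example.com"    # assumed legitimate site
PHISH_ORIGIN = "https://accounts-example.com"   # assumed proxy (look-alike) domain


# ---- Code-based second factor: TOTP as in RFC 6238 (HMAC-SHA1, 30 s steps) ----
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_site_accepts(secret: bytes, submitted: str, unix_time: int) -> bool:
    """The real site: accept if the code matches the current 30 s window."""
    return hmac.compare_digest(submitted, totp(secret, unix_time))


def proxy_relays_totp(secret: bytes, unix_time: int) -> bool:
    """Victim types the code into the fake page; the proxy forwards it 2 s later.

    Nothing in a six-digit code says which site it was typed into, so the
    real site has no way to tell the proxy from the victim.
    """
    typed_on_fake_page = totp(secret, unix_time)
    return totp_site_accepts(secret, typed_on_fake_page, unix_time + 2)


# ---- Origin-bound second factor, in the shape of U2F / WebAuthn ----
def client_assertion(cred_key: bytes, challenge: bytes, page_origin: str) -> dict:
    """What the browser and key hand back. The browser fills in the origin of
    the page that asked; the user never types it, so a page served from the
    attacker's domain can only ever get PHISH_ORIGIN here."""
    client_data = json.dumps(
        {"challenge": base64.urlsafe_b64encode(challenge).decode(), "origin": page_origin},
        sort_keys=True,
    ).encode()
    digest = hashlib.sha256(client_data).digest()
    signature = hmac.new(cred_key, digest, hashlib.sha256).digest()  # stand-in for ECDSA
    return {"client_data": client_data, "signature": signature}


def fido_site_accepts(cred_key: bytes, challenge: bytes, assertion: dict) -> bool:
    """The real site: origin must be ours, challenge must be the one we issued,
    and the signature must cover exactly those bytes."""
    data = json.loads(assertion["client_data"])
    if data.get("origin") != REAL_ORIGIN:
        return False
    if data.get("challenge") != base64.urlsafe_b64encode(challenge).decode():
        return False
    digest = hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(cred_key, digest, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def proxy_relays_fido(cred_key: bytes, challenge: bytes, rewrite_origin: bool = False) -> bool:
    """Proxy passes the real challenge through, but the victim answers it from
    the phishing origin. Optionally the proxy also edits the origin in transit."""
    assertion = client_assertion(cred_key, challenge, PHISH_ORIGIN)
    if rewrite_origin:
        forged = assertion["client_data"].replace(PHISH_ORIGIN.encode(), REAL_ORIGIN.encode())
        assertion = {"client_data": forged, "signature": assertion["signature"]}
    return fido_site_accepts(cred_key, challenge, assertion)


if __name__ == "__main__":
    seed = b"12345678901234567890"      # RFC 6238 test secret
    print("TOTP relayed through proxy accepted :", proxy_relays_totp(seed, 1111111100))
    key, chal = b"per-credential-key", bytes(32)
    genuine = client_assertion(key, chal, REAL_ORIGIN)
    print("FIDO genuine login accepted         :", fido_site_accepts(key, chal, genuine))
    print("FIDO relayed through proxy accepted :", proxy_relays_fido(key, chal))
    print("FIDO relayed, origin rewritten      :", proxy_relays_fido(key, chal, rewrite_origin=True))
```

Run as a script, the TOTP relay is accepted while every relayed FIDO assertion is rejected: the untouched one because it names the phishing origin, the rewritten one because the signature no longer matches the bytes the site is verifying. Real browsers are stricter still than this model: WebAuthn refuses to produce an assertion at all when the page's origin does not belong to the credential's relying-party ID, so the proxy never even gets a signature to forward.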

Just as important, your entire team needs to be able to recognize a phishing attempt when they see one. Attacks like these make that harder, but a little diligence still goes a long way toward preventing them.

When all is said and done, 2FA phishing is just ordinary phishing with one extra step: the fake page also has to ask for, or relay, the second factor. The general practices for avoiding any misleading or malicious website therefore still apply.

First of all, double-check that you are actually on the website you meant to visit, and judge that by the address bar rather than by how the page looks. If you are trying to reach your Google account, the login URL will not be something like www.logintogoogle.com; the hostname (the part between https:// and the next single slash) should be exactly google.com or end in .google.com. Be aware that the padlock icon only tells you the connection is encrypted to whichever server you reached; a Modlishka-style proxy has a perfectly valid certificate for its own look-alike domain. Website spoofing is, as the examples above show, a very real way attackers fool users into handing over credentials.
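To make the address-bar check concrete, here is an added example written for this post (not Google's code or a product of any vendor named here). It compares the eyeball test most people apply, "it says google.com somewhere", with a strict hostname comparison over a handful of constructed phishing-style URLs. The expected host and all of the sample URLs, including the punycode one, are assumptions for illustration.

```python
"""Strict hostname check versus the eyeball test, over constructed sample URLs.

Added illustration for this post; the expected host and every sample URL
are assumed, not observed.
"""
from urllib.parse import urlsplit

EXPECTED_HOST = "accounts.google.com"  # assumed: the host you meant to reach


def naive_looks_legit(url: str) -> bool:
    """The check most people make by eye: 'it says google.com somewhere'."""
    return "google.com" in url.lower()


def strict_host_ok(url: str, expected_host: str = EXPECTED_HOST) -> bool:
    """True only if the URL really lands on expected_host over HTTPS.

    urlsplit() finds the real hostname even when the attacker pads the URL
    with the genuine name as a subdomain, a path element, or a fake user name.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        return False
    # Internationalized labels arrive encoded as xn--...; a look-alike built
    # from non-Latin letters would show up this way. Treat it as suspect.
    if any(label.startswith("xn--") for label in host.split(".")):
        return False
    return host == expected_host


# Constructed examples of the tricks the eyeball test falls for.
SAMPLE_URLS = [
    "https://accounts.google.com/signin",                # genuine
    "https://www.logintogoogle.com/",                     # the post's example
    "https://accounts.google.com.login-check.example/",   # real name as a subdomain
    "https://accounts.google.com@login-check.example/",   # real name as userinfo
    "https://login-check.example/accounts.google.com/",   # real name in the path
    "http://accounts.google.com/",                        # right host, no TLS
    "https://xn--ggle-0qaa.com/",                         # hypothetical punycode look-alike
]


def compare(urls=SAMPLE_URLS):
    """Return [(url, eyeball_verdict, strict_verdict)] for each URL."""
    return [(u, naive_looks_legit(u), strict_host_ok(u)) for u in urls]


if __name__ == "__main__":
    for url, naive, strict in compare():
        print(f"eyeball: {str(naive):5}  strict: {str(strict):5}  {url}")
```

Only the first URL passes the strict check, while the eyeball test waves through all but the punycode one. The userinfo trick (everything before the @ is a user name, not a host) and the subdomain trick are exactly what a spoofed login page relies on, and both are invisible if you only scan the address for a familiar name.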

There are many other signs that a website or an email may be a phishing attempt. Google has put together an educational online exercise on one of the sites owned by Alphabet, Inc. Put your phishing-spotting skills to the test at https://phishingquiz.withgoogle.com/, and encourage the rest of your staff to do the same!

For more best practices, security alerts, and tips, make sure you subscribe to our blog, and if you have any other questions, feel free to reach out to our team by calling 1-844-237-4300.
