facebook linkedin twitter

Computerware Blog

Phishing Attacks Are Besting Two-Factor Authentication--Now What?

Phishing Attacks Are Besting Two-Factor Authentication--Now What?

What has proven to be one of the more effective ways of preventing phishing attacks may be under fire from more advanced threats designed specifically to penetrate the defenses of two-factor authentication. This means that users need to be more cognizant of avoiding these attacks, but how can you help them make educated decisions about this? Let’s start by discussing the phishing attacks that can beat 2FA.

How Has Two-Factor Authentication (2FA) Been Defeated?

There are several methods used by hackers to bypass the security benefits of 2FA. Some phishing attempts have managed to find success in convincing users to have over both their credentials and the 2FA code that is generated by a login attempt. As reported by Amnesty International, one group of hackers has been sending out phishing emails that link the recipient to a convincing fake page to reset their Google password. Sometimes fake emails can be quite convincing, making the trickery much more difficult to identify.

As Amnesty International looked into the attacks, they found that the attacks were using an automated solution to launch Chrome and submit information the user entered into their end. This meant that the 30-second time limit imposed by 2FA was of no concern.

In November 2018, an application on a third-party app store posed as an Android battery utility tool was found to be stealing funds from a user’s PayPal account. The application would change the device’s Accessibility settings to enable an accessibility overlay feature. Once it was in place, the user’s clicks would be mimicked, giving hackers the ability to send funds to their own PayPal account.

Yet another method of attack was shared publicly by Piotr Duszynski, a Polish security researcher. This method, named Modlishka, created a reverse proxy that intercepted and recorded credentials as the user attempted to plug them into an impersonated website. Modlishka would then send the credentials to the real website to hide the fact that the user’s credentials were in fact stolen. Even worse yet, if the person using Modlishka is nearby, they can steal the 2FA credentials and use them very quickly.

Protect Yourself Against 2FA Phishing Schemes

The first step toward preventing 2FA phishing attacks is to make sure you actually have 2FA implemented in the first place. While it might not seem like much of a help (after all, these attacks are designed to work around them), it is much preferable to not having 2FA at all. The most secure method of 2FA at the moment uses hardware tokens with U2F protocol. Most important of all, however, is that your team needs to be trained on the giveaway signs of phishing attacks. With these attempts that target 2FA solutions, it might not be immediately apparent, which is why it’s all the more important to remain vigilant.

At its heart, 2FA phishing is just like regular phishing, plus an additional step to bypass or replicate the secondary authentication method. Here are a few tips to ensure best practices are followed regarding phishing attempts:

  • First, check to make sure that the website you’re using is actually the one it claims to be. For example, if you’re logging in to your Google account, the login URL wouldn’t be something like logintogoogle.com. You wouldn’t believe how often spoofers will fool users in this way.
  • To help you better understand other signs of phishing attacks, check out this phishing identification skills quiz by Alphabet, Inc. We encourage your staff also look into it.

To learn more about phishing attacks, be sure to subscribe to our blog.

Tip of the Week: Using Cloud Services for Your Bus...
Interpreting Analytics Isn’t Always Cut and Dry
 

Comments

No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Guest
Wednesday, June 26, 2019

Captcha Image

Mobile? Grab this Article!

QR-Code dieser Seite

Tag Cloud

Security Tip of the Week Technology Best Practices Privacy Internet Cloud Business Computing Business Management Software Hackers Data Microsoft Backup Workplace Tips Hardware Managed Service Provider Productivity Network Security Email Business Hosted Solutions Saving Money Malware IT Services Efficiency Google IT Support User Tips Small Business Computer Smartphones Innovation Mobile Devices Quick Tips Productivity VoIP Social Media Business Continuity Gadgets Android Microsoft Office Network Collaboration Disaster Recovery Data Backup Mobile Office Server Communication communications Data Recovery Virtualization Smartphone IT Support Upgrade Mobile Device Management Miscellaneous Windows 10 Phishing Tech Term Cybersecurity Ransomware Unified Threat Management Windows Facebook Remote Monitoring Vendor Management Passwords Apps Operating System Holiday Managed IT services Users Mobile Computing Analytics Automation BYOD Remote Computing WiFi BDR Mobile Device Internet of Things Apple The Internet of Things Data Management Outsourced IT Marketing Firewall History Managed IT Services Artificial Intelligence App Save Money Alert Browser Cloud Computing Encryption Big data Spam IT Consultant Printer Content Filtering Windows 10 Health Going Green Office 365 Help Desk Bring Your Own Device Two-factor Authentication Antivirus Gmail Bandwidth Business Technology Office Maintenance Employer-Employee Relationship Cybercrime Tech Support Virus Lithium-ion Battery Best Practice Information Technology Cost Management Hiring/Firing Training Hard Drives Budget Wireless Technology Windows 8 Computers Outlook Saving Time Search Managed IT Government Update Hacking Networking IBM Information Money Phone System Document Management Healthcare Access Control Customer Service It Management VPN Travel Blockchain Education Recovery Risk Management iPhone Password Legal Save Time Downtime Regulations Augmented Reality PowerPoint SaaS Running Cable Proactive IT File Sharing Administration Hard Drive Law Enforcement Applications Twitter Intranet Managed Service Mobility Website Compliance Avoiding Downtime Humor Data storage Flexibility Scam Black Market Retail Cryptocurrency Word Data Breach Laptop Business Intelligence Private Cloud Cortana Business Growth Value Digital Payment Project Management Excel Digital Telephony Hacker Websites Router Management Customer Relationship Management Machine Learning Comparison Tablet Current Events Paperless Office Vulnerabilities Telephone Systems Company Culture Sports Computing Computer Repair Disaster User End of Support Social Networking Hosted Solution Social Robot Fax Server Wireless Data Security Securty Google Maps DDoS Patch Management Solid State Drive Data Loss Social Engineering Chromebook Voice over Internet Protocol Redundancy Computing Infrastructure Hack Pain Points Monitoring How To eWaste Google Docs Net Neutrality Evernote Experience Chrome Download Virtual Assistant Cleaning Monitors Office Tips Processors Start Menu Tech Terms Computer Accessories Microchip Taxes Distributed Denial of Service USB Mobile Technology YouTube Co-managed IT Presentation Gaming Console Cooperation Software as a Service Unified Communications Settings User Error Trending Public Cloud Vendor Uninterrupted Power Supply Mouse Specifications Safety Text Messaging Vulnerability Virtual Desktop Webcam Bitcoin Programming Identity Theft Statistics Windows 7 IT service Network Congestion Lifestyle Documents Data Protection Distribution Entertainment Teamwork Heating/Cooling Politics Storage Virtual Reality Downloads Bluetooth Streaming Media Conferencing Automobile Inbound Marketing Emails Assessment SharePoint Product Reviews Multi-Factor Security Cost Scalability Microserver Adminstration Integration Pirating Information Software License Trends Motion Sickness Best Available Keyboard Tech Leadership Devices Messenger Tracking Domains Tip of the week Work/Life Balance Read Fraud Tactics Fileless Malware Google Calendar Deep Learning Meetings Public Speaking Modem Touchscreen News Visible Light Communication Memory Get More Done Proxy Server Azure VoIP UTM Content Rental Service Consultation IT consulting Legislation Error Cabling Turn Key Electronic Medical Records Transportation Knowledge Device Management IT Plan Enterprise Resource Planning Web Server Printer Server Shortcut Term Business Managemenet Accountants A.I. Books Workers Troubleshooting Recording Content Management email scam Addiction Wi-Fi Administrator Trojan Entrepreneur Directions Technology Tips Supercomputer Organize HIPAA Upselling SSID Fake News Advertising Flash Environment Dark Web Audit CIO Multi-factor Authentication Processing Data Warehousing Windows XP Wireless Headphones Telephone Worker Electronic Payment Health IT Employee/Employer Relationship Video Surveillance Staffing Google Wallet online Currency Migration Connected Devices Competition Displays Equifax Fleet Tracking Reading Samsung Business Owner Logistics Emergency Hard Drive Disposal Society Network Management Managed IT Service Saving ZTime Access MSP Employer Employee Relationship IP Address Microsoft Excel G Suite Bookmark Computer Care Micrsooft LinkedIn Device security Harddrive Google Play Google Drive Windows Server 2008 Nanotechnology Social Network Licensing Human Resources Employer/Employee Relationships Debate Drones Desktop Finance Hacks Physical Security Webinar Application Skype Startup Asset Tracking Relocation Tablets GPS Microsoft 365 Archive Business Cards Service Level Agreement Banking Botnet Processor Spyware Mobile Payment Username Medical IT Permissions Language Unified Threat Management Backup and Disaster Recovery Sync External Harddrive Browsers Electricity Printing Security Cameras Point of Contact Screen Reader Customer Resource management User Tip Proactive Maintenance Gamification Notifications CCTV Digital Signature Television switches Writing Smart Tech Reliable Computing 3D Solutions Ebay Music Piracy Upload Business Metrics Computer Malfunction Navigation Thin CLient cache HTML Professional Services Fiber-Optic Database In Internet of Things Best Practives Smart Phones Data Analysis WannaCry Upgrades GDPR Time Management Freedom of Information LiFi Analytic Telephone System PDF SQL Server Corporate Profile Recycling Mobile Security Regulation CrashOverride 3D Printing Capital Productuvuty Printers Managing Stress

toner1