
Computerware Blog

Phishing Attacks Are Besting Two-Factor Authentication--Now What?

Two-factor authentication (2FA) has proven to be one of the more effective defenses against phishing, but it is now under fire from attacks designed specifically to get past it. Users therefore need to be able to recognize these attacks, but how do you help them make educated decisions? Let’s start by looking at the phishing attacks that can beat 2FA.

How Has Two-Factor Authentication (2FA) Been Defeated?

There are several methods attackers use to bypass the security benefits of 2FA. Some phishing campaigns have succeeded in convincing users to hand over both their credentials and the 2FA code generated for the login attempt. As reported by Amnesty International, one group has been sending phishing emails that link the recipient to a convincing fake page for resetting their Google password. Fake emails like these can be quite convincing, which makes the trickery much harder to identify.

As Amnesty International looked into the attacks, they found that the attackers were using an automated setup that launched Chrome and submitted whatever the user typed into the fake page to the real site in real time. This meant that the 30-second validity window of a time-based 2FA code was no obstacle: the code was relayed and used before it expired.

In November 2018, an application on a third-party app store, posing as an Android battery utility, was found to be stealing funds from users’ PayPal accounts. The application abused the device’s Accessibility settings to enable an overlay and automated-click feature. Once that was in place, it could simulate the user’s taps inside the PayPal app, giving the attackers the ability to send funds to their own PayPal account.

Yet another method of attack was shared publicly by Piotr Duszynski, a Polish security researcher. His tool, named Modlishka, acts as a reverse proxy: it sits between the victim and the real website, intercepting and recording the credentials the user types into the impersonated page. Modlishka then forwards those credentials to the real website, so the login succeeds and the user sees no sign that anything was stolen. Worse yet, because the 2FA code is relayed the same way, an attacker watching the proxy can use the code, or the authenticated session it produced, before it expires.

Protect Yourself Against 2FA Phishing Schemes

The first step toward preventing 2FA phishing attacks is to make sure you actually have 2FA implemented in the first place. While that may not seem like much help (after all, these attacks are designed to work around it), it is far preferable to having no 2FA at all. The most secure form of 2FA at the moment is a hardware token using the U2F protocol: the token signs a challenge that is bound to the website’s origin, so an assertion captured on a look-alike domain is useless on the real one. Most important of all, however, is that your team be trained on the giveaway signs of phishing attacks. With attempts that target 2FA, those signs may not be immediately apparent, which is all the more reason to remain vigilant.
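To make the difference between a relayed code and an origin-bound token concrete, here is an added example (not code from the original post, from Amnesty International, or from Modlishka). It implements a standard TOTP code, shows that a code captured on a fake page still verifies if the proxy submits it within the same 30-second step, and then models a U2F-style assertion in which the browser’s origin is part of what the token signs, so the same relay fails. The secret values, the origins login.example.com and login-example.com, and the HMAC standing in for U2F’s ECDSA signature are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed values for the demonstration; not from any real account or device.
TOTP_SECRET = b"12345678901234567890"      # RFC 6238 test-vector seed
DEVICE_SECRET = b"demo-u2f-device-secret"  # stand-in for the token's registered key
REAL_ORIGIN = "https://login.example.com"  # hypothetical legitimate site
PHISH_ORIGIN = "https://login-example.com" # hypothetical look-alike reverse proxy


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time code (RFC 6238, HMAC-SHA1), as authenticator apps compute it."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp_verify(secret: bytes, code: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check: accept the current step plus/minus `skew` steps (common leniency)."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + k * step, step), code)
        for k in range(-skew, skew + 1)
    )


def relay_totp(secret: bytes, t_typed: int, t_replayed: int) -> bool:
    """Proxy scenario: the victim types the code at t_typed, the attacker submits it at t_replayed."""
    captured = totp(secret, t_typed)  # read straight off the fake login form
    return totp_verify(secret, captured, t_replayed)


def u2f_sign(device_secret: bytes, challenge: bytes, browser_origin: str) -> bytes:
    """Simplified U2F assertion: the browser supplies the origin it is on and the token signs over it.
    Real U2F uses an ECDSA key pair; an HMAC stands in here so the example needs no extra libraries."""
    return hmac.new(device_secret, challenge + b"|" + browser_origin.encode(), hashlib.sha256).digest()


def u2f_verify(device_secret: bytes, challenge: bytes, assertion: bytes, expected_origin: str) -> bool:
    """The relying party recomputes over *its own* origin; a proxy on another domain cannot match it."""
    expected = u2f_sign(device_secret, challenge, expected_origin)
    return hmac.compare_digest(expected, assertion)


def relay_u2f(device_secret: bytes, challenge: bytes) -> bool:
    """Same proxy scenario with a U2F token: the browser is on PHISH_ORIGIN, so that is what gets signed."""
    assertion = u2f_sign(device_secret, challenge, PHISH_ORIGIN)
    return u2f_verify(device_secret, challenge, assertion, REAL_ORIGIN)


def legit_u2f(device_secret: bytes, challenge: bytes) -> bool:
    """Control case: browser really is on REAL_ORIGIN."""
    assertion = u2f_sign(device_secret, challenge, REAL_ORIGIN)
    return u2f_verify(device_secret, challenge, assertion, REAL_ORIGIN)


if __name__ == "__main__":
    print(relay_totp(TOTP_SECRET, 100, 105))        # True: relayed within the same 30 s step
    print(relay_totp(TOTP_SECRET, 100, 200))        # False: the window has passed
    print(legit_u2f(DEVICE_SECRET, b"challenge"))   # True
    print(relay_u2f(DEVICE_SECRET, b"challenge"))   # False: signed for the wrong origin
```

The TOTP half is why the automation Amnesty International described, and a reverse proxy such as Modlishka, work: nothing in the code ties it to where it was typed, so speed is the only requirement. The U2F half is why a hardware token resists the same relay: the origin is an input to the signature, and the proxy cannot make the browser lie about it.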

At its heart, 2FA phishing is just like regular phishing, plus an additional step to bypass or replicate the secondary authentication method. Here are a few tips to ensure best practices are followed regarding phishing attempts:

  • First, check that the website you’re using is actually the one it claims to be. For example, if you’re logging in to your Google account, the login URL wouldn’t be something like logintogoogle.com. You wouldn’t believe how often spoofers fool users this way.
  • To help you better understand other signs of phishing attacks, check out the phishing identification quiz published by Alphabet, Inc. We encourage your staff to look into it as well.
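As an added example (not from the original post), here is the check in the first tip written out as a small Python function. It rejects the page’s logintogoogle.com case along with the related tricks a phishing URL commonly relies on: a host that merely contains or ends in the expected name, a user-info prefix before an @, a non-HTTPS scheme, and a non-ASCII or punycode look-alike hostname. Only the expected registrable domain or one of its subdomains passes. The expected domain is a parameter you supply; the evil.example hosts in the usage are constructed.

```python
from urllib.parse import urlsplit


def check_login_url(url: str, expected_host: str) -> str:
    """Return "ok", or a short reason this URL should not be trusted as a login page for expected_host.

    expected_host is the registrable domain you intend to log in to (e.g. "google.com");
    that host and any subdomain of it are accepted, anything else is not."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "not https"
    # .hostname drops user-info (anything before @) and the port, and lowercases the result,
    # so "https://google.com@evil.example/" yields "evil.example".
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "no host"
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return "non-ASCII or punycode host, possible homoglyph look-alike"
    expected = expected_host.lower().rstrip(".")
    if host == expected or host.endswith("." + expected):
        return "ok"
    return f"host {host!r} is not {expected!r} or a subdomain of it"


def is_trusted_login_url(url: str, expected_host: str) -> bool:
    return check_login_url(url, expected_host) == "ok"


if __name__ == "__main__":
    for candidate in (
        "https://accounts.google.com/signin",
        "https://logintogoogle.com/signin",
        "https://google.com.evil.example/login",
        "https://google.com@evil.example/login",
        "http://accounts.google.com/",
        "https://g\u043e\u043egle.com/",  # Cyrillic 'о' in place of Latin 'o'
    ):
        print(candidate, "->", check_login_url(candidate, "google.com"))
```

The same comparison is what a browser’s U2F implementation performs automatically when it binds the signature to the origin; this function is the manual version a user or a help-desk script can apply to a link before anything is typed into it.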

To learn more about phishing attacks, be sure to subscribe to our blog.
