Get Started Today!  217-475-0226

croom new

Decatur Computers Inc. Blog

Phishing Attacks Are Besting Two-Factor Authentication--Now What?

Phishing Attacks Are Besting Two-Factor Authentication--Now What?

What has proven to be one of the more effective ways of preventing phishing attacks may be under fire from more advanced threats designed specifically to penetrate the defenses of two-factor authentication. This means that users need to be more cognizant of avoiding these attacks, but how can you help them make educated decisions about this? Let’s start by discussing the phishing attacks that can beat 2FA.

How Has Two-Factor Authentication (2FA) Been Defeated?

There are several methods used by hackers to bypass the security benefits of 2FA. Some phishing attempts have managed to find success in convincing users to have over both their credentials and the 2FA code that is generated by a login attempt. As reported by Amnesty International, one group of hackers has been sending out phishing emails that link the recipient to a convincing fake page to reset their Google password. Sometimes fake emails can be quite convincing, making the trickery much more difficult to identify.

As Amnesty International looked into the attacks, they found that the attacks were using an automated solution to launch Chrome and submit information the user entered into their end. This meant that the 30-second time limit imposed by 2FA was of no concern.

In November 2018, an application on a third-party app store posed as an Android battery utility tool was found to be stealing funds from a user’s PayPal account. The application would change the device’s Accessibility settings to enable an accessibility overlay feature. Once it was in place, the user’s clicks would be mimicked, giving hackers the ability to send funds to their own PayPal account.

Yet another method of attack was shared publicly by Piotr Duszynski, a Polish security researcher. This method, named Modlishka, created a reverse proxy that intercepted and recorded credentials as the user attempted to plug them into an impersonated website. Modlishka would then send the credentials to the real website to hide the fact that the user’s credentials were in fact stolen. Even worse yet, if the person using Modlishka is nearby, they can steal the 2FA credentials and use them very quickly.

Protect Yourself Against 2FA Phishing Schemes

The first step toward preventing 2FA phishing attacks is to make sure you actually have 2FA implemented in the first place. While it might not seem like much of a help (after all, these attacks are designed to work around them), it is much preferable to not having 2FA at all. The most secure method of 2FA at the moment uses hardware tokens with U2F protocol. Most important of all, however, is that your team needs to be trained on the giveaway signs of phishing attacks. With these attempts that target 2FA solutions, it might not be immediately apparent, which is why it’s all the more important to remain vigilant.

At its heart, 2FA phishing is just like regular phishing, plus an additional step to bypass or replicate the secondary authentication method. Here are a few tips to ensure best practices are followed regarding phishing attempts:

  • First, check to make sure that the website you’re using is actually the one it claims to be. For example, if you’re logging in to your Google account, the login URL wouldn’t be something like logintogoogle.com. You wouldn’t believe how often spoofers will fool users in this way.
  • To help you better understand other signs of phishing attacks, check out this phishing identification skills quiz by Alphabet, Inc. We encourage your staff also look into it.

To learn more about phishing attacks, be sure to subscribe to our blog.

Tip of the Week: Using Cloud Services for Your Bus...
Interpreting Analytics Isn’t Always Cut and Dry
 

Comments

No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Guest
Friday, April 19 2019
If you'd like to register, please fill in the username, password and name fields.

Captcha Image

Mobile? Grab this Article!

Qr Code

Tag Cloud

Tip of the Week Security Technology Best Practices Business Computing Privacy Network Security Tech Term Hackers Productivity User Tips IT Support Innovation Software Efficiency Data Data Backup Cybersecurity Google Android Business Management Malware Computer Email Data Recovery Internet Small Business Communications Smartphone Collaboration Communication IT Services Windows 10 Hardware Cloud Hosted Solutions Backup Phishing Ransomware Artificial Intelligence Managed IT Services Mobile Device VoIp Social Media Mobile Devices BDR Facebook IT Management Automation Microsoft Office Business Browser Outsourced IT Business Technology Cloud Computing Information App Two-factor Authentication Network Smartphones Blockchain Cybercrime Access Control Office 365 Managed Service Cost Management Mobile Device Management Applications Saving Money Disaster Recovery Scam Websites Encryption Server Workplace Tips Internet of Things Analytics Maintenance Microsoft Hard Drive Passwords Antivirus Apps Update Vulnerabilities Gadgets Data Management Holiday Managed IT Services Patch Management Data Security VPN Printer Start Menu Vendor Laptop Vulnerability Bitcoin Save Money Operating System Mobility Conferencing Social Engineering Alert Virtual Assistant Data loss Remote Monitoring Tech Terms Hacking Apple Quick Tips Business Continuity Law Enforcement Gmail Upgrade Cooperation Project Management Money Saving Time Data Breach Search Spam Word Managed Service Provider Big Data Augmented Reality Document Management Touchscreen Digital Google Maps Data Protection Bandwidth Healthcare Users SaaS Windows Mobile Security Machine Learning Proxy Server Settings Networking Freedom of Information Legislation Tech Business Mangement Solutions Cortana Professional Services Mouse Accountants Microchip iPhone Unified Communications Company Culture Modem Redundancy Budget HTML Trends Running Cable Spyware Audit Cleaning Social Network IBM Paperless Office Network Management Help Desk Administration Knowledge Business Cards News Virtualization Monitoring Solid State Drive Term Integration Printing Identity Theft Sports Tablet Software as a Service DDoS eWaste Training Travel Processor Retail Customer Resource management Corporate Profile SSID Time Management Samsung Gamification Cabling Entertainment Upgrades Information Technology Computers Managed IT Multi-factor Authentication Database Service Level Agreement Employer-Employee Relationship Vendor Management Unified Threat Management Fake News Management Google Play Government Desktop Chromebook How to Robot Equifax Username Navigation Password Telephone System Comparison Devices Data Analysis Computer Care Mobile Technology Excel Nanotechnology Google Calendar Device security Tactics Going Green Downtime Emails Computing Uninterrupted Power Supply Security Cameras Google Drive Legal Backup and Disaster Recovery User Tip Virus WiFi SharePoint Startup Evernote Windows 7 Automobile Electronic Medical Records Medical IT Unified Threat Management Hard Drive Disposal Specifications Compliance Content Worker Fileless Malware Telephone Systems Tip of the week IT Support Outlook Website Download Bookmark Best Practice Piracy Microsoft Excel Bluetooth Error Social Telephony Downloads Twitter Addiction YouTube Wireless Disaster Computing Infrastructure Distributed Denial of Service Miscellaneous Vendor Mangement Microsoft 365 Health IT PowerPoint Emergency email scam Television Regulations BYOD Directions Voice over Internet Protocol Consultant Virtual Reality Screen Reader Google Docs Upload Browsers Access Unsupported Software Software License Cryptocurrency Wireless Headphones Telephone History Router VoIP Regulation CrashOverride Transportation Managing Stress Windows 10 Marketing Multi-Factor Security Office Printers Office Tips

Latest Blog

The capabilities of business technology are truly incredible, and they’re only becoming more impressive. This means that the solutions you have in place now will certainly need to be upgraded to other options at some point.

Latest News

Decatur Computers Inc. is proud to announce the launch of our new website at http://www.decaturcomputers.com. The goal of the new website is to make it easier for our existing clients to submit and manage support requests, and provide more information about our services for prospective clients.