Can Hackers Now Bypass Two Factor Authentication?
One of the major challenges for technology is that it’s difficult to tell who is on the other end of a digital device. Is it truly the user who is requesting a massive transfer of funds through their banking app, or did they simply leave their phone unlocked and someone picked it up for a quick buck? While the consumer applications are a frustration, business users and technology leaders are facing the fight of their lives when it comes to defeating hostile actors.
According to Chicago IT services professional, Jeff Hoffman of ACT Networks, “There was a trend over a decade ago for large organizations to have a physical key for authentication of their accounts, and that has mostly gone by the wayside (although Google still uses them).”
Phishing is one of the biggest concerns for IT security professionals today, states Bill Tobey from HitsTech in Raleigh, NC. Even relatively low-level hackers are able to successfully infiltrate a business’s ecosystem through this type of attack — and a new set of automated tools can now defeat two-factor authentication (2FA). See how creative cybercriminals are getting around the one-two punch of 2FA.
Why Are Phishing Attacks So Common?
Microsoft’s security team closely tracks trends in the cyber landscape, and a recent review of their Security Intelligence Reports shows that phishing attacks are on the rise. In fact, phishing is now the number one cybersecurity threat to business, handily surpassing ransomware and malware. What’s more frightening is that phishing attacks are growing in sophistication, showing that these cybercriminals are becoming more mainstream and consistent with their attacks.
Phishing attacks come in a variety of different flavors:
- Simple emails requesting a user log into their bank or other financial accounts, while the user is actually accessing a complex fake site that is nearly indistinguishable from the original
- Social engineering, where cyberattackers take the time to get to know their prey — their habits, their family members and more
- Fake cloud storage links that download an attack vector
- Engineered attachments that appear similar to those used by a trusted vendor
- Emails that appear to come from a known associate or partner — but you’ll find that the email domain is off by a letter or two when you look closely (“Microsft.com” instead of “Microsoft.com”, for instance)
Once cybercriminals gain access to your systems or sensitive information, they are able to capture additional details that can then be sold on the dark web. With all the ways that hackers can infiltrate your system through phishing attacks, it’s no surprise that these attacks are so incredibly common.
Bypassing Advanced Security Measures
While users may complain a bit about two-factor authentication, until recently it has provided a relatively easy way to secure accounts that contain sensitive information. With 2FA, users not only enter their username and password, but they must also retrieve a passcode that is texted to a known phone number. A new automated phishing attack can now break through this security layer without requiring users to take the additional step, a dirty trick against users. This particular hack utilizes two hacking tools, Muraena and NecroBrowser, which work together to defeat the extra level of security on a user’s account.
Here’s how they work:
- Muraena steps between a user and the legitimate website they attempted to access, redirecting the user to a website that looks like the genuine article. Once there, users enter their login credentials as they would expect. It’s what happens next that is the big problem. The authenticated cookie for the user is quickly passed to the second half of the dynamic duo: NecroBrowser.
- NecroBrowser utilizes the login credentials to track the victims’ private accounts and information.
While together these tools can provide access to your systems even with two-factor authentication, 2FA is still considered vastly superior to simply utilizing a username and password. The best way to avoid being the victim of this type of attack is to be constantly vigilant about the links that you click, the files that you open and the emails that you respond to. And of course, never enter private information on a website over non-secure connections such as public WiFi.