Contact us today!
(800) 588-4430

Telesys Voice and Data Blog

Telesys Voice and Data has been serving the Dallas/Fort Worth area since 1994, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

With Phishing Attacks Beating 2FA, You Need to Be Able to Spot Them

With Phishing Attacks Beating 2FA, You Need to Be Able to Spot Them

Unfortunately, one of the most effective defenses against phishing attacks has suddenly become a lot less dependable. This means that you and your users must be ready to catch these attempts instead. Here, we’ll review a few new attacks that can be included in a phishing attempt, and how you and your users can better identify them for yourselves.

How Has Two-Factor Authentication (2FA) Been Defeated?

There are a few different methods that have been leveraged to bypass the security benefits that 2FA is supposed to provide.

On a very basic level, some phishing attacks have been successful in convincing the user to hand over their credentials and the 2FA code that is generated when a login attempt is made. According to Amnesty International, one group of hackers has been sending out phishing emails that link the recipient to a convincing, yet fake, page to reset their Google password. In some cases, fake emails like this can look very convincing, which makes this scheme that much more effective.

As Amnesty International investigated these attacks, they discovered that the attacks were also leveraging automation to automatically launch Chrome and submit whatever the user entered on their end. This means that the 30-second time limit on 2FA credentials was of no concern.

In November 2018, an application on a third-party app store disguised as an Android battery utility tool was discovered to actually be a means of stealing funds from a user’s PayPal account. To do so, this application would alter the device’s Accessibility settings to enable the accessibility overlay feature. Once this was in place, the user’s clicks could be mimicked, allowing an attacker to send funds to their own PayPal account.

Another means of attack was actually shared publicly by Piotr Duszyński, a Polish security researcher. His method, named Modlishka, creates a reverse proxy that intercepts and records credentials as the user attempts to input them into the impersonated website. Modlishka then sends the credentials to the real website, concealing its theft of the user’s credentials. Worse, if the person leveraging Modlishka is present, they can steal 2FA credentials and quickly leverage them for themselves.

How to Protect Yourself Against 2FA Phishing

First and foremost, while it isn’t an impenetrable method, you don’t want to pass up on 2FA completely, although some methods of 2FA are becoming much more preferable than others. At the moment, the safest form of 2FA is to utilize hardware tokens with U2F protocol.

Even more importantly, you need your entire team to be able to identify the signs of a phishing attempt. While attacks like these can make it more challenging, a little bit of diligence can assist greatly in preventing them.

When all is said and done, 2FA fishing is just like regular phishing… there’s just the extra step of replicating the need for a second authentication factor. Therefore, a few general best practices for avoiding any misleading and malicious website should do.

First of  all, you need to double-check and make sure you’re actually on the website you wanted to visit. For instance, if you’re trying to access your Google account, the login url won’t be www - logintogoogle - dot com. Website spoofing is a very real way that (as evidenced above) attackers will try to fool users into handing over credentials.

There are many other signs that a website, or an email, may be an attempt to phish you. Google has actually put together a very educational online activity on one of the many websites owned by Alphabet, Inc. Put your phishing identification skills to the test by visiting, and encourage the rest of your staff to do the same!

For more best practices, security alerts, and tips, make sure you subscribe to our blog, and if you have any other questions, feel free to reach out to our team by calling (800) 588-4430.


No comments yet
Already Registered? Login Here
Tuesday, 12 November 2019
If you'd like to register, please fill in the username, password and name fields.

Captcha Image

Free Consultation

Sign up today for a
FREE Network Consultation

How secure is your IT infrastructure?
Let us evaluate it for free!

Sign up Now!

Free Consultation

Tag Cloud

Security Tip of the Week Technology Cloud Best Practices Business Computing Hackers Malware Privacy Email Business Productivity Hosted Solutions Microsoft Software Network Security Internet IT Services Computer Windows 10 Productivity Managed Service Provider Ransomware Backup Innovation Data Backup Outsourced IT Mobile Devices Business Continuity Android Smartphone Hardware Efficiency User Tips Managed IT services Google Disaster Recovery Data Recovery Social Media Data Browser Communication IT Support Workplace Tips Upgrade Cloud Computing Small Business Business Management IT Support Managed IT Services App Data Management Smartphones Server Office Remote Monitoring Miscellaneous Internet of Things Holiday Phishing Microsoft Office Office 365 Windows WiFi Facebook Paperless Office Network communications Password VoIP Artificial Intelligence Gmail Big Data Tech Term Spam Passwords Save Money Encryption Document Management Employer-Employee Relationship Cybersecurity Risk Management Saving Money Unified Threat Management Bandwidth Customer Relationship Management Firewall Robot Apps Hosted Solution Recovery Collaboration Tip of the week Customer Service Mobile Device Management Vendor Management Operating System Analytics Remote Computing Word Hacker Compliance How To Chrome Government Content Filtering Money Managed IT Infrastructure Apple Work/Life Balance Avoiding Downtime Downtime Wi-Fi Windows 10 Office Tips Tech Support File Sharing Two-factor Authentication Settings Vulnerability Automation Going Green Help Desk Alert The Internet of Things Data Security Computers Printing Presentation Business Growth Data storage Computing IT Management Outlook Healthcare Managed Service Education Mobile Device Virtual Reality Antivirus Training Redundancy Cybercrime SaaS BYOD Project Management Data loss BDR Health Applications Business Technology Social Website Hacking Telephone Systems Mobile Computing YouTube Mobile Security Legal Competition Unified Communications Display Twitter Patch Management Identity Theft Information Technology LiFi Politics Monitors Windows 7 Scam Travel Google Drive Humor Websites Physical Security Taxes Access Control VPN Analyitcs Assessment Botnet Augmented Reality Server Management Licensing Samsung IBM Virtual Private Network Running Cable Consultation Digital Payment Meetings Storage Maintenance Specifications Bring Your Own Device Search Sports Computer Care IT service User Cortana Laptops Virtualization Administration Tablet Retail Regulations Proactive Best Practice IT solutions Safety Lithium-ion battery Automobile Upgrades Net Neutrality Wireless Technology Budget Business Owner Remote Monitoring and Management Wireless End of Support Smart Technology Mouse Marketing HIPAA Software as a Service Router Emoji Domains data services Bookmarks Shortcut Uninterrupted Power Supply Consumers CCTV Mobile Spyware Fleet Tracking Gadget IT Technicians 5G Technology Tips Voice over Internet Protocol Superfish Entrepreneur Remote Work business communications systems Application Hacks Modem Mobile Data Managed IT Service Company Culture Users Hotspot Public Speaking User Error Favorites Solid State Drive How To eWaste Asset Tracking Mirgation Comparison Break Fix File Management Internet Protocol Current Events Heating/Cooling Cookies IT Sevices Vulnerabilities Processors Language Printer Conferencing Hard Disk Drive G Suite Firefox Environment Remote Workers Supercomputer Migration Black Friday Manufacturing Networking Dark Web Telephone VoIP streamlines Hard Drives Servers Motion Sickness Nanotechnology Laptop Geography Virtual Desktop Computing Infrastructure Google Docs Employees Troubleshooting Information IT Budget Chatbots Writing Cyber Monday Gadgets Personal Information Data Warehousing Mobile VoIP business network infrastructure Refrigeration IoT Halloween IT Consultant Cables Alerts SharePoint Zero-Day Threat Monitoring Phone System Deep Learning Machine Learning Identity Fun Social Engineering flu season Proactive Maintenance Techology Computer Repair Microsoft Excel Statistics Software Tips Utility Computing Scary Stories Cleaning Wires Notifications Cooperation Downloads Backup and Disaster Recovery Mail Merge Electronic Health Records Relocation Fort Worth Processor Disaster Resistance Electronic Medical Records Blockchain Undo Google Wallet Bluetooth Webcam Crowdsourcing Staff IP Address Dark Data Multi-Factor Security RMM Address Corporate Profile Quick Tips Cyberattacks Alt Codes Private Cloud flu shot Proactive IT Permissions Drones History Point of Sale Cost Management MSP Flexibility Mobile Office Google Calendar Procurement WannaCry Time Management iPhone Typing Error Fort Worth IT Active Directory IT Consulting Buisness Fraud Mobility Cabling Recycling Staffing Operations Legislation Remote Worker Network Management Cryptocurrency Social Networking Knowledge DFW IT Service Windows Server Data Breach Update Web Server Management GPS Wearable Technology Professional Services VoIP Technology Laws Touchscreen Google Maps Bitcoin Administrator Motherboard Experience 3D Printing User Management Chromebook Internet Exlporer Disaster Cameras Enterprise Resource Planning Digital WPA3 Tracking PowerPoint Law Enforcement Network Congestion Virtual Assistant Lenovo Unified Threat Management Windows 8 Unsupported Software Distributed Denial of Service Batteries

Top Blog

Let's look at the definition of disaster. dis·as·ter A calamitous event, especially one occurring suddenly and causing great loss of life, damage, or hardship, as a flood, airplane crash, or business failure.To Telesys Voice and Data, a disaster is anything that involves a major loss of data or major downt...