Contact us today!
(800) 588-4430

Telesys Voice and Data Blog

Telesys Voice and Data has been serving the Richland Hills area since 1994, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

With Phishing Attacks Beating 2FA, You Need to Be Able to Spot Them

With Phishing Attacks Beating 2FA, You Need to Be Able to Spot Them

Unfortunately, one of the most effective defenses against phishing attacks has suddenly become a lot less dependable. This means that you and your users must be ready to catch these attempts instead. Here, we’ll review a few new attacks that can be included in a phishing attempt, and how you and your users can better identify them for yourselves.

How Has Two-Factor Authentication (2FA) Been Defeated?

There are a few different methods that have been leveraged to bypass the security benefits that 2FA is supposed to provide.

On a very basic level, some phishing attacks have been successful in convincing the user to hand over their credentials and the 2FA code that is generated when a login attempt is made. According to Amnesty International, one group of hackers has been sending out phishing emails that link the recipient to a convincing, yet fake, page to reset their Google password. In some cases, fake emails like this can look very convincing, which makes this scheme that much more effective.

As Amnesty International investigated these attacks, they discovered that the attacks were also leveraging automation to automatically launch Chrome and submit whatever the user entered on their end. This means that the 30-second time limit on 2FA credentials was of no concern.

In November 2018, an application on a third-party app store disguised as an Android battery utility tool was discovered to actually be a means of stealing funds from a user’s PayPal account. To do so, this application would alter the device’s Accessibility settings to enable the accessibility overlay feature. Once this was in place, the user’s clicks could be mimicked, allowing an attacker to send funds to their own PayPal account.

Another means of attack was actually shared publicly by Piotr Duszyński, a Polish security researcher. His method, named Modlishka, creates a reverse proxy that intercepts and records credentials as the user attempts to input them into the impersonated website. Modlishka then sends the credentials to the real website, concealing its theft of the user’s credentials. Worse, if the person leveraging Modlishka is present, they can steal 2FA credentials and quickly leverage them for themselves.

How to Protect Yourself Against 2FA Phishing

First and foremost, while it isn’t an impenetrable method, you don’t want to pass up on 2FA completely, although some methods of 2FA are becoming much more preferable than others. At the moment, the safest form of 2FA is to utilize hardware tokens with U2F protocol.

Even more importantly, you need your entire team to be able to identify the signs of a phishing attempt. While attacks like these can make it more challenging, a little bit of diligence can assist greatly in preventing them.

When all is said and done, 2FA fishing is just like regular phishing… there’s just the extra step of replicating the need for a second authentication factor. Therefore, a few general best practices for avoiding any misleading and malicious website should do.

First of  all, you need to double-check and make sure you’re actually on the website you wanted to visit. For instance, if you’re trying to access your Google account, the login url won’t be www - logintogoogle - dot com. Website spoofing is a very real way that (as evidenced above) attackers will try to fool users into handing over credentials.

There are many other signs that a website, or an email, may be an attempt to phish you. Google has actually put together a very educational online activity on one of the many websites owned by Alphabet, Inc. Put your phishing identification skills to the test by visiting, and encourage the rest of your staff to do the same!

For more best practices, security alerts, and tips, make sure you subscribe to our blog, and if you have any other questions, feel free to reach out to our team by calling (800) 588-4430.


No comments yet
Already Registered? Login Here
Tuesday, 25 June 2019
If you'd like to register, please fill in the username, password and name fields.

Captcha Image

Free Consultation

Sign up today for a
FREE Network Consultation

How secure is your IT infrastructure?
Let us evaluate it for free!

Sign up Now!

Free Consultation

Tag Cloud

Security Tip of the Week Technology Cloud Best Practices Business Computing Hackers Malware Privacy Email Productivity Business Hosted Solutions Microsoft Software Internet Network Security IT Services Windows 10 Managed Service Provider Computer Productivity Ransomware Backup Innovation Mobile Devices Outsourced IT Smartphone Android Hardware Data Backup User Tips Google Managed IT services Social Media Efficiency Browser Communication IT Support Disaster Recovery Workplace Tips Business Continuity Data Data Recovery Business Management Upgrade Cloud Computing Data Management Smartphones Small Business App Office Remote Monitoring Managed IT Services Internet of Things Holiday Microsoft Office Server Windows Miscellaneous Facebook WiFi Phishing Network Office 365 IT Support Artificial Intelligence Gmail Big Data Spam Passwords Encryption Tech Term Save Money Paperless Office Password VoIP Collaboration Bandwidth Firewall Customer Relationship Management Apps Unified Threat Management Hosted Solution Recovery communications Robot Employer-Employee Relationship Risk Management Saving Money Remote Computing Word Hacker Vendor Management Content Filtering Chrome Infrastructure Apple Downtime Avoiding Downtime Wi-Fi Office Tips How To Document Management Compliance Tip of the week Government Customer Service Mobile Device Management Cybersecurity Money Analytics Work/Life Balance Applications Computers Presentation Business Growth File Sharing IT Management Education Outlook Mobile Device Antivirus Project Management Automation Cybercrime Alert Managed IT Business Technology Data loss Printing BDR Data storage Social Health Computing Website Windows 10 Telephone Systems Hacking Mobile Computing Virtual Reality Vulnerability Tech Support Two-factor Authentication Settings SaaS BYOD Data Security Operating System The Internet of Things Augmented Reality Assessment Licensing Analyitcs Smart Technology Server Management Mouse IBM Running Cable Software as a Service Consultation Digital Payment HIPAA Router Legal Maintenance Mobile Security Bring Your Own Device Search Specifications Sports Twitter Monitors IT service Politics Travel Cortana Virtualization Google Drive Administration Websites User Physical Security Going Green Tablet Taxes IT solutions Botnet Safety Retail Wireless Technology Best Practice Samsung Wireless Lithium-ion battery Business Owner Meetings Storage Managed Service Marketing Healthcare Computer Care YouTube Patch Management Unified Communications Scam Competition Training LiFi Proactive Identity Theft Regulations VPN Information Technology Automobile Upgrades Remote Monitoring and Management Help Desk Humor Budget Virtual Private Network End of Support Net Neutrality Administrator Techology 3D Printing Backup and Disaster Recovery WPA3 IT Budget Wearable Technology Motherboard Cameras data services Halloween Chromebook Refrigeration Mail Merge Network Congestion Mobile Troubleshooting Internet Exlporer Law Enforcement Deep Learning Disaster Resistance Fun Unsupported Software Procurement Fleet Tracking Software Tips CCTV Distributed Denial of Service Scary Stories Emoji Statistics Address Display Company Culture Phone System Gadget IT Technicians Technology Tips Proactive IT Mobile Data Hacks Remote Worker Asset Tracking Modem Managed IT Service Bluetooth Undo User Error Redundancy IP Address Corporate Profile Vulnerabilities Hotspot Mirgation Alt Codes Comparison IT Consulting Quick Tips Current Events Virtual Assistant Remote Workers History Cookies G Suite Break Fix Processors Printer Mobile Office WannaCry Geography Language Migration Typing Motion Sickness Black Friday Data Breach Time Management Voice over Internet Protocol Information Google Docs Cabling Nanotechnology Dark Web Buisness Access Control Writing Cables Staffing iPhone Computing Infrastructure Chatbots Cryptocurrency Cyber Monday Technology Laws Knowledge Personal Information Network Management Manufacturing Electronic Health Records IoT IT Consultant Data Warehousing Machine Learning SharePoint Lenovo Social Engineering VoIP Wires GPS Alerts Identity Bitcoin flu season Unified Threat Management Experience Computer Repair Touchscreen Proactive Maintenance Cyberattacks Google Maps Disaster Utility Computing Cleaning Microsoft Excel Notifications Shortcut Relocation Downloads Superfish Digital Tracking Cooperation Windows 8 Webcam Fort Worth business communications systems Electronic Medical Records Google Wallet Bookmarks Domains Dark Data Uninterrupted Power Supply Blockchain PowerPoint Crowdsourcing Private Cloud Multi-Factor Security 5G Spyware Entrepreneur MSP Staff Consumers Point of Sale flu shot Internet Protocol Application Drones Favorites Public Speaking Solid State Drive Cost Management Permissions Users Error Google Calendar Networking How To Employees Flexibility Fort Worth IT VoIP streamlines Heating/Cooling Conferencing Hard Disk Drive Management eWaste Fraud Legislation IT Sevices Firefox Zero-Day Threat Supercomputer Operations Social Networking Web Server DFW IT Service business network infrastructure Laptop Update Servers Hard Drives Enterprise Resource Planning Environment Virtual Desktop

Top Blog

Let's look at the definition of disaster. dis·as·ter A calamitous event, especially one occurring suddenly and causing great loss of life, damage, or hardship, as a flood, airplane crash, or business failure.To Telesys Voice and Data, a disaster is anything that involves a major loss of data or major downt...