Contact us today!
(800) 588-4430

Telesys Voice and Data Blog

Telesys Voice and Data has been serving the Richland Hills area since 1994, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

With Phishing Attacks Beating 2FA, You Need to Be Able to Spot Them

With Phishing Attacks Beating 2FA, You Need to Be Able to Spot Them

Unfortunately, one of the most effective defenses against phishing attacks has suddenly become a lot less dependable. This means that you and your users must be ready to catch these attempts instead. Here, we’ll review a few new attacks that can be included in a phishing attempt, and how you and your users can better identify them for yourselves.

How Has Two-Factor Authentication (2FA) Been Defeated?

There are a few different methods that have been leveraged to bypass the security benefits that 2FA is supposed to provide.

On a very basic level, some phishing attacks have been successful in convincing the user to hand over their credentials and the 2FA code that is generated when a login attempt is made. According to Amnesty International, one group of hackers has been sending out phishing emails that link the recipient to a convincing, yet fake, page to reset their Google password. In some cases, fake emails like this can look very convincing, which makes this scheme that much more effective.

As Amnesty International investigated these attacks, they discovered that the attacks were also leveraging automation to automatically launch Chrome and submit whatever the user entered on their end. This means that the 30-second time limit on 2FA credentials was of no concern.

In November 2018, an application on a third-party app store disguised as an Android battery utility tool was discovered to actually be a means of stealing funds from a user’s PayPal account. To do so, this application would alter the device’s Accessibility settings to enable the accessibility overlay feature. Once this was in place, the user’s clicks could be mimicked, allowing an attacker to send funds to their own PayPal account.

Another means of attack was actually shared publicly by Piotr Duszyński, a Polish security researcher. His method, named Modlishka, creates a reverse proxy that intercepts and records credentials as the user attempts to input them into the impersonated website. Modlishka then sends the credentials to the real website, concealing its theft of the user’s credentials. Worse, if the person leveraging Modlishka is present, they can steal 2FA credentials and quickly leverage them for themselves.

How to Protect Yourself Against 2FA Phishing

First and foremost, while it isn’t an impenetrable method, you don’t want to pass up on 2FA completely, although some methods of 2FA are becoming much more preferable than others. At the moment, the safest form of 2FA is to utilize hardware tokens with U2F protocol.

Even more importantly, you need your entire team to be able to identify the signs of a phishing attempt. While attacks like these can make it more challenging, a little bit of diligence can assist greatly in preventing them.

When all is said and done, 2FA fishing is just like regular phishing… there’s just the extra step of replicating the need for a second authentication factor. Therefore, a few general best practices for avoiding any misleading and malicious website should do.

First of  all, you need to double-check and make sure you’re actually on the website you wanted to visit. For instance, if you’re trying to access your Google account, the login url won’t be www - logintogoogle - dot com. Website spoofing is a very real way that (as evidenced above) attackers will try to fool users into handing over credentials.

There are many other signs that a website, or an email, may be an attempt to phish you. Google has actually put together a very educational online activity on one of the many websites owned by Alphabet, Inc. Put your phishing identification skills to the test by visiting https://phishingquiz.withgoogle.com/, and encourage the rest of your staff to do the same!

For more best practices, security alerts, and tips, make sure you subscribe to our blog, and if you have any other questions, feel free to reach out to our team by calling (800) 588-4430.

Comments

 
No comments yet
Already Registered? Login Here
Guest
Wednesday, 24 April 2019
If you'd like to register, please fill in the username, password and name fields.

Captcha Image

Free Consultation

Sign up today for a
FREE Network Consultation

How secure is your IT infrastructure?
Let us evaluate it for free!

Sign up Now!

Free Consultation
 

Tag Cloud

Security Tip of the Week Technology Cloud Best Practices Business Computing Hackers Malware Privacy Business Productivity Email Microsoft Hosted Solutions Software Internet Windows 10 Network Security IT Services Backup Computer Managed Service Provider Ransomware Innovation Mobile Devices Android Smartphone Hardware Outsourced IT Productivity User Tips Data Backup Google Managed IT services Social Media Business Continuity Browser IT Support Disaster Recovery Workplace Tips Efficiency Communication Data Recovery Upgrade Business Management Data Cloud Computing Smartphones Small Business App Data Management Office Remote Monitoring Managed IT Services Holiday Internet of Things Microsoft Office Server Office 365 Windows Miscellaneous WiFi Facebook Network Phishing Encryption Save Money Paperless Office IT Support Artificial Intelligence Spam Gmail Passwords Big Data Tech Term Hosted Solution Robot Recovery communications Password VoIP Employer-Employee Relationship Risk Management Customer Relationship Management Bandwidth Firewall Unified Threat Management Apps Compliance Tip of the week Government Customer Service Mobile Device Management Money Cybersecurity Wi-Fi Office Tips Work/Life Balance Saving Money Remote Computing Collaboration Analytics Vendor Management Word Hacker Chrome Infrastructure Apple Avoiding Downtime Content Filtering Document Management How To Virtual Reality Tech Support Social Vulnerability Website SaaS Downtime BYOD Data Security Operating System Applications Two-factor Authentication Presentation Settings Business Growth IT Management File Sharing The Internet of Things Computers Outlook Mobile Device Antivirus Project Management Automation Alert Managed IT Business Technology Data loss Printing BDR Education Data storage Computing Health Cybercrime Windows 10 Telephone Systems Hacking Mobile Computing Wireless Technology Competition Training Wireless Proactive Identity Theft Regulations Information Technology VPN Remote Monitoring and Management Automobile Upgrades Budget Humor YouTube Net Neutrality Unified Communications End of Support Virtual Private Network Assessment Mouse Server Management Analyitcs Smart Technology Licensing LiFi HIPAA Software as a Service Digital Payment Legal Router Mobile Security Maintenance Twitter Specifications Augmented Reality Politics Monitors Travel IBM Running Cable Google Drive User Websites Physical Security Going Green Tablet Taxes Bring Your Own Device Retail Search Botnet Sports Best Practice Samsung IT service Lithium-ion battery Cortana Virtualization Business Owner Meetings Administration Storage Marketing IT solutions Computer Care Safety Healthcare Patch Management Scam Favorites Internet Protocol Drones Consumers flu shot Employees Point of Sale Permissions Solid State Drive Cost Management Networking Flexibility Bitcoin How To Google Calendar Experience Error Conferencing VoIP streamlines Heating/Cooling Fort Worth IT Zero-Day Threat eWaste Fraud Hard Disk Drive Management Operations Windows 8 Firefox Legislation Supercomputer IT Sevices Domains Update business network infrastructure Social Networking Servers DFW IT Service Help Desk Backup and Disaster Recovery Web Server Environment 5G Entrepreneur Enterprise Resource Planning WPA3 Techology Wearable Technology IT Budget Administrator Application 3D Printing Public Speaking Chromebook data services Motherboard Users Procurement Cameras Troubleshooting Internet Exlporer Law Enforcement Network Congestion Mobile Mail Merge Fleet Tracking Disaster Resistance Consultation Unsupported Software Emoji Statistics Distributed Denial of Service Software Tips Remote Worker CCTV Phone System Gadget Display Company Culture Address Asset Tracking Proactive IT Hacks IT Technicians Technology Tips Laptop Hard Drives Mobile Data Modem Bluetooth Managed IT Service Virtual Desktop Virtual Assistant Hotspot Corporate Profile User Error Vulnerabilities Redundancy Remote Workers IT Consulting Current Events Mirgation Quick Tips Comparison Halloween Refrigeration G Suite Processors Cookies Break Fix History Voice over Internet Protocol Language Deep Learning WannaCry Printer Fun Geography Information Data Breach Migration Time Management Black Friday Scary Stories Motion Sickness Cabling Google Docs Nanotechnology Dark Web iPhone Computing Infrastructure Access Control Staffing Writing Cables Personal Information Electronic Health Records Technology Laws Chatbots Network Management Cyber Monday Undo IT Consultant IP Address IoT Data Warehousing Wires Lenovo Alerts Alt Codes VoIP SharePoint GPS Machine Learning Social Engineering Computer Repair Cyberattacks Unified Threat Management Identity Touchscreen flu season Google Maps Microsoft Excel Disaster Cleaning Mobile Office Notifications Utility Computing Shortcut Managed Service Superfish Cooperation Typing Digital Downloads Tracking Relocation Electronic Medical Records Bookmarks business communications systems Google Wallet Fort Worth Buisness Webcam Blockchain Uninterrupted Power Supply PowerPoint Crowdsourcing Dark Data MSP Staff Cryptocurrency Spyware Multi-Factor Security Knowledge Private Cloud

Top Blog

Let's look at the definition of disaster. dis·as·ter A calamitous event, especially one occurring suddenly and causing great loss of life, damage, or hardship, as a flood, airplane crash, or business failure.To Telesys Voice and Data, a disaster is anything that involves a major loss of data or major downt...
QR-Code