Home

About Us

IT Services

Electronic Security

Knowledge Center

News & Events

Blog

Support

Contact Us

Prosper IT
  • Register

Prosper Solutions Blog

Phishing Attacks Are Besting Two-Factor Authentication--Now What?

Phishing Attacks Are Besting Two-Factor Authentication--Now What?

What has proven to be one of the more effective ways of preventing phishing attacks may be under fire from more advanced threats designed specifically to penetrate the defenses of two-factor authentication. This means that users need to be more cognizant of avoiding these attacks, but how can you help them make educated decisions about this? Let’s start by discussing the phishing attacks that can beat 2FA.

How Has Two-Factor Authentication (2FA) Been Defeated?

There are several methods used by hackers to bypass the security benefits of 2FA. Some phishing attempts have managed to find success in convincing users to have over both their credentials and the 2FA code that is generated by a login attempt. As reported by Amnesty International, one group of hackers has been sending out phishing emails that link the recipient to a convincing fake page to reset their Google password. Sometimes fake emails can be quite convincing, making the trickery much more difficult to identify.

As Amnesty International looked into the attacks, they found that the attacks were using an automated solution to launch Chrome and submit information the user entered into their end. This meant that the 30-second time limit imposed by 2FA was of no concern.

In November 2018, an application on a third-party app store posed as an Android battery utility tool was found to be stealing funds from a user’s PayPal account. The application would change the device’s Accessibility settings to enable an accessibility overlay feature. Once it was in place, the user’s clicks would be mimicked, giving hackers the ability to send funds to their own PayPal account.

Yet another method of attack was shared publicly by Piotr Duszynski, a Polish security researcher. This method, named Modlishka, created a reverse proxy that intercepted and recorded credentials as the user attempted to plug them into an impersonated website. Modlishka would then send the credentials to the real website to hide the fact that the user’s credentials were in fact stolen. Even worse yet, if the person using Modlishka is nearby, they can steal the 2FA credentials and use them very quickly.

Protect Yourself Against 2FA Phishing Schemes

The first step toward preventing 2FA phishing attacks is to make sure you actually have 2FA implemented in the first place. While it might not seem like much of a help (after all, these attacks are designed to work around them), it is much preferable to not having 2FA at all. The most secure method of 2FA at the moment uses hardware tokens with U2F protocol. Most important of all, however, is that your team needs to be trained on the giveaway signs of phishing attacks. With these attempts that target 2FA solutions, it might not be immediately apparent, which is why it’s all the more important to remain vigilant.

At its heart, 2FA phishing is just like regular phishing, plus an additional step to bypass or replicate the secondary authentication method. Here are a few tips to ensure best practices are followed regarding phishing attempts:

  • First, check to make sure that the website you’re using is actually the one it claims to be. For example, if you’re logging in to your Google account, the login URL wouldn’t be something like logintogoogle.com. You wouldn’t believe how often spoofers will fool users in this way.
  • To help you better understand other signs of phishing attacks, check out this phishing identification skills quiz by Alphabet, Inc. We encourage your staff also look into it.

To learn more about phishing attacks, be sure to subscribe to our blog.

Tip of the Week: Using Cloud Services for Your Bus...
Interpreting Analytics Isn’t Always Cut and Dry
 

Comments

No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Guest
Tuesday, April 23, 2019

Captcha Image

Mobile? Grab this Article!

QR-Code dieser Seite

Tag Cloud

Office Tips Network Security Advertising Tip of the week Assessment Holiday Password Tech Terms Managed Service Social Virtualization Employer-Employee Relationship Smartphones Google Drive Windows 7 Integration Malware Saving Money uptime Directions Language Alert Backup Downloads Comparison Antivirus Analytics Text Messaging Bring Your Own Device Managed Service Provider Google Calendar Mobile Security Cooperation Business Cards A.I. Access Bata Backup VPN Apps IT Management Keyboard Tablets Startup Business Intelligence PDF Avoiding Downtime Wireless Redundancy Best Practice IT Taxes Supercomputer Budget Privacy Fileless Malware Fleet Tracking Employer Employee Relationship Analytic Read Unified Threat Management Multi-factor Authentication WannaCry IBM Television Security Cameras Computer Repair Freedom of Information Business Google Wallet Entrepreneur Information Fraud Identity Theft Politics Reading Managed IT Service Productivity Music Managing Stress 3D Printing Going Green Gamification IT Plan Sports Access Control Health Upload User Tips Laptop Workplace Tips Solutions Business Continuity Best Practices Bitcoin Network Management Worker Micrsooft Ransomware Software License Migration Statistics outsource cloud storage Connected Devices clout services End of Support Notifications Google Maps Tip of the Week Microsoft 365 Business Computing Paperless Office HIPAA IT service Environment Drones Meetings Intranet Presentation Mobile Technology Upgrade App Printer IT Services Legal Microsoft Distribution Health IT Permissions Web Server Recovery Fiber-Optic Apple Technology Project Management Regulation Work/Life Balance Digital Payment Android Website Windows Server 2008 Business Metrics Net Neutrality Internet of Things Inbound Marketing Equifax G Suite Network Congestion Outsourced IT Google Play Big data Outlook Corporate Profile Samsung WiFi Evernote Proactive IT Username Downtime Healthcare How To Law Enforcement Wi-Fi Computing Infrastructure Administrator DDoS Router Transportation Software as a Service Windows 10 Saving Time Quick Tips Internet Cortana Managed IT Tech Support Printers communications hardware Patching Spyware Touchscreen Augmented Reality Congratulations Automation cloud switches Processing Staffing Proxy Server Computers Data Loss Virtual Assistant Data Protection CrashOverride Hard Drive Disposal cloud storage Digital Signature Computer Care Gadgets Networking Productivity Dark Web GDPR Telephone System Hard Drive Mobile Payment In Internet of Things Artificial Intelligence Backup and Disaster Recovery Professional Services Google Rapid City Workers Botnet Data Analysis Productuvuty Two-factor Authentication Enterprise Resource Planning Trending Telephone Operating System Wireless Headphones Business Management Domains Data Save Time Knowledge Webcam Money Electronic Payment Data Management Writing Hard Drives Travel Solid State Drive Tech SSID Flash BYOD Business Growth Data storage Trends Processors Devices Accountants Rental Service Telephone Systems Emails Public Cloud Education Social Media Modem Human Resources Update Documents UTM Marketing Hackers Processor IT Support Reliable Computing Navigation Black Market Best Available Fake News Audit Compliance News Thank You Banking Machine Learning the Internet of Things Database Windows 10 Bluetooth SaaS Unified Communications Logistics Emergency Term YouTube Scalability Information Technology Collaboration Lithium-ion battery Customer Resource management Private Cloud Digital Chamber outsource cloud computing Encryption Mobile Device Management Mobile Device Data Security Tactics Medical IT Data Breach Blockchain Hacks Save Money PowerPoint Managed IT services Hosted Solutions Facebook Government Start Menu Messenger IT consulting Maintenance Hosted Solution Social Network Miscellaneous Streaming Media Social Networking Training Books Piracy Tablet Asset Tracking IT Support Monitors Cost Innovation Microsoft Office Chrome Business Mangement Value Company Culture User Tip Excel Storage Entertainment Computer Accessories Help Desk email scam Wireless Technology Consultation Business Owner Managed IT Services User Windows XP Firewall Uninterrupted Power Supply Phone System Efficiency Hacker CIO Hiring/Firing Virus Telephony USB Addiction Heating/Cooling Computing Social Engineering Browsers Cost Management Experience Printing eWaste Microsoft Excel Cleaning LiFi Finance Specifications Upgrades Office 365 Unified Threat Management Technology Tips Disaster Vendor Mangement Relocation Management User Error Licensing Nanotechnology IT Consultant Virtual Desktop Vendor Management Customer Service Communication IP Address Windows 8 SharePoint Microchip Remote Computing Automobile Shortcut Settings Mobility Windows cyber security Spam Smart Tech VoIP Google Docs Content Filtering Network Vulnerabilities Vendor Software Computer Time Management Websites Error Remote Monitoring Download Data Recovery Citrix Xenapp Product Reviews Electricity Society Legislation Capital Business Technology Small Business Programming Bookmark Deep Learning Scam Retail Computer Malfunction Regulations Securty Robot HTML Current Events MSP Disaster Recovery Patch Management Content Cache Word Search Security Troubleshooting Tech Term Document Management Cryptocurrency Vulnerability Server Safety iPhone Twitter Phishing Displays Electronic Medical Records Flexibility Mobile Computing VoIP Customer Relationship Management Gaming Console Office Mobile Devices Device security File Sharing Multi-Factor Security Pain Points Users Smartphone Competition Data Warehousing Applications Distributed Denial of Service Cybersecurity Screen Reader Email Public Speaking Bandwidth History Hacking Visible Light Communication Administration Voice over Internet Protocol Desktop Monitoring cloud computing Gmail Mouse Hack Data Backup CCTV Virtual Reality Co-Managed IT Running Cable Service Level Agreement Skype Chromebook Tracking Passwords Cabling Browser Application Teamwork Sync Windows10 BDR Motion Sickness Risk Management Physical Security Memory Cybercrime Conferencing

Latest News & Events

Prosper Solutions is proud to announce the launch of our new website at http://www.prospersolutions.com. The goal of the new website is to make it easier for our existing clients to submit and manage support requests, and provide more information about our ser...

Contact Us

Learn more about what Prosper Solutions can do for your business.

Call Us Today
Call us today
(617) 369-9977

150 Eastern Ave, Second Floor
Chelsea, Massachusetts 02150