Security professionals are quick to laud Two-Factor Authentication (or 2FA) and think their organization is protected from common schemes like credential stealing or login theft just by having it in place. But 2FA can be intercepted by hackers in multiple ways and fail to protect against numerous other types of phishing threats including scareware, social engineering scams, rogue software, and phishing exploits via weaponized documents. While this two-step security approach is certainly something that any cybersecurity expert would advocate, it merely makes more determined cybercriminals employ a sophisticated two-step phishing attack to outwit it – one site to capture usernames and passwords, and another phishing site to capture the additional 2FA code.
Tools for hackers to accomplish phishing success against 2FA have even been made public, indicating that savvy, sophisticated phishing scammers are already one-step ahead of this best practice and passing on their instruments of crime to less accomplished phishers in training. While 2FA provides another layer of needed phishing security, it mainly protects against only credential stealing phishing, and does not protect against other types of phishing threats, so its only part of a larger recipe for success. We repeatedly encounter phishing schemes that have successfully overcome two-factor authentication or multi-factor authentication (MFA), and have identified the top four below.
Man-in-the-Browser (MitB) attacks
Many organizations with 2FA think they’re protected from phishing even if an individual’s log-in credentials were stolen. They mistakenly believe this because they think only the authorized party can access and use the second factor in a 2FA log-in sequence. They also think it’s ok for their employees to use browser extensions for productivity like specialized ad blockers or file viewers or converters. These extensions often have legitimate business functionality, but some also have a side business – and that’s the reason they are free. Their hidden functionality is to act as a Man-in-the-Middle spyware in order to scrape, use, or sell data, which can include capturing second factor log-in info, or data that is accessed during that browser session.
A browser extension offers bad actors the perfect workaround for organizations that rely heavily on 2FA. By design, when a browser extension is installed, it has access to the complete canvas of the browser. This allows it to monitor the session and capture whatever is being rendered on the computer screen. These extensions can have the power to see and capture everything the user is doing within that browser window. We regularly see malicious browser extensions that merely wait for the 2FA to complete. For example, a user logs into a ServiceNow Management Portal, once 2FA is complete, the browser extension starts collecting and secretly transmitted data to a C2 server—exposing important business data to bad actors. With bad actors waiting for the user to log-in legitimately before they start scraping data from the browser, 2FA or MFA ceases to be a viable standalone security option to protect organizations.
Technical support scams
Technical support scams are another way to get around 2FA security protocols, and can successfully convince users to install a TeamViewer or some other LogMeIn software that can log in remotely. A fake scan is then performed, and the TeamViewer session is left open so it can be sold on to others. In this case a scammer has installed a functioning backdoor on a device, which is not malware, but provides full backdoor capability. Access to these compromised machines are then sold on the Dark Web, and even best-of-breed AV will not find them, nor will 2FA have prevented the phishing scheme from accomplishing its goal and compromising the machine.
Fake 2FA pages or pop-ups
Phishers are so sophisticated that they easily emulate legitimate authentication websites themselves. Unsuspecting users are presented a login experience that looks just like their normal 2FA experience but is a fake site that captures their authentication codes and user credentials. The actual session token is not compromised, but the user is tricked into providing additional security credentials or qualifying data they might normally provide in a password recovery experience. This data can then be used by bad actors to access one or more corporate systems.
Scareware is another way that phishing threat actors can obtain the credentials they need to subvert 2FA solutions. Security alerts that look like they come from real providers prompt users to reset passwords due to a ‘security threat or breach’. This scareware tactic has been found in use recently targeting journalists and activists in the Middle East and North Africa. In this case, hundreds of Google and Yahoo accounts were targeted and the result was the successful bypassing of 2FA security protocols.
Two-Factor Authentication is Just One Part of a Layered Phishing Defense
While 2FA and MFA were devised to help protect unauthorized user logins, threat actors continue to develop new approaches to phish users, access second factor credentials, spy on browser activity, and compromise machines. Staying ahead of phishing attacks will forever be an uphill battle, so organizations should ensure they use best practices and deploy multiple tools that protect their employees and networks against these attacks in real-time.
Training employees to identify phishing scams and attacks is one that we always recommend with a caution, since no amount of training will ever be 100 percent effective against phishing attacks. No matter how much education companies put into making their employees phishing savvy, or how secure a company’s IT security platform is, hackers only need to obtain a single employee’s credentials to gain access to a corporate network.
Rather than just implement ad hoc cybersecurity best practices, it’s best to conduct a thorough audit and ask yourselves some hard questions. What is your current security infrastructure look like today? What security awareness training programs are in place? How are you positioned to deal with a breach? What changes can you make that will improve your defense against sophisticated phishing threats? It’s important to conduct an audit now, so you can better understand where the gaps in security are and get in front of them.
Atif Mushtaq has spent most of his career on the front lines of the war against cybercrime. Before founding SlashNext, he spent nine years as a senior scientist at FireEye where he was one of the main architects of its core malware detection system. Mushtaq has worked with law enforcement and other global agencies to take down some of the world’s biggest malware networks including Rustock, Srizbi, Pushdo and Grum botnets.