This blog post was originally published at www.keepnetlabs.com.
A Phishing Attack Bypasses Two-Factor Authentication
In the early years of information technology, passwords were adopted as the way to protect information, and they appeared to be the best solution for managing access to systems and data. However, in today's digitalised world, organisations cannot perpetually monitor their users to make sure they follow best practices. Many people use weak passwords, or reuse the same or similar passwords across their different accounts, and fall victim to phishing scams.
Multi-factor authentication (MFA) is a method of access control in which a user is granted access only after successfully presenting at least two separate pieces of evidence to an authentication mechanism, typically from two of the following categories: (a) knowledge (something they know), (b) possession (something they have), and (c) inherence (something they are).[1]
Nevertheless, protecting an account with MFA does not mean everything is secure. Security researchers have demonstrated an automated phishing attack that can defeat two-factor authentication (2FA) by tricking users into handing over their credentials.
As stated in a post by Fortune,[2] “The attack was first demonstrated at the Hack in the Box Security Conference in Amsterdam last month. A video of the presentation was posted on YouTube on June 2, bringing renewed attention to how hackers are getting better at penetrating extra layers of security, despite people using stronger tools, like 2FA.”
Two tools are used for the attack: Muraena and NecroBrowser, which work together to automate it. Muraena intercepts the traffic between the user and the target website, acting as a proxy between the victim and the real site. Once Muraena has the victim on a fake website that looks like the real login page, the user is asked to enter their login credentials as well as the 2FA code. Once Muraena validates the session cookie, it passes the cookie along to NecroBrowser, which can open browser windows to keep track of the private accounts of tens of thousands of victims.[3]
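Because the kit described above relays the victim's password and 2FA code to the real site in real time and then reuses the resulting session cookie from its own infrastructure, the one-time code itself offers the server nothing to detect. What the server can still see is the cookie's behaviour after login: it was issued to one client and is then presented by another, and, assuming the proxy submits the login from its own address, one source address completes logins for many different accounts in a short time. The following is an added example written for this post, not code from Keepnet Labs, Muraena or NecroBrowser, showing both checks over constructed log records; the event fields, account names, IP addresses (documentation ranges) and user-agent strings are all assumptions.

```python
"""Flag session cookies replayed by a client other than the one that completed
the 2FA login, and source addresses that authenticate many accounts at once.
Added example; the log format and all sample values below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    account: str
    session: str     # identifier of the session cookie (hash it in a real log)
    ip: str
    user_agent: str
    kind: str        # "login_ok" (password + OTP accepted) or "request"


T = datetime(2019, 6, 3, 9, 0)
UA_VICTIM = "Mozilla/5.0 (Windows NT 10.0) Firefox/67.0"
UA_BOT = "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/75.0"
PROXY_IP = "203.0.113.10"     # constructed: host relaying the victims' logins
REPLAY_IP = "198.51.100.7"    # constructed: host later presenting the cookies

# Constructed sample log.  alice is a normal user who changes network mid-session;
# bob, carol and dave log in through the relay and their cookies are then reused
# from a different host with a different browser.
SAMPLE_EVENTS = [
    AuthEvent(T, "alice", "s-alice", "192.0.2.5", UA_VICTIM, "login_ok"),
    AuthEvent(T + timedelta(minutes=5), "alice", "s-alice", "192.0.2.5", UA_VICTIM, "request"),
    AuthEvent(T + timedelta(minutes=40), "alice", "s-alice", "192.0.2.99", UA_VICTIM, "request"),
    AuthEvent(T + timedelta(minutes=1), "bob", "s-bob", PROXY_IP, UA_VICTIM, "login_ok"),
    AuthEvent(T + timedelta(minutes=3), "bob", "s-bob", REPLAY_IP, UA_BOT, "request"),
    AuthEvent(T + timedelta(minutes=4), "carol", "s-carol", PROXY_IP, UA_VICTIM, "login_ok"),
    AuthEvent(T + timedelta(minutes=6), "carol", "s-carol", REPLAY_IP, UA_BOT, "request"),
    AuthEvent(T + timedelta(minutes=9), "dave", "s-dave", PROXY_IP, UA_VICTIM, "login_ok"),
    AuthEvent(T + timedelta(minutes=11), "dave", "s-dave", REPLAY_IP, UA_BOT, "request"),
]


def find_replayed_sessions(events, window=timedelta(hours=12)):
    """Return {session: ((login_ip, login_ua), (other_ip, other_ua))} for every
    session whose cookie is presented from BOTH a different IP and a different
    User-Agent than the ones recorded at login, within `window` of that login.
    Requiring both to differ keeps an ordinary network change (same browser,
    new address) from being flagged."""
    issued = {}   # session -> (login time, ip, user agent)
    hits = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "login_ok":
            issued[e.session] = (e.ts, e.ip, e.user_agent)
            continue
        origin = issued.get(e.session)
        if origin is None:
            continue    # cookie never seen being issued; out of scope here
        ts0, ip0, ua0 = origin
        if e.ts - ts0 <= window and e.ip != ip0 and e.user_agent != ua0:
            hits.setdefault(e.session, ((ip0, ua0), (e.ip, e.user_agent)))
    return hits


def find_login_fan_in(events, threshold=3, window=timedelta(minutes=30)):
    """Return {ip: [accounts]} for source addresses from which `threshold` or
    more distinct accounts completed a login inside any `window`-long span.
    A relay that authenticates on behalf of many victims shows up as one
    address for many accounts; shared corporate egress can too, so treat the
    result as an alert to review rather than an automatic block."""
    by_ip = defaultdict(list)
    for e in events:
        if e.kind == "login_ok":
            by_ip[e.ip].append((e.ts, e.account))
    suspicious = {}
    for ip, logins in by_ip.items():
        logins.sort()
        for t0, _ in logins:
            accounts = {a for t, a in logins if t0 <= t <= t0 + window}
            if len(accounts) >= threshold:
                suspicious[ip] = sorted(accounts)
                break
    return suspicious


if __name__ == "__main__":
    for session, (at_login, later) in find_replayed_sessions(SAMPLE_EVENTS).items():
        print(f"{session}: issued to {at_login}, later used from {later}")
    for ip, accounts in find_login_fan_in(SAMPLE_EVENTS).items():
        print(f"{ip}: logins for {len(accounts)} accounts: {', '.join(accounts)}")
```

Both checks are heuristics: a proxy can forward the victim's own User-Agent and the operator can choose addresses that look plausible for the account, so they are useful for alerting and for forcing re-authentication on sensitive actions, not as a substitute for phishing-resistant credentials.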
However, 2FA is still considered a security best practice, far better than relying on a username and a strong password alone. But people should be more careful about identifying phishing scams.
Note: A demonstration of the attack was also released on GitHub, an open-source code hosting site, so that developers can see how it works.
Phishing attacks are the hardest to stop
Phishing is the primary delivery method for other types of malicious software. A phishing scam is not only aimed at stealing information: phishing attacks are also used to distribute malicious programs such as ransomware, and email attachments remain the main delivery method for them. Moreover, 97% of users cannot identify a sophisticated phishing email, and according to the SANS Institute, 95% of all attacks on enterprise networks are the result of successful spear phishing.[4]
Furthermore, according to the 2019 Cyber Security Breaches Survey published by the UK government,[5] phishing is the most prevalent attack vector.
Figure 1. (Source: Cyber Security Breaches Survey 2019)