Earlier this year, we posted a blog on Two-Factor Authentication (2FA). In it, we shared that while 2FA is certainly a best practice for corporate network security, it mainly protects against phishing attacks aimed at credential stealing, and just like the best practice of employee cyber awareness training, it is just one part of overall anti-phishing protection strategies.
We hear about 2FA quite frequently when engaging with prospects and customers… “We’re protected with 2FA” or “We’re safe. We have 2FA.” And yet, we know that 2FA can be evaded (or invaded!) by hackers in multiple ways, and it also fails to protect against other types of phishing threats, including scareware, social engineering scams, rogue software, and phishing exploits via weaponized documents. We repeatedly encounter phishing schemes that have successfully bypassed two-factor authentication or multi-factor authentication (MFA). Here are four examples:
- Man-in-the-Browser (MitB) attacks. Many organizations with 2FA believe they’re protected from phishing because even if an individual’s log-in credentials were stolen, only the authorized party can access and use the second factor in a 2FA log-in sequence. They also think it’s ok for their employees to use browser extensions that make them more productive, such as specialized ad blockers or file viewers or converters. These extensions often have legitimate business functionality, but some also have a side business, and that’s the reason they are free. Their hidden functionality is to act as Man-in-the-Middle spyware in order to scrape, use, or sell data, which can include capturing second-factor log-in info, or data that is accessed during that browser session. A browser extension offers bad actors the perfect workaround for organizations that rely heavily on 2FA. By design, when a browser extension is installed, it has access to the complete canvas of the browser. This allows it to monitor the session and capture whatever is being rendered on the computer screen. These extensions can have the power to see a lot of what the user is doing and capture whatever is within that browser window. At SlashNext, we regularly see malicious browser extensions that merely wait for the 2FA to complete. For example, a user logs into a ServiceNow Management Portal; once 2FA is complete, the browser extension starts collecting and secretly transmitting data to a C2 server, exposing important business data to bad actors. With bad actors waiting for the user to log in legitimately before they start scraping data from the browser, 2FA or MFA ceases to be a viable security option to protect organizations.
- Technical support scams. In addition to rogue browser extensions and MitB attacks, technical support scams are another way to get around 2FA security protocols. We’ve seen technical support phishing scams that successfully convince users to install TeamViewer, LogMeIn, or some other software that allows remote log-in. A fake scan is then performed, and the TeamViewer session is left open so it can be sold on to others. In this case a scammer has installed a functioning backdoor on a device which is not malware, but provides full backdoor capability. Access to these compromised machines is then sold on the Dark Web, and even best-of-breed AV will not find them, nor will 2FA have prevented the phishing scheme from accomplishing its goal and compromising the machine.
- Fake 2FA pages or pop-ups. Phishing threat actors are so sophisticated today that they can easily emulate the authentication websites themselves. Unsuspecting users are presented a login experience that looks just like their normal 2FA experience but is actually a fake site that captures their authentication codes and user credentials. While the actual session token is not compromised, the user is tricked into providing additional security credentials or qualifying data that they might normally provide in a password recovery experience. This data can then be used by bad actors to access one or more corporate systems.
- Scareware. Scareware is another way that phishing threat actors can obtain the credentials they need to subvert 2FA solutions. Security alerts that look like they come from legitimate providers prompt users to reset passwords due to a ‘security threat or breach’. This scareware tactic has been found in use recently targeting journalists and activists in the Middle East and North Africa. In this case, hundreds of Google and Yahoo accounts were targeted and the result was the successful bypassing of 2FA security protocols.
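One defensive check that follows from the MitB item above: inventory the browser extensions installed in a profile and flag the permission sets that let an extension read or rewrite an authenticated session (the window after 2FA completes). This is an added example, not SlashNext code; the permission names are the real Chromium manifest keys, the risk ranking and the sample manifests are this example's own assumptions, and the `Extensions/<id>/<version>/manifest.json` layout is Chrome's profile layout.

```python
"""Audit Chrome/Edge extension manifests for permissions that give an
extension broad access to page content or session state."""
import json
from pathlib import Path

# Real Chromium permission names; which ones count as "high risk" for a
# 2FA-protected session is an assumption made for this example.
HIGH_RISK = {
    "<all_urls>": "runs on every site, including the 2FA-protected portal",
    "webRequest": "can observe requests/responses, incl. auth flows",
    "webRequestBlocking": "can rewrite requests/responses",
    "cookies": "can read session cookies",
    "clipboardRead": "can read the clipboard (pasted OTP codes)",
    "tabs": "can read URLs/titles of all open tabs",
    "scripting": "can inject scripts into pages",
    "debugger": "DevTools-level access to pages",
}

def assess_manifest(manifest: dict) -> dict:
    """Return the extension name plus the high-risk permissions it requests."""
    requested = set(manifest.get("permissions", []))
    requested |= set(manifest.get("host_permissions", []))  # MV3 host grants
    # MV2 keeps host patterns in "permissions"; catch wildcard hosts there too.
    broad_hosts = {p for p in requested
                   if p.startswith(("*://", "http://*", "https://*"))}
    flagged = {p: HIGH_RISK[p] for p in requested if p in HIGH_RISK}
    for host in broad_hosts:
        flagged[host] = "wildcard host pattern; runs on many sites"
    return {"name": manifest.get("name", "?"), "flagged": flagged,
            "score": len(flagged)}

def audit_profile(extensions_dir: Path) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json, riskiest first."""
    results = []
    for mf in extensions_dir.glob("*/*/manifest.json"):
        with open(mf, encoding="utf-8") as f:
            results.append(assess_manifest(json.load(f)))
    return sorted(results, key=lambda r: -r["score"])

# Constructed sample manifests (not real extensions) so the audit runs offline.
SAMPLE_AD_BLOCKER = {"name": "Sample Ad Blocker", "manifest_version": 3,
                     "permissions": ["webRequest", "scripting", "storage"],
                     "host_permissions": ["<all_urls>"]}
SAMPLE_NOTEPAD = {"name": "Sample Notepad", "manifest_version": 3,
                  "permissions": ["storage"]}

if __name__ == "__main__":
    for m in (SAMPLE_AD_BLOCKER, SAMPLE_NOTEPAD):
        r = assess_manifest(m)
        print(f"{r['name']}: {r['score']} high-risk permission(s) {sorted(r['flagged'])}")
```

Point `audit_profile()` at a real profile's `Extensions` directory to rank what is actually installed; an ad blocker legitimately needs broad host access, so the output is a review queue for an allowlist, not a verdict.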
These are just a few of the new kinds of phishing schemes that are being used to bypass or defeat security protections normally provided by 2FA. When we hear from IT security pros that, “We have 2FA, we’re protected,” we know otherwise and do our best to explain how and where they still have risks.
As 2FA and MFA were devised to help protect against unauthorized user log-ins, threat actors continue to develop new approaches to phish users, access second-factor credentials, spy on browser activity, and compromise machines. As an anti-phishing specialist, SlashNext offers SEER™ threat detection technology and Real-Time Phishing Threat Intelligence that cover all six major categories of phishing and social engineering threats, not just fake log-in pages used for credential stealing.
See what phishing threats you’re missing. Try SlashNext Real-Time Phishing Threat Intelligence free for 15 days.