Two-factor authentication (2FA) is supposed to make logins more secure. Using 2FA requires two private pieces of information to log in: your password and one other factor, typically a code received via text message. The challenge is that the more secure the approach seems, the less attention you pay while logging in. And therein lies the problem.
According to an article on ITPro this week, “A security researcher has released a tool that can bypass a host of 2FA schemes widely used across platforms such as Gmail and Yahoo.
When deployed, the tool places a server named Modlishka between a phishing target and a secure platform such as Gmail, which phishing victims unwittingly connect to in order to enter login details. In a hypothetical phishing campaign, a targeted user would encounter a malicious email containing a link to the proxy server mimicking a Google login procedure. The user would then enter their username and password, and then the 2FA code, all of which would be collected and held on the proxy server.”
In other words, this man-in-the-middle attack on two-factor authentication can steal not only your password but your 2FA code as well.
It all depends on convincing you that the fake website you’re actually logging into is real.
There’s virtually no chance that a normal user will be able to distinguish the fake website from the real one, and they will therefore proceed to log in without giving it a second thought. That’s why it has become imperative to take advantage of existing technology to do the heavy lifting users won’t.
Today there exists inexpensive and easy-to-deploy cloud-based technology to protect users from these advanced phishing techniques. It works in the background to keep users safe.
The technology used to protect users is called “real-time link scanning.” It not only scans emails for malicious embedded links but, more importantly, scans the web pages to which those links point to see if they’re fake.
Linked-to websites are scanned for:
- page size,
- domain name,
- on-page content, as well as
- hidden fields and
- JavaScript with injection code.
The websites are also compared to Fortune 5000 websites, bank websites and other frequently-used websites. They are checked for elements copied from those authentic sites to make the page look like a clone. The information is then used to develop a decisioning score for how likely those elements are to indicate a malicious website.
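As an added illustration (not code from the article or from any scanning product it refers to), here is a toy version of that decisioning score in Python: it parses a fetched login page and scores the domain, visible branding, form target and hidden-field signals the article lists against a small constructed brand allowlist.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist for the example: brand keyword -> domains that
# legitimately serve that brand's login page (a real list would be far larger).
KNOWN_BRANDS = {"google": ("google.com",), "yahoo": ("yahoo.com",)}

class _PageFeatures(HTMLParser):
    """Collect the on-page signals the scoring function looks at."""
    def __init__(self):
        super().__init__()
        self.hidden_fields = 0          # <input type="hidden"> count
        self.form_hosts = set()         # hosts that forms post to
        self.script_chars = 0           # size of inline JavaScript
        self.text = []                  # visible text, lower-cased
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "hidden":
            self.hidden_fields += 1
        elif tag == "form" and urlparse(a.get("action", "")).hostname:
            self.form_hosts.add(urlparse(a["action"]).hostname.lower())
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        if self._in_script:
            self.script_chars += len(data)
        else:
            self.text.append(data.lower())

def score_page(url, html):
    """Return (score 0-100, reasons); higher means more likely a clone."""
    host = (urlparse(url).hostname or "").lower()
    p = _PageFeatures()
    p.feed(html)
    text = " ".join(p.text)
    score, reasons = 0, []
    for brand, domains in KNOWN_BRANDS.items():
        # Brand shown on a page served from a host the brand does not own
        if brand in text and not any(host == d or host.endswith("." + d) for d in domains):
            score, reasons = score + 50, reasons + [f"'{brand}' branding on {host}"]
    foreign = sorted(h for h in p.form_hosts if h != host)
    if foreign:  # credentials would be posted away from the page's own host
        score, reasons = score + 30, reasons + [f"form posts to {foreign}"]
    if p.hidden_fields > 3:
        score, reasons = score + 10, reasons + [f"{p.hidden_fields} hidden inputs"]
    if p.script_chars > 2000:
        score, reasons = score + 10, reasons + ["large inline script"]
    return min(score, 100), reasons
```

The thresholds and weights are arbitrary placeholders; a production scanner would tune them against labelled pages and add the page-size comparison the article mentions.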
With the release of this tool, it’s clear that using 2FA is no longer sufficient to protect you from phishing attacks. Users need the protection that only technology can provide. Make sure to get phishing prevention so you can quickly and inexpensively protect yourself and your users from 2FA-bypassing and many other phishing attacks.