Get Started Today!  (415) 295-4898

croom new

415 IT Blog

With Phishing Attacks Beating 2FA, You Need to Be Able to Spot Them

With Phishing Attacks Beating 2FA, You Need to Be Able to Spot Them

Unfortunately, one of the most effective defenses against phishing attacks has suddenly become a lot less dependable. This means that you and your users must be ready to catch these attempts instead. Here, we’ll review a few new attacks that can be included in a phishing attempt, and how you and your users can better identify them for yourselves.

How Has Two-Factor Authentication (2FA) Been Defeated?

There are a few different methods that have been leveraged to bypass the security benefits that 2FA is supposed to provide.

On a very basic level, some phishing attacks have been successful in convincing the user to hand over their credentials and the 2FA code that is generated when a login attempt is made. According to Amnesty International, one group of hackers has been sending out phishing emails that link the recipient to a convincing, yet fake, page to reset their Google password. In some cases, fake emails like this can look very convincing, which makes this scheme that much more effective.

As Amnesty International investigated these attacks, they discovered that the attacks were also leveraging automation to automatically launch Chrome and submit whatever the user entered on their end. This means that the 30-second time limit on 2FA credentials was of no concern.

In November 2018, an application on a third-party app store disguised as an Android battery utility tool was discovered to actually be a means of stealing funds from a user’s PayPal account. To do so, this application would alter the device’s Accessibility settings to enable the accessibility overlay feature. Once this was in place, the user’s clicks could be mimicked, allowing an attacker to send funds to their own PayPal account.

Another means of attack was actually shared publicly by Piotr Duszyński, a Polish security researcher. His method, named Modlishka, creates a reverse proxy that intercepts and records credentials as the user attempts to input them into the impersonated website. Modlishka then sends the credentials to the real website, concealing its theft of the user’s credentials. Worse, if the person leveraging Modlishka is present, they can steal 2FA credentials and quickly leverage them for themselves.

How to Protect Yourself Against 2FA Phishing

First and foremost, while it isn’t an impenetrable method, you don’t want to pass up on 2FA completely, although some methods of 2FA are becoming much more preferable than others. At the moment, the safest form of 2FA is to utilize hardware tokens with U2F protocol.

Even more importantly, you need your entire team to be able to identify the signs of a phishing attempt. While attacks like these can make it more challenging, a little bit of diligence can assist greatly in preventing them.

When all is said and done, 2FA fishing is just like regular phishing… there’s just the extra step of replicating the need for a second authentication factor. Therefore, a few general best practices for avoiding any misleading and malicious website should do.

First of  all, you need to double-check and make sure you’re actually on the website you wanted to visit. For instance, if you’re trying to access your Google account, the login url won’t be www - logintogoogle - dot com. Website spoofing is a very real way that (as evidenced above) attackers will try to fool users into handing over credentials.

There are many other signs that a website, or an email, may be an attempt to phish you. Google has actually put together a very educational online activity on one of the many websites owned by Alphabet, Inc. Put your phishing identification skills to the test by visiting, and encourage the rest of your staff to do the same!

For more best practices, security alerts, and tips, make sure you subscribe to our blog, and if you have any other questions, feel free to reach out to our team by calling (415) 295-4898.

Tip of the Week: Match Word to Your Style
Analytics Can Fool You


No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Monday, June 01 2020

Captcha Image

By accepting you will be accessing a service provided by a third-party external to

Mobile? Grab this Article!

Qr Code

Tag Cloud

Security Tip of the Week Productivity Technology Best Practices Business Computing Data Backup Data IT Support Privacy Network Security Hosted Solutions Cloud Data Recovery IT Services Software Efficiency Email Managed IT Services Internet Malware Outsourced IT Innovation Business Small Business Tech Term Hackers Cloud Computing Upgrade Business Management Microsoft Cybersecurity Collaboration User Tips Computer Windows 10 Phishing Mobile Devices Google Business Continuity Hardware Communication Managed Service Ransomware Workplace Tips VoIp Smartphones Android Managed Service Provider Backup Paperless Office Server Encryption Quick Tips Office 365 Communications Remote Monitoring Data Management Managed IT Disaster Recovery Mobile Device Internet of Things Network BDR Passwords Windows 7 Browser Holiday Wi-Fi Saving Money Healthcare Artificial Intelligence Vulnerability Business Technology Laptops Managed IT services Applications Save Money Help Desk Smartphone Government Social Media Facebook Document Management Remote Work Miscellaneous Compliance Automation Health Tip of the week Blockchain Vendor Management Information Microsoft Office Employer-Employee Relationship Avoiding Downtime Data Security Users Antivirus Virtualization Project Management Processor Bandwidth Two-factor Authentication Redundancy Scam VPN BYOD IoT Mobility Infrastructure Software as a Service RMM Access Control Virtual Private Network IT Management OneDrive Router Proactive Windows Storage Customer Relationship Management Meetings Chrome Machine Learning Analytics Website Data Loss Maintenance Company Culture Unified Threat Management File Management Managed Services Provider The Internet of Things Remote Workers Gmail Regulations Networking Apps Payment Cards Co-Managed IT Cooperation Management Search Risk Management File Sharing Server Management Hard Drive Net Neutrality Files Gadgets Professional Services Training Managed Services Tablet Assessment Internet Exlporer HIPAA Utility Computing Monitoring Dark Web Augmented Reality Bring Your Own Device Smart Technology Network Management Word Consultation Remote Monitoring and Management Patch Management Computing Financial Operating System Office Password Employees Social Network Time Management Recycling Electronic Health Records Mobile Security Consulting Alert Downtime Flexibility Covid-19 Unified Communications Employee-Employer Relationship Cookies Cables Fleet Tracking Notes Zero-Day Threat Technology Laws Windows Server 2008 Specifications Statistics Migration eWaste Cyberattacks Social Mobile Office Outlook Customer Service Proactive Maintenance Disaster Resistance Solid State Drive Digital Payment Hotspot Servers Emergency Mobile Device Management User Management Multi-Factor Security Shadow IT Operations Vulnerabilities Voice over Internet Protocol Wireless Projects Printer Holidays Managed IT Service Managing Stress Favorites Solid State Drives Recovery Nanotechnology Wires Asset Tracking PowerPoint Backup and Disaster Recovery Display Unified Threat Management Black Friday Bluetooth Chatbots Read Only Security Cameras Value of Managed Services Outsource IT MSP Shortcut Finance Cybercrime Proactive IT Cyber security Mouse Language Mirgation Point of Sale Teamwork Tech Terms Information Technology Outsourcing Money Mobile Computing Wearable Technology Star Wars Return on Investment IT Break Fix Spam Enterprise Content Management Conferencing Options Telephone App Human Error Optimization Cyber Monday Staff Identity Theft Enterprise Resource Planning Lenovo Printing Laptop Permissions Geography Authentication Database Management IT Consulting Computing Infrastructure Websites Cache E-Commerce Shared resources Samsung Theft Going Green Video Conferencing Microsoft Excel Settings Electronic Medical Records Personal Information SharePoint Business Telephone Social Networking 5G Mobile VoIP Fraud Screen Reader OneNote Virtual Assistant Mail Merge Permission Bitcoin User Error Virtual Machines Identity Manufacturing Superfish Remote Worker Vendor Google Calendar Remote Working Modem High-Speed Internet Authorization GDPR Data Breach Alerts SaaS Remote Computing Features Batteries Biometric Travel Tech Support Transportation Active Directory Downloads IT Assessment Virtual Reality G Suite Politics Wireless Internet Big Data Budget Smart Tech How To Wasting Time Address Test Current Events WiFi Credit Cards Firewall Touchscreen Hacking Mobile Private Cloud Smart Devices Development WPA3 Comparison Licensing CIO applications Procurement Gamification Techology Apple Technology Tips Heating/Cooling IT Technicians Cost Management Windows Server Digitize Data Warehousing Motherboard Chromebook Instant Messaging Employer/Employee Relationships Legislation Connectivity Database Computers Distributed Denial of Service Trending Bookmarks Hard Disk Drives ROI Sensors CEO Twitter Students Daniel Stevens Marketing Printers Education Regulation

Latest Blog

While all a business’ technology solutions are important, some are bound to take priority over the others, especially when certain ones become an industry-wide focus. A recent survey evaluated the top concerns of small-to-medium-sized businesses for the coming year. The resu...

Latest News

We are proud to announce that 415 IT and our CEO, Daniel Stevens, were recently featured by CIO Applications. We discussed how and why we serve our clients, as well as some sneak peeks for our future. Read our interview by visiting:  https:...