Get Started Today!  (415) 295-4898

croom new

415 IT Blog

With Phishing Attacks Beating 2FA, You Need to Be Able to Spot Them

With Phishing Attacks Beating 2FA, You Need to Be Able to Spot Them

Unfortunately, one of the most effective defenses against phishing attacks has suddenly become a lot less dependable. This means that you and your users must be ready to catch these attempts instead. Here, we’ll review a few new attacks that can be included in a phishing attempt, and how you and your users can better identify them for yourselves.

How Has Two-Factor Authentication (2FA) Been Defeated?

There are a few different methods that have been leveraged to bypass the security benefits that 2FA is supposed to provide.

On a very basic level, some phishing attacks have been successful in convincing the user to hand over their credentials and the 2FA code that is generated when a login attempt is made. According to Amnesty International, one group of hackers has been sending out phishing emails that link the recipient to a convincing, yet fake, page to reset their Google password. In some cases, fake emails like this can look very convincing, which makes this scheme that much more effective.

As Amnesty International investigated these attacks, they discovered that the attacks were also leveraging automation to automatically launch Chrome and submit whatever the user entered on their end. This means that the 30-second time limit on 2FA credentials was of no concern.

In November 2018, an application on a third-party app store disguised as an Android battery utility tool was discovered to actually be a means of stealing funds from a user’s PayPal account. To do so, this application would alter the device’s Accessibility settings to enable the accessibility overlay feature. Once this was in place, the user’s clicks could be mimicked, allowing an attacker to send funds to their own PayPal account.

Another means of attack was actually shared publicly by Piotr Duszyński, a Polish security researcher. His method, named Modlishka, creates a reverse proxy that intercepts and records credentials as the user attempts to input them into the impersonated website. Modlishka then sends the credentials to the real website, concealing its theft of the user’s credentials. Worse, if the person leveraging Modlishka is present, they can steal 2FA credentials and quickly leverage them for themselves.

How to Protect Yourself Against 2FA Phishing

First and foremost, while it isn’t an impenetrable method, you don’t want to pass up on 2FA completely, although some methods of 2FA are becoming much more preferable than others. At the moment, the safest form of 2FA is to utilize hardware tokens with U2F protocol.

Even more importantly, you need your entire team to be able to identify the signs of a phishing attempt. While attacks like these can make it more challenging, a little bit of diligence can assist greatly in preventing them.

When all is said and done, 2FA fishing is just like regular phishing… there’s just the extra step of replicating the need for a second authentication factor. Therefore, a few general best practices for avoiding any misleading and malicious website should do.

First of  all, you need to double-check and make sure you’re actually on the website you wanted to visit. For instance, if you’re trying to access your Google account, the login url won’t be www - logintogoogle - dot com. Website spoofing is a very real way that (as evidenced above) attackers will try to fool users into handing over credentials.

There are many other signs that a website, or an email, may be an attempt to phish you. Google has actually put together a very educational online activity on one of the many websites owned by Alphabet, Inc. Put your phishing identification skills to the test by visiting, and encourage the rest of your staff to do the same!

For more best practices, security alerts, and tips, make sure you subscribe to our blog, and if you have any other questions, feel free to reach out to our team by calling (415) 295-4898.

Tip of the Week: Match Word to Your Style
Analytics Can Fool You


No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Sunday, May 19 2019

Captcha Image

Mobile? Grab this Article!

Qr Code

Tag Cloud

Security Tip of the Week Technology Best Practices Productivity Business Computing Data Backup Hosted Solutions Privacy Network Security Cloud Email Data Recovery IT Support Malware Data Tech Term Business Outsourced IT Software IT Services Internet Hackers Innovation Managed IT Services Cloud Computing Business Management Small Business Ransomware Google Efficiency User Tips Windows 10 Paperless Office Mobile Devices Android Upgrade Collaboration Hardware Computer Encryption Managed Service Provider Server VoIp Communication Business Continuity Microsoft Vulnerability Phishing Remote Monitoring Holiday Backup Browser Artificial Intelligence Office 365 Internet of Things Business Technology Managed IT services Passwords Workplace Tips Applications Data Management Smartphones Managed IT Communications Antivirus Cybersecurity Saving Money Compliance Information Wi-Fi Document Management Government Smartphone Bandwidth Mobile Device Project Management Managed Service Tip of the week Disaster Recovery Scam Healthcare Employer-Employee Relationship Website Chrome Microsoft Office Social Media Analytics Data Security BDR BYOD Automation Two-factor Authentication Router Blockchain VPN Vendor Management Quick Tips Infrastructure Save Money IT Management Customer Relationship Management Files Access Control Network Management Remote Workers Internet Exlporer Smart Technology Virtual Private Network Windows Company Culture Facebook Word IoT Proactive Patch Management Regulations Mobile Security Management File Sharing Help Desk Unified Threat Management Unified Communications Remote Monitoring and Management Data Loss Alert Redundancy Maintenance Gmail Storage The Internet of Things Cooperation Server Management HIPAA Employees Risk Management Bring Your Own Device Networking Machine Learning Software as a Service Net Neutrality Assessment Tablet Network Users Options Development Favorites Apps Dark Web Augmented Reality Windows 7 Recycling Wireless Motherboard Chromebook Read Only Security Cameras Professional Services SaaS Lenovo IT Technicians Cost Management Asset Tracking Backup and Disaster Recovery Google Calendar Fraud OneDrive Consultation Computing Alerts Samsung Connectivity MSP Finance Shared resources IT Consulting Point of Sale Tech Terms SharePoint Cookies Cables Conferencing Virtual Reality Settings Touchscreen Hacking Migration eWaste RMM Travel User Error Vulnerabilities Printing Firewall Virtual Assistant Time Management Superfish Human Error Manufacturing Mail Merge E-Commerce Theft Comparison Licensing Heating/Cooling Authentication Virtualization Data Breach Managing Stress Technology Tips Downloads Nanotechnology Wires Meetings Data Warehousing Flexibility Transportation Trending Chatbots Monitoring Electronic Medical Records Address WiFi Mobile Computing Remote Worker Distributed Denial of Service Wasting Time Statistics Mirgation Hard Drive OneNote Permission Legislation Password Features Financial Specifications Servers Wearable Technology Star Wars Authorization CIO applications Spam Enterprise Content Management Digital Payment Hotspot App Politics Operations Mobility Techology Identity Theft Enterprise Resource Planning Operating System Hard Disk Drives Recovery Geography Office Private Cloud Managed IT Service Database Bluetooth Cache How To Test Electronic Health Records Procurement Black Friday Notes Utility Computing WPA3 Technology Laws Social Networking Mouse Language Emergency Multi-Factor Security Screen Reader Instant Messaging Money Outlook Disaster Resistance Identity Consulting Downtime Gadgets Solid State Drives Printer Modem High-Speed Internet Bookmarks ROI Break Fix Voice over Internet Protocol Remote Computing Employee-Employer Relationship G Suite Cyberattacks Social Cyber Monday Staff PowerPoint Avoiding Downtime Websites Search Tech Support Fleet Tracking Zero-Day Threat Permissions Unified Threat Management Computing Infrastructure Smart Tech Customer Service Microsoft Excel Teamwork Shortcut Proactive IT Mobile Managed Services Provider Mobile Device Management 5G Printers Twitter Wireless Internet Education CEO Marketing Regulation Students Daniel Stevens

Latest Blog

Subscription-based solutions are quite popular these days, and Microsoft Office 365 is perhaps one of the most important ones on the market. However, the services provided by Office 365 are contingent upon successfully renewing the subscription, making it critical that the u...

Latest News

We are proud to announce that 415 IT and our CEO, Daniel Stevens, were recently featured by CIO Applications. We discussed how and why we serve our clients, as well as some sneak peeks for our future. Read our interview by visiting:  https:...