Get Started Today!  (415) 295-4898

croom new

415 IT Blog

With Phishing Attacks Beating 2FA, You Need to Be Able to Spot Them

With Phishing Attacks Beating 2FA, You Need to Be Able to Spot Them

Unfortunately, one of the most effective defenses against phishing attacks has suddenly become a lot less dependable. This means that you and your users must be ready to catch these attempts instead. Here, we’ll review a few new attacks that can be included in a phishing attempt, and how you and your users can better identify them for yourselves.

How Has Two-Factor Authentication (2FA) Been Defeated?

There are a few different methods that have been leveraged to bypass the security benefits that 2FA is supposed to provide.

On a very basic level, some phishing attacks have been successful in convincing the user to hand over their credentials and the 2FA code that is generated when a login attempt is made. According to Amnesty International, one group of hackers has been sending out phishing emails that link the recipient to a convincing, yet fake, page to reset their Google password. In some cases, fake emails like this can look very convincing, which makes this scheme that much more effective.

As Amnesty International investigated these attacks, they discovered that the attacks were also leveraging automation to automatically launch Chrome and submit whatever the user entered on their end. This means that the 30-second time limit on 2FA credentials was of no concern.

In November 2018, an application on a third-party app store disguised as an Android battery utility tool was discovered to actually be a means of stealing funds from a user’s PayPal account. To do so, this application would alter the device’s Accessibility settings to enable the accessibility overlay feature. Once this was in place, the user’s clicks could be mimicked, allowing an attacker to send funds to their own PayPal account.

Another means of attack was actually shared publicly by Piotr Duszyński, a Polish security researcher. His method, named Modlishka, creates a reverse proxy that intercepts and records credentials as the user attempts to input them into the impersonated website. Modlishka then sends the credentials to the real website, concealing its theft of the user’s credentials. Worse, if the person leveraging Modlishka is present, they can steal 2FA credentials and quickly leverage them for themselves.

How to Protect Yourself Against 2FA Phishing

First and foremost, while it isn’t an impenetrable method, you don’t want to pass up on 2FA completely, although some methods of 2FA are becoming much more preferable than others. At the moment, the safest form of 2FA is to utilize hardware tokens with U2F protocol.

Even more importantly, you need your entire team to be able to identify the signs of a phishing attempt. While attacks like these can make it more challenging, a little bit of diligence can assist greatly in preventing them.

When all is said and done, 2FA fishing is just like regular phishing… there’s just the extra step of replicating the need for a second authentication factor. Therefore, a few general best practices for avoiding any misleading and malicious website should do.

First of  all, you need to double-check and make sure you’re actually on the website you wanted to visit. For instance, if you’re trying to access your Google account, the login url won’t be www - logintogoogle - dot com. Website spoofing is a very real way that (as evidenced above) attackers will try to fool users into handing over credentials.

There are many other signs that a website, or an email, may be an attempt to phish you. Google has actually put together a very educational online activity on one of the many websites owned by Alphabet, Inc. Put your phishing identification skills to the test by visiting, and encourage the rest of your staff to do the same!

For more best practices, security alerts, and tips, make sure you subscribe to our blog, and if you have any other questions, feel free to reach out to our team by calling (415) 295-4898.

Tip of the Week: Match Word to Your Style
Analytics Can Fool You


No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Sunday, July 21 2019

Captcha Image

Mobile? Grab this Article!

Qr Code

Tag Cloud

Security Tip of the Week Technology Productivity Best Practices Business Computing Data Backup Hosted Solutions Privacy Network Security Cloud Software Data Recovery Data IT Support Email Malware Outsourced IT Tech Term IT Services Business Internet Hackers Computer Managed IT Services Innovation Cloud Computing Business Management Collaboration Small Business User Tips Ransomware Windows 10 Microsoft Hardware Paperless Office Mobile Devices Android Upgrade Efficiency Google Business Continuity VoIp Phishing Encryption Server Managed Service Provider Vulnerability Smartphones Communication Remote Monitoring Communications Office 365 Business Technology Managed Service Internet of Things Quick Tips Managed IT services Save Money Workplace Tips Passwords Applications Cybersecurity Data Management Managed IT Browser Holiday Laptops Backup Artificial Intelligence Saving Money Information Wi-Fi Document Management Government Disaster Recovery Bandwidth Scam Mobile Device Tip of the week Healthcare Blockchain Processor Employer-Employee Relationship Compliance Smartphone Antivirus Project Management Analytics Social Media Two-factor Authentication VPN Router BYOD Automation Infrastructure Website Microsoft Office Vendor Management Windows IT Management Data Security Customer Relationship Management Chrome BDR Management RMM Facebook Data Loss File Sharing Alert Proactive Windows 7 Redundancy Maintenance Mobile Security Help Desk Storage Unified Communications HIPAA Remote Monitoring and Management Bring Your Own Device Unified Threat Management Networking Operating System Gmail Machine Learning The Internet of Things Cooperation Employees Risk Management Access Control Server Management Downtime Files Virtual Private Network Software as a Service Net Neutrality Tablet Network Assessment Company Culture Word Remote Workers Internet Exlporer Smart Technology Users Patch Management Network Management IoT Consultation Regulations Nanotechnology Wires Conferencing Solid State Drives Virtual Reality Chatbots Voice over Internet Protocol Projects Address WiFi Travel Hacking Printing Firewall Mirgation Hard Drive Human Error PowerPoint Display Mobile Computing Touchscreen Comparison Licensing Wearable Technology Star Wars Authentication Cybercrime Techology Spam Enterprise Content Management Time Management E-Commerce Theft Teamwork App Meetings Options Data Warehousing Flexibility Identity Theft Enterprise Resource Planning Monitoring Heating/Cooling Electronic Medical Records Return on Investment Technology Tips Geography Trending Remote Worker OneDrive Distributed Denial of Service Cache OneNote Permission Professional Services Training Technology Laws Legislation Shared resources Emergency Multi-Factor Security Specifications Utility Computing Authorization Database Management Outlook Disaster Resistance Social Networking Features Statistics Financial Hotspot Screen Reader Politics 5G Operations Identity Servers Settings Printer Digital Payment Modem High-Speed Internet Office Mobility Private Cloud Manufacturing Search Managed IT Service Remote Computing How To Test Virtual Assistant Bitcoin Unified Threat Management Virtualization Black Friday Tech Support WPA3 Recovery GDPR Shortcut Proactive IT G Suite Electronic Health Records Bluetooth Procurement Mouse Language Smart Tech Instant Messaging Wireless Internet Money Mobile Consulting Transportation Development Bookmarks ROI Password Lenovo Break Fix Recycling Employee-Employer Relationship Wasting Time Current Events CIO applications Samsung Cyber Monday Staff IT Technicians Cost Management Gadgets Fleet Tracking Zero-Day Threat IT Consulting Permissions Motherboard Chromebook Cyberattacks Social SharePoint Computing Infrastructure Connectivity Customer Service Employer/Employee Relationships Microsoft Excel Avoiding Downtime Managed Services Provider Websites Mobile Device Management Cookies Cables Favorites Apps Hard Disk Drives Superfish Dark Web Augmented Reality Migration eWaste Wireless Database Miscellaneous Mail Merge User Error Asset Tracking Backup and Disaster Recovery Notes Data Breach Google Calendar Fraud Vulnerabilities Read Only Security Cameras Downloads Computing Alerts MSP Finance Proactive Maintenance Managing Stress Point of Sale SaaS Tech Terms Daniel Stevens Printers Regulation Marketing Education CEO Twitter Students

Latest Blog

Accountants are asked a lot of questions. You’d expect as much as they manage a lot of organizational money, and can give small business owners and executives straight-forward advice about whether or not investments make sense for a company. With the recent increase in techn...

Latest News

We are proud to announce that 415 IT and our CEO, Daniel Stevens, were recently featured by CIO Applications. We discussed how and why we serve our clients, as well as some sneak peeks for our future. Read our interview by visiting:  https:...