Implementing two-factor authentication is the advice cybersecurity professionals worldwide most often give when a high-profile phishing attack makes the news. Two-factor authentication is a legitimate secondary security measure that organisations and institutions should adopt, but it is not as dependable as it is usually assumed to be. Threat actors and cybercriminals are always finding ways to break through the security protocols and practices put in place, and they have now learned to get around two-factor authentication.
Two-factor authentication is a process by which a user is authenticated by two separate methods. Many institutions run websites that use two-factor authentication: after entering their credentials, users must also confirm a one-time PIN unless a cookie on the browser already marks the device as trusted. This PIN can be distributed via email, text message, or voice call.
The benefit of two-factor authentication is the extra layer of security it adds to a transaction or an account (such as email): a would-be hacker needs both keys to get in. A malicious user who had your password but not your 2FA key could not access and hijack your email account, nor use the data in it to reach banking or other services.
One of the main downsides of two-factor authentication is that it requires some sort of transactional setting. For instance, if you use a VPN service that requires two-factor authentication, the session you establish stays authenticated until you disconnect. That is no drawback in this setting, but in a case like using your mobile device to access email, completing two-factor authentication every time you want to check your mail or send a message becomes very cumbersome.
Phishing exposes a more significant flaw in two-factor authentication. Suppose an individual receives a phishing message from threat actors that asks them to log in to their account, and the email contains a link to a spoof website made to look like their actual bank. The user goes to the phishing site and enters both their login credentials and their two-factor authentication code. The phishing site then uses the two parts to log in to the financial institution as the user. Because the user "trusted" the phishing site, they handed over both factors, rendering the second factor useless.
Once a phishing victim has entered their two-factor authentication code on the phishing site, the threat actor can take the resulting session cookie from the developer tools of a web browser. From that point the threat actor no longer needs the individual's credentials at all: pasting the session cookie into a browser is enough to log in to the individual's account.
Cybersecurity professionals and specialists have demonstrated an automated phishing attack that cuts through that added layer of security, 2FA, and could potentially dupe unsuspecting users into sharing their private credentials.
The attack was first demonstrated at the Hack in the Box Security Conference in June to show how threat actors are getting better at defeating extra layers of security such as two-factor authentication. The hack uses two tools, Muraena and NecroBrowser, which work together to automate the cyberattack.
Muraena intercepts traffic between the user and the target website, acting as a proxy that sits between the victim and the genuine site. Once Muraena has the victim on a phoney site that looks like the real login page, the user is asked to enter their login credentials and 2FA code. As soon as Muraena has captured the authenticated session cookie, it is passed along to NecroBrowser, which can open browser windows to keep control of the private accounts of tens of thousands of victims.
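The relay described above works because a one-time code carries no information about which site the user typed it into. The following Python model, an added example and not part of the original post or of the Muraena project, contrasts a password-plus-TOTP server with a simplified origin-bound scheme (the WebAuthn idea, with an HMAC shared key standing in for the authenticator's signature and all names and values constructed for illustration): a proxy can forward the TOTP unchanged, but an assertion signed for the lookalike domain is rejected by the genuine site.

```python
import hashlib
import hmac
import secrets
import struct

GENUINE_ORIGIN = "bank.example"          # constructed: the real site
PHISH_ORIGIN = "bank-login.example"      # constructed: the proxy's lookalike domain
PASSWORD = "hunter2"                     # constructed victim password

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). The code says nothing about where it was typed."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    value = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{value:0{digits}d}"

class OtpServer:
    """Password + one-time code: accepts any request that arrives with a valid code."""
    def __init__(self, secret: bytes):
        self.secret = secret
    def login(self, password: str, code: str, now: int) -> bool:
        return password == PASSWORD and hmac.compare_digest(code, totp(self.secret, now))

class OriginBoundServer:
    """Challenge signed together with the origin the browser actually saw (simplified WebAuthn)."""
    def __init__(self, key: bytes):
        self.key, self.pending = key, set()
    def challenge(self) -> str:
        c = secrets.token_hex(16)
        self.pending.add(c)
        return c
    def login(self, password: str, challenge: str, signature: str) -> bool:
        if password != PASSWORD or challenge not in self.pending:
            return False
        self.pending.discard(challenge)                        # challenges are single-use
        expected = sign(self.key, challenge, GENUINE_ORIGIN)   # only its own origin is acceptable
        return hmac.compare_digest(signature, expected)

def sign(key: bytes, challenge: str, origin_seen: str) -> str:
    """Stands in for the authenticator's signature; it always binds the origin the browser observed."""
    return hmac.new(key, f"{challenge}|{origin_seen}".encode(), hashlib.sha256).hexdigest()

def relayed_otp_login(server: OtpServer, secret: bytes, now: int) -> bool:
    """Victim types password and code into the proxy page; the proxy forwards both unchanged."""
    return server.login(PASSWORD, totp(secret, now), now)

def relayed_origin_bound_login(server: OriginBoundServer, key: bytes) -> bool:
    """Proxy fetches a real challenge, but the victim's browser signs it for PHISH_ORIGIN."""
    c = server.challenge()
    return server.login(PASSWORD, c, sign(key, c, PHISH_ORIGIN))

def genuine_origin_bound_login(server: OriginBoundServer, key: bytes) -> bool:
    c = server.challenge()
    return server.login(PASSWORD, c, sign(key, c, GENUINE_ORIGIN))
```

The same property is what makes the stolen session cookie from the previous paragraph so valuable: once the second factor has been relayed, the cookie is all the proxy needs, so the defence has to stop the relay at the point of origin rather than after it.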
Despite this hack, two-factor authentication is still considered one of the best security practices, and Orpheus Cyber's cyber threat intelligence and cyber risk rating platform helps organisations protect their vital assets; find out more here.