How Hackers Are Using Phishing To Bypass 2FA

Attackers bypass two-factor authentication (2FA) with phishing, increasingly delivered to mobile devices. They distribute links to fake login pages that mimic real sites such as Google. When a user enters credentials, the attacker immediately replays them on the real site, which triggers the genuine 2FA prompt. The user receives a legitimate 2FA code by SMS and unwittingly types it into the fake page, handing the attacker access to the account. Training helps, and organizations also deploy tools such as Wandera that block connections to known phishing domains so that the fake page never loads.

So how can these generally secure services be accessed by attackers when 2FA is enabled? Here is an example of such an attack, using the Google account of a high-value target, though the same technique works against any employee of any organization and, crucially, against any type of account.

Distributing fake login pages to bypass 2FA

As phishing has evolved and moved increasingly to mobile, phishers have also looked beyond email to distribute phishing links. Our own research suggests that 81% of phishing attacks now take place outside email and increasingly target messaging and social media apps such as Skype, WhatsApp, SMS ('smishing') and even Tinder. To make matters worse, users are three times more likely to click a phishing link on mobile than on desktop.

An attack begins when a phishing link is distributed to the target, pointing at a fake version of a page the attacker knows the target will be interested in. One popular lure is something embarrassing or sensitive, such as a message suggesting that the target's photos have been posted somewhere online. Another is a worrying message sent internally (or shared via Facebook) claiming that the target's salary has been published online.

Whatever lure is used, the attacker eventually diverts the target to a fake login page for the desired service (in this case Google). This landing page is a very accurate copy of the Google login page, and traditional phishing detection methods may not catch it.

On mobile the problem is amplified: user attention is typically less focused, the screen is smaller, and the browser obscures or truncates the domain. Even inspecting the URL is not always enough. Many modern mobile phishing attacks use 'blank' emoji in the domain name (google.com.⚪⚪⚪⚪ renders as invisible in many browsers), and an increasing number use free certificate services so that even these phishing pages are served over HTTPS from registered domains; the padlock only proves that whoever operates the page controls that domain, not that the domain is the one the user thinks it is. The threat research team at Wandera also recently found an uptick in punycode attacks targeting mobile users, with malicious domains that use Unicode characters to imitate popular brands including Google, Adidas, Rolex and British Airways.
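As an added illustration (this code is not from the article or from Wandera), the following Python script decodes punycode labels to the glyphs the address bar would show, flags mixed-script labels and labels made of symbols such as the blank emoji above, and maps a small, constructed confusables table onto a constructed brand list so that a lookalike of google.com is reported. The brand list, confusables table and sample hostnames are assumptions for the example, and the two-label "registrable domain" heuristic is a simplification of what the Public Suffix List provides.

```python
"""Added example, not code from the Wandera article: flag hostnames that
imitate a brand via punycode/Unicode lookalikes, mixed scripts, symbol-only
labels (the 'blank' emoji trick) or a brand name used as a subdomain.
Standard library only. The confusables table, brand list and sample hosts
are constructed for the example and deliberately small."""
import unicodedata

# Constructed lookalike table (Unicode codepoint -> ASCII letter it imitates).
# Real tooling would load the full Unicode confusables.txt instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",   # Cyrillic с х у і
    "\u0455": "s", "\u04bb": "h",                                 # Cyrillic ѕ һ
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",                  # Greek ο α ν
}
# Assumed list of brand apex domains we want to protect.
BRANDS = {"google.com", "adidas.com", "rolex.com", "britishairways.com"}


def to_unicode(host: str) -> str:
    """Decode xn-- (punycode) labels to the glyphs the address bar shows."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode (or malformed): inspect as given


def scripts_of(label: str) -> set:
    """Scripts used by the letters in one label, e.g. {'LATIN', 'CYRILLIC'}.
    Digits and '-' are ignored; anything else (emoji, punctuation) -> SYMBOL."""
    found = set()
    for ch in label:
        if ch in "0123456789-":
            continue
        if unicodedata.category(ch).startswith("L"):
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
        else:
            found.add("SYMBOL")
    return found


def skeleton(text: str) -> str:
    """Replace lookalikes with the Latin letters they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def analyze_host(host: str) -> dict:
    """Return the decoded hostname and a list of human-readable findings."""
    uni = to_unicode(host.strip().lower().rstrip("."))
    labels = uni.split(".")
    findings = []
    for label in labels:
        scripts = scripts_of(label)
        if "SYMBOL" in scripts:
            findings.append(f"non-alphanumeric characters in label {label!r}")
        if len(scripts - {"SYMBOL"}) > 1:
            findings.append(f"mixed-script label {label!r}")
    # Registrable domain approximated as the last two labels (assumption;
    # production code should consult the Public Suffix List).
    reg_uni = ".".join(labels[-2:])
    reg_skel = skeleton(reg_uni)
    if reg_skel in BRANDS and reg_uni != reg_skel:
        findings.append(f"homograph of {reg_skel}")
    for brand in sorted(BRANDS):
        if skeleton(uni).startswith(brand + ".") and reg_skel != brand:
            findings.append(f"{brand} used as a subdomain of {reg_skel}")
    return {"host": host, "unicode": uni, "findings": findings}


if __name__ == "__main__":
    # Constructed samples: the second is 'google.com' with two Cyrillic o's,
    # converted to the xn-- form a link would carry; the third mimics the
    # blank-emoji padding the article mentions.
    samples = [
        "google.com",
        "g\u043e\u043egle.com".encode("idna").decode("ascii"),
        "google.com.\u26aa\u26aa\u26aa\u26aa.evil-host.net",
    ]
    for h in samples:
        r = analyze_host(h)
        print(r["host"], "->", r["unicode"], r["findings"])
```

Run it as a script to see the three sample verdicts; in a gateway or MDM hook you would call analyze_host on every hostname a device resolves and block or warn on any non-empty findings list. Note that a clean result does not make a page safe: an attacker can register an unrelated, all-Latin domain with a valid certificate, which is exactly why the article recommends blocking known phishing domains as well.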

How a phishing landing page can be used to bypass 2FA

This diagram shows how the attack can be undertaken. The left-hand side, highlighted in blue, illustrates the experience from the target's perspective after being directed to a fake login page; the grey actions on the right are those taken by the attacker.

In detail: the victim lands on a fake login page for a service such as Office 365, iCloud or PayPal (Google in this example). Believing the page to be authentic, the target enters their credentials into the fake login form. The fake form then shows a prompt for an SMS two-factor code.

Meanwhile the attacker, who sees every credential entered into the page, takes the target's username and password and enters them into the legitimate Google site. This can be automated so that the attack runs at scale.

When those details are submitted, Google's real 2FA protection kicks in and asks the attacker for the 2FA code, which causes Google to send an SMS to the target's phone. The attacker does not even need to know the target's phone number.

Because the attack runs in real time, this SMS is triggered by the attacker within about 30 seconds of the target submitting the form. The target then receives a legitimate text from Google containing the 2FA code. Since the message genuinely comes from Google, nothing about it looks unusual, so the target has no cause for suspicion.

The target enters this code into the phishing page and appears to pass the 2FA prompt. Unknown to the target, any code would have been accepted by that field: the fake login flow exists only to harvest credentials, not to check whether they are correct.

The code the target enters is immediately visible to the attacker, who uses it to complete the real Google login and gain access to the target's account. The attacker has to do this before the code expires, which is why the whole relay must happen in real time.
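The following Python script is an added example, not code from the article or from Wandera. It models the relay described above with three parties (the real site, the fake page, and the victim who reads the SMS and types it into the fake page), and then goes one step beyond the article to show why the same relay fails against a second factor that binds its response to the origin the browser actually visited, the model used by FIDO2/WebAuthn security keys. Usernames, passwords, origins and the HMAC stand-in for the authenticator's signature are all constructed for the example.

```python
"""Added example, not code from the Wandera article: a toy model of the
real-time relay described above (the fake page forwards the password, the
real site texts the victim a genuine code, the victim types it into the fake
page, which forwards it inside the code's validity window). The second half
goes beyond the article: a factor whose response is bound to the origin the
browser actually visited (the FIDO2/WebAuthn model, with HMAC standing in for
the signature) is rejected when relayed. Names, passwords and origins are
constructed for the example."""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://accounts.example.com"       # assumed real site
PHISH_ORIGIN = "https://accounts-example.com.evil"  # assumed lookalike page


class SmsOtpSite:
    """Real service: password, then a 6-digit code sent by SMS."""
    def __init__(self, users):
        self.users = users      # username -> password (plain text for the toy)
        self.pending = {}       # username -> code waiting to be typed in
        self.sms_outbox = []    # (username, code) texts sent to the phone

    def login_step1(self, user, password):
        if self.users.get(user) != password:
            return "bad-credentials"
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = code
        self.sms_outbox.append((user, code))   # genuine SMS goes to the victim
        return "need-2fa"

    def login_step2(self, user, code):
        expected = self.pending.pop(user, None)   # nothing ties the code to a page
        if expected is not None and hmac.compare_digest(expected, code):
            return "session-for-" + user
        return "bad-code"


class PhishingPage:
    """Attacker's lookalike page: captures what the victim types, replays it."""
    def __init__(self, target_site):
        self.site = target_site
        self.user = None

    def submit_credentials(self, user, password):
        self.user = user                              # harvested ...
        return self.site.login_step1(user, password)  # ... and replayed at once

    def submit_code(self, code):
        return self.site.login_step2(self.user, code)


def sms_relay_attack():
    """Returns what the attacker ends up holding: a session for the victim."""
    site = SmsOtpSite({"alice": "correct horse battery"})
    page = PhishingPage(site)
    page.submit_credentials("alice", "correct horse battery")   # -> "need-2fa"
    # Victim reads the real SMS (attacker never needed her number) and types it in.
    _, code = next(s for s in site.sms_outbox if s[0] == "alice")
    return page.submit_code(code)


def sign_challenge(key, challenge, origin_seen):
    """Authenticator stand-in: response commits to the origin the browser is on."""
    return hmac.new(key, f"{challenge}|{origin_seen}".encode(), hashlib.sha256).hexdigest()


class OriginBoundSite:
    """Second factor is a signed challenge that must be bound to REAL_ORIGIN."""
    def __init__(self, keys):
        self.keys = keys        # username -> key (shared secret for the toy)
        self.challenges = {}

    def start(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def finish(self, user, response):
        challenge = self.challenges.pop(user, None)
        return challenge is not None and hmac.compare_digest(
            sign_challenge(self.keys[user], challenge, REAL_ORIGIN), response)


def origin_bound_relay_attack():
    """Same relay against an origin-bound factor; returns False (rejected)."""
    key = secrets.token_bytes(32)
    site = OriginBoundSite({"alice": key})
    challenge = site.start("alice")                  # attacker starts the login
    # Attacker forwards the challenge to the victim on PHISH_ORIGIN; her
    # authenticator binds the response to that origin, not to REAL_ORIGIN.
    return site.finish("alice", sign_challenge(key, challenge, PHISH_ORIGIN))


def origin_bound_legit_login():
    """Control: the same flow from the real origin succeeds."""
    key = secrets.token_bytes(32)
    site = OriginBoundSite({"alice": key})
    return site.finish("alice", sign_challenge(key, site.start("alice"), REAL_ORIGIN))


if __name__ == "__main__":
    print("SMS code relay    :", sms_relay_attack())           # session-for-alice
    print("origin-bound relay:", origin_bound_relay_attack())  # False
    print("origin-bound legit:", origin_bound_legit_login())   # True
```

The SMS relay succeeds because the real site receives a correct code from the right username and has no way to learn that the victim typed it into a different page. The origin-bound variant fails for a structural reason, not a timing one: the response the victim's authenticator produces names the phishing origin, and the real site only accepts responses bound to its own origin, so the attacker has nothing useful to forward.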

Preventing this attack

Compromising an account with a provider such as Apple, Google or Microsoft often hands the attacker the keys to a wide range of other services, along with all sorts of sensitive information.

This attack shows that even the protection of 2FA is not enough to totally prevent data loss. On mobile this has become a particular area of concern for many businesses. Organizations with a serious approach to security have been running large-scale education programs to ensure employees are trained to detect a phishing attempt and recognize that these attacks arrive across thousands of different channels, not just the inbox.

Yet training alone is unlikely to be enough. That is why a number of the world's leading organizations use Wandera, which automatically blocks connections to known and unknown phishing domains. The reality is that even the shrewdest employees can still be tricked into clicking a malicious link. Whenever an employee attempts to access any one of these millions of suspicious domains, Wandera prevents the page from ever loading, stopping the attack before it has begun.