If your organization is one of the smart ones that mandates two factor authentication, the sense of security that comes with it may have just become more elusive once again. Malicious actors are getting increasingly skilled at bypassing its protections and exposing you all over again. Let’s dive into the components of this attack vector and describe the best methods to prevent and remediate it.

What is Phishing?

Like actual fishing, it’s no fun to be on the end of the hook, but for most of us being targeted is, unfortunately, inevitable. The bait is a phony email promising millions, a phone caller claiming to be your bank, or a fake website login form waiting to capture your sensitive password. For brevity’s sake, let’s focus on digital phishing. It occurs when a malicious actor, masquerading as a trusted entity, tricks the victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack, or the capture of sensitive information.

Digital phishing is a numbers game. A malicious actor sending out thousands of fraudulent messages can net significant information and sums of money, even if only a small percentage of recipients become victims. Malicious actors go to great lengths to mimic actual messages from the spoofed organization, using the same phrasing, typefaces, logos, and signatures to make messages appear legitimate. Additionally, malicious actors try to push their recipients into action by creating a sense of urgency. For example, an email could threaten account expiration and put the recipient on a timer; such pressure makes the user less diligent and more susceptible to the phishing attempt.

Digital phishing has been around since the adoption of the Internet and continues to grow in both methodology and efficacy. To understand its spread, consider the following statistics:

Phishing attempts grow ~65% per year

76% of organizations report being a victim of a phishing attack

30% of digital phishing messages are opened by recipients and 12% of them click on a malicious attachment or link

Phishing accounts for 95% of all attacks on enterprise networks

Nearly 1.5 million new phishing sites are created each month

What is 2FA?

Before addressing the question ‘What is 2FA?’ let’s consider why it’s important to do everything you can to improve your security posture. With our dependency on mobile devices and laptops, it’s no wonder our digital accounts have become a magnet for malicious actors. Luckily, it’s easy for your organization to add an extra level of protection to user accounts in the form of two factor authentication, also commonly referred to as 2FA.

Two factor authentication is an extra layer of security used to make sure that people trying to gain access to an online account are who they say they are. First, a user will enter their username and a password. Instead of immediately gaining access, the user is required to provide another piece of information. This second factor could come from one of the following categories:

Something you know: This could be a personal identification number (PIN), a password, answers to “secret questions” or a specific keystroke pattern

Something you have: Typically, a user would have something in their possession, like a credit card, a smartphone, or a small hardware token

Something you are: This category is a little more advanced, and might include the biometric pattern of a fingerprint, an iris scan, or a voice print

Two factor authentication typically takes one of the following forms:

Hardware Token: the oldest form of 2FA, such as the RSA key fob.

SMS or Voice Based: phone based, through a text message or phone call.

Software Token: the most popular form; software generated and time based, typically through an app.

Push Notification: an alert is sent upon an authentication request and requires approval.

Biometric: you, the user, are the token.

Phishing Pole to Bypass Your 2FA

In this particular attack vector, malicious actors deceive their victims by sending fake alerts from email addresses such as notifications.mailservices@gmail[.]com, noreply.customermails@gmail[.]com, customer]email-delivery[.]info etc., stating that unauthorized individuals are trying to access their accounts. Pretty much everyone on the Internet considers Google’s main domain (google.com) a safe and secure address, and malicious actors use this fact against their victims by creating fake pages on sites.google.com (a subdomain of google.com). Google Sites lets its users publish arbitrary content, and naturally malicious actors leverage this to host fake alerts and redirect their victims to insecure websites, or to embed phishing pages as an iframe on those pages. Instead of using text based links in phishing emails, malicious actors use images to bypass Google’s security and anti-phishing systems. Lastly, the most important part of this particular attack chain is a separate hidden image in the body of the email that notifies the attackers when a victim opens it, so they can prepare to bypass two factor authentication and compromise the victim in real time.

Once a victim enters their username and password, the malicious actor checks those credentials in real time and, if they are correct, the victim is prompted for the second step of two factor authentication: a verification code sent to their phone. The most sophisticated looking part of this attack vector is the apparently spoofed verification code that arrives on the victim’s phone via text or SMS, but in reality this SMS code is not spoofed at all. The malicious actor already has the login credentials, initiates the SMS code from within the real account, and presents a fake webpage to capture the legitimate code the victim receives. The key to all this is that the verification code is valid for 30 seconds, and that is long enough. With stolen login credentials and a genuine verification code, malicious actors can access your account, bypassing two factor authentication. Not good!

To thwart this particular attack vector, Google and other major providers have put in place measures to detect login requests from unknown geographic locations. Sure enough, malicious actors bypass this security feature by using proxy and VPN tunneling so that their logins appear to come from well-known countries.

The most troubling part of this particular attack vector is the proliferation of easily accessible phishing “kits” that automate the aforementioned process and can be deployed without any real expertise.

Plighting the Phish

There are two generally accepted methods to stop phishing attempts that bypass two factor authentication on Google.

U2F: A standard key developed by the FIDO Alliance that connects through a USB port on your desktop or laptop, or via Bluetooth or Near Field Communication (NFC) on your phone.

Advanced Protection Program by Google: A security key to access any login based Google account.

Deduction: Any phishing attempt asking for anything other than the two aforementioned methods tells you that it is fake.
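To show why the real-time relay described above defeats an SMS code but not a security key, here is a small Python model added for this article (not code from the original post or from any provider). It assumes a toy code derivation, constructed secrets, origins and timestamps, and uses an HMAC as a stand-in for the key’s asymmetric signature; the point it demonstrates is that the SMS code carries nothing about the site the victim is on, whereas a U2F assertion is bound to the origin the browser actually reports.

```python
import hashlib
import hmac

SMS_WINDOW = 30  # seconds a code stays valid, as the article states

def issue_sms_code(secret: bytes, issued_at: int) -> str:
    """Toy server-side code derivation (constructed; not any provider's scheme)."""
    mac = hmac.new(secret, issued_at.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def sms_login(secret: bytes, submitted: str, issued_at: int, now: int) -> bool:
    """Real site accepts any correct code while the window is still open."""
    fresh = now - issued_at < SMS_WINDOW
    return fresh and hmac.compare_digest(submitted, issue_sms_code(secret, issued_at))

def relay_sms(secret: bytes, issued_at: int, attacker_delay: int) -> bool:
    """Phishing page captures the genuine code the victim typed and replays it.
    Nothing in the code ties it to the site the victim believed they were on."""
    captured = issue_sms_code(secret, issued_at)  # victim reads it off the phone
    return sms_login(secret, captured, issued_at, issued_at + attacker_delay)

def u2f_sign(key: bytes, browser_origin: str, challenge: bytes) -> bytes:
    """Authenticator signs the origin the browser reports plus the server challenge.
    HMAC stands in for the key's asymmetric signature (constructed simplification)."""
    return hmac.new(key, browser_origin.encode() + challenge, hashlib.sha256).digest()

def u2f_login(key: bytes, real_origin: str, challenge: bytes, sig: bytes) -> bool:
    """Real site verifies against its own origin, never the one the attacker used."""
    return hmac.compare_digest(sig, u2f_sign(key, real_origin, challenge))

def relay_u2f(key: bytes, real_origin: str, browser_origin: str) -> bool:
    """Attacker forwards the real challenge; the victim's browser signs it, but
    with whatever origin it is actually on, so a phishing origin never verifies."""
    challenge = b"constructed-challenge-0001"
    sig = u2f_sign(key, browser_origin, challenge)
    return u2f_login(key, real_origin, challenge, sig)

if __name__ == "__main__":
    secret, key = b"constructed-sms-seed", b"constructed-u2f-key"
    real, phish = "https://accounts.example", "https://sites.example/login"
    print("SMS relay within window:", relay_sms(secret, 1_000, 10))  # True
    print("SMS relay after window :", relay_sms(secret, 1_000, 30))  # False
    print("U2F from real origin   :", relay_u2f(key, real, real))    # True
    print("U2F relayed via phish  :", relay_u2f(key, real, phish))   # False
```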

Helical Inc

www.helical-inc.com