With 2FA You Thought You Were Safe


Back in August 2020, we told you all about 2 Factor Authentication (2FA) and how it improves internet security. With 2FA you thought you were safe.

New Developments

You know the old saying “If you build it, they will come?” It can now be replaced with “If you secure it, they will find a way to hack it.” That is exactly what has happened with 2FA.

Although with 2FA you thought you were safe, hackers, using phishing tactics, have figured out how to get around your 2FA protections.

Phishing Toolkits

A recent study by Stony Brook University, conducted in conjunction with Palo Alto Networks, documented the appearance and distribution of “phishing toolkits.” These toolkits are “a set of scripts/programs that allow a phisher to automatically set up Phishing websites that spoof the legitimate websites of different brands including the graphics (i.e., images and logos) displayed on these websites.”

The malicious programs are then used to phish users of major online websites and steal their 2FA login data. By stealing your 2FA authentication cookies, the attackers gain two ways to override the security that made you think you were safe.

These toolkits have existed for a long time, but they have never been as widely distributed or as easy to obtain as they are now.

The Process

The two ways hackers can use these phishing toolkits are:

  1. They can infect a victim’s computer with data-stealing malware; or
  2. They can steal the cookies in transit—along with your password—before they ever reach the site that is trying to authenticate you.

This malicious act is accomplished by the hacker phishing the victim (you), capturing the internet traffic, and redirecting it to their phishing site. This way the hacker is between you and the website you were attempting to log into.

Tool Kit Examples

Below is a brief overview of a few examples of such toolkits:

  1. Rock Phish: a phishing toolkit popular in the hacking community since 2005. It allows even non-techies to launch phishing attacks. The kit allows a single website with multiple DNS names to host a variety of phished web pages, covering numerous organizations and institutions.
  2. Xrenoder Trojan Spyware: resets the browser’s homepage and/or search settings to point to other websites, usually for commercial purposes or porn traffic.
  3. Cpanel Google: a Trojan spyware that modifies the DNS entry in the hosts file to point to its own website. If Google gets redirected to that website, the victim may end up with a version of the site prepared by the phisher.

One of the biggest problems with these toolkits is that once 2FA data has been captured, the compromise persists for as long as the victim continues to visit the site without changing the 2FA number.

The Next Step

Does all this mean you should discard a 2FA policy? Actually, it means just the opposite.

Security is more important than ever when it comes to your data, so the more ways you have of protecting it, the better. The best things to do now are to be more aware of the services you log in to and reduce the timeout period on 2FA cookies. Our recommendation is to mark them as “this tab, this visit only.”
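The two points above (a captured session stays useful until it is changed, and cookie lifetimes should be short and limited to the current visit) come down to how the site manages the session it creates after a successful 2FA login. The following is an added example, not code from the original post or from any of the toolkits it describes; it is a hypothetical server-side session store, with constructed user names, client fingerprints and timeouts, showing how a bounded lifetime, an idle timeout, a client check and revocation on 2FA reset limit what a replayed cookie is worth.

```python
import hmac
import secrets
import time

# Constructed values for this example; tune them to the application's risk.
SESSION_MAX_AGE = 15 * 60      # absolute lifetime of a post-2FA session (seconds)
SESSION_IDLE_TIMEOUT = 5 * 60  # session dies after this much inactivity (seconds)


class SessionStore:
    """Hypothetical server-side store for sessions issued after a 2FA login."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so the scenario below is deterministic
        self._sessions = {}          # token -> session record

    def issue(self, user, client_fingerprint):
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, unguessable
        now = self._clock()
        self._sessions[token] = {
            "user": user,
            "issued": now,
            "last_seen": now,
            "fingerprint": client_fingerprint,
        }
        return token

    @staticmethod
    def set_cookie_header(token):
        # No Max-Age/Expires: a session cookie the browser drops when it closes
        # ("this visit only"). Secure/HttpOnly/SameSite narrow where it can leak.
        return f"Set-Cookie: session={token}; Secure; HttpOnly; SameSite=Strict; Path=/"

    def validate(self, token, client_fingerprint):
        """Return (user, verdict); any failure revokes the session outright."""
        s = self._sessions.get(token)
        if s is None:
            return None, "unknown"
        now = self._clock()
        if now - s["issued"] > SESSION_MAX_AGE:
            self.revoke(token)
            return None, "expired"
        if now - s["last_seen"] > SESSION_IDLE_TIMEOUT:
            self.revoke(token)
            return None, "idle"
        # Constant-time compare; a stolen cookie presented from a different
        # client (address/user agent) is treated as a replay and the session ends.
        if not hmac.compare_digest(s["fingerprint"], client_fingerprint):
            self.revoke(token)
            return None, "client_mismatch"
        s["last_seen"] = now
        return s["user"], "ok"

    def revoke(self, token):
        self._sessions.pop(token, None)

    def revoke_all_for_user(self, user):
        """Call when the user re-enrols 2FA or resets credentials; returns count."""
        tokens = [t for t, s in self._sessions.items() if s["user"] == user]
        for t in tokens:
            self.revoke(t)
        return len(tokens)


class FakeClock:
    """Controllable clock so timeouts can be exercised without sleeping."""

    def __init__(self, start=1_700_000_000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def replay_scenario():
    """Constructed walk-through: a victim logs in, a copy of the cookie is replayed
    from another client, sessions idle out, and a 2FA reset revokes everything."""
    clock = FakeClock()
    store = SessionStore(clock)
    victim_fp = "203.0.113.10|Mozilla/5.0 (constructed UA)"      # constructed
    attacker_fp = "198.51.100.7|curl/8.0 (constructed UA)"       # constructed
    results = {}

    token = store.issue("alice", victim_fp)
    results["victim_first_use"] = store.validate(token, victim_fp)[1]
    results["replay_from_other_client"] = store.validate(token, attacker_fp)[1]
    # The mismatch revoked the session, so the victim is forced to log in again.
    results["victim_after_replay"] = store.validate(token, victim_fp)[1]

    token2 = store.issue("alice", victim_fp)
    clock.advance(SESSION_IDLE_TIMEOUT + 1)
    results["idle_expiry"] = store.validate(token2, victim_fp)[1]

    token3 = store.issue("alice", victim_fp)
    clock.advance(60)
    results["within_idle"] = store.validate(token3, victim_fp)[1]
    results["revoked_on_2fa_reset"] = store.revoke_all_for_user("alice")
    results["after_reset"] = store.validate(token3, victim_fp)[1]
    return results


if __name__ == "__main__":
    for step, verdict in replay_scenario().items():
        print(f"{step}: {verdict}")
```

The client fingerprint is deliberately coarse; binding a session to a network address is brittle for mobile users, so in a real deployment it is a signal to step up verification rather than a hard block. The parts that do most of the work are the short absolute and idle lifetimes, the session cookie that never outlives the browser, and revoking every live session whenever the 2FA factor is changed, which is exactly what ends the "ongoing" compromise the post describes.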

What is the absolute best way to stay secure? Don’t open or click on links you don’t recognize; be cognizant of the sites you visit and make sure they are valid. Additionally, be relentless in educating your employees on their part in avoiding phishing attacks.