Beware: Phishing Scams can Bypass Two-Factor Authentication

Security experts and cybercriminals are constantly trying to one-up each other, and it may seem that the latter group has now gained the upper hand because the latest generation of phishing scams can bypass even two-factor authentication.

Is Two-Factor Authentication Dead?

Two-factor authentication, also called 2FA, is a commonly used security measure that adds a second authentication factor on top of a password. This second factor is either something the user knows (a PIN), has (an authentication token), or is (a fingerprint).

The idea behind two-factor authentication is simple: even if a cybercriminal gets hold of a password, they won’t be able to gain access to the account protected by it unless they also bypass the second authentication mechanism.

According to Microsoft, two-factor authentication can stop 99.9 percent of attacks dead in their tracks, and Google has a similarly positive message, saying that simply adding a recovery phone number can prevent up to 100 percent of automated bots, 99 percent of bulk phishing attacks, and 66 percent of targeted attacks.

Clearly, two-factor authentication is far from dead, but what about the remaining 0.1 percent? That’s where organizations can potentially lose millions of dollars and suffer irreparable damage to their reputation.

Man-in-the-Browser (MitB) Attacks

Not too long ago, the FBI delivered a Private Industry Notification (PIN) to warn about two hacker tools that make it possible for cybercriminals with limited technical skills to cut through two-factor authentication.

Called Muraena and NecroBrowser, these two tools were first demonstrated at the Hack in the Box Security Conference in Amsterdam, and they’re intended to work together as a perfect cybercrime duo. Muraena’s job is to intercept traffic between the user and the website the user is trying to visit by acting as a transparent reverse proxy capable of capturing credentials and session cookies, while NecroBrowser automates the extraction of data from the stolen accounts.

In practice, Muraena and NecroBrowser may be used as part of a larger phishing scam that starts with a fake email message containing a malicious login link. When the victim clicks on this link, they see what appears to be the legitimate login page (the real site’s content, relayed through the proxy) and don’t realize that the phishers are capturing all data in real time, including passwords, two-factor authentication codes, and session tokens.

The captured session tokens are arguably the most important element of this cyber heist because they give the attackers plenty of time to take advantage of the stolen account.

Defending Against Automated Phishing Attacks

Automated phishing attacks that rely on man-in-the-browser techniques and tools like Mureana and NecroBrowser are worrying because they can be executed at a large scale to target everyone from employees who are working from their homes to executives whose accounts can be used to authorize money transfers and provide access to sensitive information.

According to the FBI and independent security experts alike, two-factor authentication continues to be a strong and effective security measure to protect online accounts, but it should never be the only defense mechanism put in place against phishing scams.

Instead, users need to take a proactive approach and always check the web address before entering their credentials. They should also avoid public Wi-Fi networks when working with sensitive information online and verify unusual requests from superiors and co-workers over the phone or in person.

Organizations should also be proactive and deploy a comprehensive real-time phishing detection and protection solution capable of finding threats inside their email systems to stop phishing attacks before they have a chance to do any real damage.

At BCA, we offer a real-time phishing and fraud defense solution as part of our comprehensive cybersecurity stack, TOTALSecurity. This cloud-delivered solution uses artificial intelligence (AI) to detect phishing threats that email gateways can’t see by learning your business’s unique communication patterns and using them to evaluate the trustworthiness of incoming email messages.

With TOTALSecurity, you can effectively thwart all account takeover attempts without negatively affecting your employees’ productivity. Contact us to learn more about this product and how it can protect your organization against the latest cyber threats.