For some time now, two-factor authentication (2FA) has generally been regarded as the best way to secure your private logins.
Unfortunately, according to a recent post by software security company KnowBe4, phishing attacks have evolved again and now pose a serious threat to 2FA’s effectiveness.
As KnowBe4 wrote:
“Google researchers are seeing more phishing attacks that are 2FA-aware. Attackers are realizing more organizations are embracing two-factor authentication (2FA) as a means of thwarting phishing attacks seeking to compromise credentials. By using a second authentication factor (which usually is an SMS-based verification code), attackers who only capture usernames and passwords have little use for the details collected.”
In short, cybercriminals have adapted to this growing defense tool by going the extra mile and tying SMS verification — a key step in the 2FA process — into their hacking attempt.
Here’s how the overall process might play out:
- A user receives an email appearing to come from a reputable source like Google, requesting that they take a look at something in their account.
- The user clicks on the link and is directed to an official-looking login page, announcing that the user should receive an SMS message with a login code shortly.
- The user receives the code and enters it into the login form, giving the cybercriminal access to all the user’s information on Google.
While so far this level of sophistication has only been discovered on Google, as KnowBe4 notes, “Today, it’s Google. Tomorrow, you can expect attackers to attempt this on every 2FA platform that uses some kind of single sign-on.”
Since the requests and email landing pages look authentic and users may be caught off guard by the extra step these attacks are requesting, this will be a difficult attack to stop once it becomes more widespread.
Until new defense technologies are developed, your best bet moving forward is to educate your organization about these threats and continue to preach a doctrine of cybersecurity awareness. An authentication request may seem official, but users should always thoroughly verify the email address these requests are coming from and then simply ask themselves, “Is there any real reason I should be receiving this right now?”
If there is any doubt at all, forward the message on to a member of your IT team. Don’t risk it.
Author Nikolai Vargas, Vice President of Client Services, CTO