Category Archives: 2FA

Has two-factor authentication been defeated? A spotlight on 2FA’s latest challenge

Multiple news reports about the defeat of two-factor authentication (2FA) have been making rounds lately.

In November 2018, our friends at ESET discovered a purported Android battery utility tool called “Optimization Android” from a third-party app store. This app was designed to steal money from a user’s PayPal account without relying on stolen credentials. It operates by modifying a device’s Accessibility settings and enabling the use of Android’s overlay accessibility feature. This then allows a malicious accessibility service to mimic the user’s clicks to access the legitimate app and wire money to the criminal’s own PayPal address.

Long story short: This method effectively bypasses 2FA.

Then in mid-December, researchers at the Computer Emergency Response Team in Farsi (CERTFA) Lab released a report about “The Return of Charming Kitten,” a fresh slew of state-backed phishing attacks on individuals involved in sanctions against Iran and others, but focusing more on people based in the United States and Israel. State actors have found a way to fool targets into giving away their Gmail and Yahoo! 2-step verification codes.

Days after CERTFA’s report, Amnesty International broke the news that broad, targeted phishing campaigns were set against thousands of human rights defenders (HRDs), journalists, and political actors in countries throughout the Middle East and Northern Africa (MENA). The threat actors behind at least one campaign had also actively and deliberately taken steps to bypass common forms of 2FA.

A mantis lies in wait

The latest means of circumventing 2FA was made public by Polish security researcher Piotr Duszyński not long after the New Year. He called it Modlishka, an English spelling of the Polish word for ‘mantis’, and described it as “a flexible and powerful reverse proxy that will take your phishing campaigns to the next level (with minimal effort required from your side).” It is intended as a tool to aid penetration testers in conducting legitimate tests.

With its release, Duszyński emphasized the effectiveness and seriousness of social engineering attacks. In the wrong hands, a tool like Modlishka can be misused to build a convincing and sophisticated phishing campaign that is significantly easier to run, yet far more difficult for users to detect and avoid.

Overview of collected information from a simulated phishing campaign (Courtesy of Piotr Duszyński)

How Modlishka works

Modlishka sits between the legitimate website it is impersonating and the phishing website the user is seeing.

For this tool to do its job—and, in turn, for the campaign to work—the operators must first convince their targets that they are on the website they expect, so that victims enter their credentials without suspicion. Every interaction the user makes with the phishing page, including entering credentials, is passed through Modlishka, which records it and then forwards it to the legitimate website in real time.

The tool also prompts the user for a token when the account has 2FA enabled. However, the phisher must be on hand to intercept the 2FA token—especially if it is a time-based one-time password (TOTP)—and enter it on the legitimate website themselves before it expires.

Assuming everything went smoothly, the user is then redirected to the legitimate website and successfully logged in to conclude the phishing attack. Below is a video of Modlishka in action.

Courtesy of Piotr Duszyński

How users can protect themselves

To stop Modlishka dead in its tracks, Duszyński advised the use of 2FA hardware tokens, such as YubiKey, RSA SecurID, and the Titan Security Key, that support the Universal 2nd Factor (U2F) standard. According to Matias Brutti, Director of Research and Exploitation at Okta, push authentication can also render such campaigns less effective.
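Why does a relayed TOTP code get through while a U2F key does not? The following is an added illustration, not code from the original post or from Modlishka: a stdlib-only Python model of a relying party in which a proxy forwards whatever the victim supplies. The origins, secrets and challenge are constructed, HMAC stands in for U2F’s ECDSA signature, and the client-data format is simplified; what matters is that the hardware key signs the origin the browser is actually talking to.

```python
import hashlib, hmac, json, struct

LEGIT_ORIGIN = "https://login.example.com"            # constructed legitimate site
PHISH_ORIGIN = "https://login.example.com.evil.test"  # constructed proxy site

def totp(secret: bytes, timestep: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for one 30-second time step."""
    mac = hmac.new(secret, struct.pack(">Q", timestep), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, timestep: int) -> bool:
    """The site only checks that the code is right for the current step;
    nothing in the code records where the user typed it."""
    return hmac.compare_digest(totp(secret, timestep), code)

def authenticator_sign(key: bytes, challenge: str, origin: str) -> dict:
    """Hardware-key side: the browser supplies the origin it is talking to and
    the key signs challenge and origin together (HMAC stands in for ECDSA)."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
    sig = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": sig}

def verify_assertion(key: bytes, assertion: dict, challenge: str, origin: str) -> bool:
    """Relying-party side: reject unless the signed origin is our own."""
    data = json.loads(assertion["client_data"])
    if data["origin"] != origin or data["challenge"] != challenge:
        return False
    expected = hmac.new(key, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])

def relayed_totp_accepted(secret: bytes, timestep: int) -> bool:
    """Proxy forwards the code the victim typed, within the same step: accepted."""
    code_typed_on_phish_page = totp(secret, timestep)
    return verify_totp(secret, code_typed_on_phish_page, timestep)

def relayed_u2f_accepted(key: bytes, challenge: str) -> bool:
    """Proxy forwards the real site's challenge, but the victim's browser reports
    the phishing origin to the key, so the real site's origin check fails."""
    assertion = authenticator_sign(key, challenge, PHISH_ORIGIN)
    return verify_assertion(key, assertion, challenge, LEGIT_ORIGIN)

if __name__ == "__main__":
    print("relayed TOTP accepted:", relayed_totp_accepted(b"12345678901234567890", 1))
    print("relayed U2F accepted: ", relayed_u2f_accepted(b"device-key", "nonce-1"))
```

The TOTP function reproduces the RFC 6238 test vector (secret `12345678901234567890`, time step 1, 8 digits gives `94287082`), so the accepted relay is not an artefact of a toy implementation.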

Since all the incidents mentioned here are phishing attempts, it still pays to know what to look out for when determining whether a website, email, text, or other communication is a phish. Never click unknown links without verifying their authenticity first. Always check the URL in the address bar—and remember, the green padlock is no longer enough to tell whether a site is safe.

Furthermore, users should consider dropping SMS 2FA in favor of a stronger second factor, such as an authentication app or biometrics. Make it a point to regularly review account access logs to check whether someone other than yourself is attempting to gain entry to your online accounts. Avoid conducting business, especially anything involving the exchange of sensitive information or documents, from your personal email. If you can, add a layer of encryption to your messages with Pretty Good Privacy (PGP). Lastly, use a password manager—they not only have better memories than their humans, but they also keep you away from phishing sites by checking the URL in the address bar before auto-populating fields.

For mobile users, avoid downloading apps from third-party stores. Better yet, avoid looking for app utilities you think will optimize your mobile device. For example, if you’re looking to extend battery life, don’t download an app. Adopt some simple steps, such as turning off GPS when you’re not using it, or using the phone in battery-saver mode.

2FA is still good to have

Adopting 2FA is well-known, popular cybersecurity advice we give to those who want to beef up the security—and consequently, the privacy—of their accounts. But it’s also a known fact that 2FA is not bulletproof, hack-proof, or the cybersecurity panacea many assume it to be.

It is true that some forms, such as SMS-based OTPs, are a lot easier to circumvent than others. It is also true that there are more than 10 known ways to defeat 2FA to date. However, this doesn’t mean that 2FA itself is broken. Using 2FA is still far better than having just a user name and password locking your account.

The defeat of certain forms of 2FA isn’t a call for total abandonment, nor should it be considered one. It signals to us, the users, that we should explore and adopt better, more advanced forms of 2FA to secure our accounts. It also forces us to rethink our habits, adapt to this change in the threat landscape, and keep learning about the latest social engineering tactics and tricks that could target us in the environments and sites we frequent.

Stay safe!

The post Has two-factor authentication been defeated? A spotlight on 2FA’s latest challenge appeared first on Malwarebytes Labs.

A week in security (January 7 – 13)

Last week on the Malwarebytes Labs blog, we took a look at the Ryuk ransomware attack causing trouble over the holidays, as well as a ransom threat for an Irish transportation company. We explored the realm of SSN scams, and looked at what happens when an early warning system is attacked.

Other cybersecurity news

  • Password reuse problems. Multiple Reddit accounts reported being locked out after site admins blamed “password reuse” for the issue. (Source: The Register)
  • 85 rogue apps pulled from Play Store. Sadly, not before some 9 million downloads had already taken place. (Source: Trend Micro)
  • Home router risk. It seems many home routers aren’t doing enough in the fight against hackers. (Source: Help Net Security)
  • Deletion not allowed. Some people aren’t happy they can’t remove Facebook from their Samsung phones. (Source: Bloomberg)
  • Takedown: How a system admin brought down the notorious “El Chapo.” (Source: USA Today)
  • 2FA under fire. A new pentest tool called Mantis can be used to assist in the phishing of OTP (one time password) codes. (Source: Naked Security)
  • Facebook falls foul of new security laws in Vietnam. New rules have brought a spot of bother for Facebook, accused of not removing certain types of content and handing over data related to “fraudulent accounts.” (Source: Vietnam News)
  • Trading site has leak issue. A user on the newly set up trading platform was able to grab a lot of potentially problematic snippets, including authentication tokens and password reset links. (Source: Ars Technica)
  • Local risk to card details. A researcher discovered payment info was being stored locally on machines, potentially exposing them to anyone with physical access. (Source: Hacker One)
  • Facebook exec swatted. The dangerous “gag” of sending armed law enforcement to an address ends up causing problems for a “cybersecurity executive,” after bogus calls claimed they had “pipe bombs all over the place.” (Source: PA Daily Post)

Stay safe, everyone!

The post A week in security (January 7 – 13) appeared first on Malwarebytes Labs.

Reddit users locked out of accounts after “security concern”

A large number of Reddit users are being told that they will have to reset their passwords in order to regain access to their accounts following what the site is calling a “security concern.”

The lockout has occurred as Reddit's security team investigates what appears to have been an attempt to log into many users' accounts through a credential-stuffing attack.

The post Reddit users locked out of accounts after “security concern” appeared first on The State of Security.

Opinion: Back to the Start for 2FA Adoption?

In a previous post, Tripwire asked contributors what their most memorable event of 2018 was. As a follow-up, guest author Bob Covello expands on his thoughts about two-factor authentication (2FA). We in the infosec community have made enormous progress towards getting multi-factor authentication the recognition it deserves. All the respected folks in the community have […]

The post Opinion: Back to the Start for 2FA Adoption? appeared first on The State of Security.