Phishing Attack Bypasses Two-Factor Authentication

Hacker Kevin Mitnick demonstrates a phishing attack designed to abuse multi-factor authentication and take over targets' accounts.

Businesses and consumers around the world are encouraged to adopt two-factor authentication as a means of strengthening login security. But 2FA isn't ironclad: attackers are finding ways to circumvent the common best practice. In this case, they use social engineering.

A new exploit, demonstrated by KnowBe4 chief hacking officer Kevin Mitnick, lets threat actors access target accounts with a phishing attack. The tool to do this was originally developed by white hat hacker Kuba Gretzky, who dubbed it evilginx and explains it in a technical blog post.

It starts with typosquatting, a practice in which hackers create malicious URLs designed to look similar to websites people know. Mitnick starts his demo by opening a fake email from LinkedIn and points out its origin is "llnked.com" - a misspelling people will likely overlook.

Those who fall for the trick and click the email's malicious link are redirected to a login page where they enter their username, password, and eventually an authentication code sent to their mobile device. Meanwhile, the attacker can see a separate window where the victim's username, password, and a different six-digit code are displayed.

"This is not the actual 6-digit code that was intercepted, because you can't use the 6-digit code again," Mitnick says in the demo. "What we were able to do was intercept the session cookie."

Read the whole cool article at the source.

Source: DARKReading

Topics: Social Engineering, session Cookie intercept, Speaking Engagements, Stu Sjouwerman, fake email, typosquatting, @FA, Password Management, KnowBe4, LinkedIn, malicious URL, two-factor authentication bypass, phishing, Kevin Mitnick, Kuba Gretzky

Latest Posts

Kevin offers three excellent presentations, two are based on his best-selling books. His presentations are akin to technology magic shows that educate and inform while keeping people on the edge of their seats. He offers expert commentary on issues related to information security and increases “security awareness.”

6 Types of Social Engineering Attacks and How to Prevent Them

Social engineering attacks account for a massive portion of all cyber-attacks.

Read more ›

What You Get When You Invest in Social Engineering Testing with Mitnick Security

When testing your employees' social engineering readiness, your teams need simulated attacks that feel as if they’re coming from a nefarious engineer...

Read more ›

Mitnick Security: Ransomware Awareness Training

Ransomware is a type of malware that prevents accessibility to either a single computer or an entire network until a ransom is paid. This can result i..

Read more ›
tech-texture-bg