PHISHING AND TWO-FACTOR AUTHENTICATION

Dear readers of Hacker's Station, today we return to the topic of phishing and password security, already covered in some previous articles. This time we look in detail at a phishing technique that circumvents two-factor authentication.

Two-factor authentication, although considered the standard for secure access to resources, has weaknesses that an attacker can use to carry out targeted phishing attacks.

This is possible because the belief that one is dealing with a secure system leads users to perform certain operations automatically, without due attention.

In this way an attacker can gain fraudulent access to restricted areas.

Two-factor authentication: weaknesses and advantages

Two-factor authentication strengthens the password mechanism; although it is not perfect, it is widely considered a best practice for protecting our accounts and our data on the various systems.

The best thing would be to have three-factor authentication:
  1. Something you know (for example the password);
  2. Something you have (token, phone);
  3. Something you are (biometric data).
However, such a system presents obvious practical difficulties, especially for identification and access to websites.

Probably for this reason two-factor authentication (the combination of a password with a token or OTP, One-Time Password) is becoming increasingly popular.

We find this system in sensitive applications, such as internet banking sites, e-mail accounts and social network profiles.

It is definitely more secure than the password alone, which has been shown to be widely crackable or bypassable.

Even when we adopt a best practice we are not 100% safe, and paradoxically it can lower our perception of risk.

Circumventing the two-factor authentication system with phishing

The article "When Best Practice Isn't Good Enough: Large Campaigns of Phishing Attacks in Middle East and North Africa Target Privacy-Conscious Users", published on the Amnesty International website (available at this link: https://www.amnesty.org/en/latest/research/2018/12/when-best-practice-is-not-good-enough), shows how simple it is to exploit users' false sense of security, even when they are prepared.

The cited article reports on a massive phishing campaign, carried out in the Middle East and North Africa, designed to bypass two-factor authentication.

The infrastructure built by the attackers is complex and targets users who have at least a basic awareness of the measures needed to secure their accounts.

DESCRIPTION OF THE ATTACK

The attackers registered domains practically identical to the original (for example, changing only the top-level domain) and built an identical copy of the site on them.

Owning the domain allowed them to obtain a genuine SSL certificate for it, giving the victim a further element of reassurance.

The attack proper then begins with alert e-mails warning that the account has been compromised and asking the victim to change the password.

By clicking the link the victim lands on the bogus site and enters their credentials; the bogus site automatically forwards them to the original site, which then:
  1. asks for the token code;
  2. sends the OTP to the victim's phone.
The victim reads the OTP and types it into the bogus site as well, which relays it to the original site before the code expires; at that point it is the attacker, not the victim, who holds the authenticated session.
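To make the relay concrete, here is a simulation added to this article (it is not the attackers' kit and not code from the Amnesty report): a minimal "real site" that checks a password and then an RFC 6238 TOTP, and a "bogus site" that records what the victim types and replays it to the real site. The user, password and TOTP secret are constructed for the demo, `relay_delay` models how long the phishers take to replay the code, and the real site deliberately accepts only the current 30-second step, which is the lifetime discussed below.

```python
"""Relay (man-in-the-middle) phishing against password + TOTP, simulated offline."""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional, Tuple

TOTP_STEP = 30      # seconds per code: the "no more than 30 seconds" lifetime
TOTP_DIGITS = 6


def totp(secret: bytes, now: float) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second step that contains `now`."""
    counter = struct.pack(">Q", int(now // TOTP_STEP))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** TOTP_DIGITS:0{TOTP_DIGITS}d}"


class RealSite:
    """The genuine service: password first, then a TOTP valid only in the current step."""

    def __init__(self) -> None:
        self.users: Dict[str, Tuple[str, bytes]] = {}   # user -> (password, TOTP secret)
        self.pending: Dict[str, str] = {}               # login id -> user awaiting the OTP
        self.sessions: Dict[str, str] = {}              # session token -> user

    def register(self, user: str, password: str, secret: bytes) -> None:
        self.users[user] = (password, secret)

    def submit_password(self, user: str, password: str) -> Optional[str]:
        stored = self.users.get(user)
        if stored is None or not hmac.compare_digest(stored[0], password):
            return None
        login_id = secrets.token_hex(8)
        self.pending[login_id] = user   # step 1 of the attack: the site now asks for the token
        return login_id

    def submit_otp(self, login_id: str, code: str, now: float) -> Optional[str]:
        user = self.pending.pop(login_id, None)
        if user is None:
            return None
        # Strict policy: only the code of the current step is accepted. Many services also
        # accept the previous step (RFC 6238 sec. 6), which roughly doubles the relay window.
        if not hmac.compare_digest(totp(self.users[user][1], now), code):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token


class PhishingProxy:
    """The look-alike site: records what the victim types and replays it to the real site.
    `relay_delay` is the number of seconds between capturing a value and replaying it."""

    def __init__(self, real: RealSite, relay_delay: float = 0.0) -> None:
        self.real = real
        self.relay_delay = relay_delay
        self.harvested: Dict[str, str] = {}

    def victim_enters_password(self, user: str, password: str) -> Optional[str]:
        self.harvested["user"], self.harvested["password"] = user, password
        return self.real.submit_password(user, password)   # relayed: triggers the OTP step

    def victim_enters_otp(self, login_id: str, code: str, typed_at: float) -> Optional[str]:
        self.harvested["otp"] = code
        return self.real.submit_otp(login_id, code, typed_at + self.relay_delay)


def run_relay_attack(relay_delay: float, now: float) -> bool:
    """Play the campaign through; True if the attacker ends up holding a valid session."""
    real = RealSite()
    secret = b"constructed-demo-totp-secret"            # constructed for the demo
    real.register("victim", "correct horse battery staple", secret)
    proxy = PhishingProxy(real, relay_delay)

    # The victim types the password into the bogus site; it is relayed to the real site,
    # which replies by asking for the token and sending the OTP to the victim's phone.
    login_id = proxy.victim_enters_password("victim", "correct horse battery staple")
    if login_id is None:
        return False
    # The victim reads the OTP at time `now` and types it into the bogus site, which
    # replays it `relay_delay` seconds later; this only works inside the code's lifetime.
    token = proxy.victim_enters_otp(login_id, totp(secret, now), now)
    return token is not None and real.sessions.get(token) == "victim"


if __name__ == "__main__":
    t0 = 1020.0   # start of a 30-second step; any wall-clock time behaves the same way
    print("fast relay (5 s):", run_relay_attack(5.0, t0))    # attacker is logged in
    print("slow relay (45 s):", run_relay_attack(45.0, t0))  # the OTP has already expired
```

Running it shows the attacker holding the session when the replay happens within the code's lifetime and being rejected when it does not. Note that the OTP itself was correct; the only thing wrong was the domain it was typed into. Any second factor that the user copies by hand can be relayed this way; only a factor bound to the origin, such as a FIDO/WebAuthn authenticator that signs the domain it is actually talking to, refuses to work on the bogus site.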
An identical attack was also carried out against Google and Yahoo accounts; in that case it was preceded by painstaking social engineering, which involved sharing and collaborating on documents in Google Docs in order to win the user's trust.

Considerations on the security of two-factor access

Obviously an attack like this is not trivial: the attacker carefully chose the target and prepared the infrastructure so as to minimize the victim's suspicion (it was probably a group rather than a single person).

This infrastructure is complex: it has to record and use, in real time, data such as the OTP, which often has a lifetime of no more than 30 seconds.

The fact that the attack succeeded does not mean that two-factor authentication is invalid or should be abandoned. Its level of security is incomparably better than the classic password alone. It is important to remember that habit and a false sense of security are always the decisive human factors.

ANTI-PHISHING TIPS AND ADVICE

Even authentication systems considered secure can have weaknesses that an attacker can exploit to bypass the system itself.

To avoid falling into the net, I recommend never letting your guard down by assuming that computer systems will protect you from every risk.

If you receive a suspicious e-mail, for example one apparently from your bank asking for your login credentials, do not click the link: contact your bank by phone, using a number you already have rather than one given in the e-mail, and ask for clarification.
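A concrete check for that tip, added here as an example and not taken from the original article: before acting on a link, compare its host with the host you know. The function below flags the top-level-domain swap used in the campaign described above and, going a little beyond the article, the variant where the real name is buried in a subdomain of an attacker's domain. The suffix list and the example hosts are constructed for the demo.

```python
"""Check whether a link's host really belongs to the expected site (added example)."""
from typing import Tuple
from urllib.parse import urlsplit

# Constructed, deliberately short suffix list for the demo. A production check should use
# the full Public Suffix List, which the standard library does not ship.
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "it", "uk", "co.uk"}


def split_host(host: str) -> Tuple[str, str, str]:
    """Split a host into (subdomains, registrable label, public suffix); '' where absent."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):                      # try the longer suffix (co.uk) before the shorter (uk)
        suffix = ".".join(labels[-n:])
        if suffix in PUBLIC_SUFFIXES and len(labels) > n:
            rest = labels[:-n]
            return ".".join(rest[:-1]), rest[-1], suffix
    return "", ".".join(labels), ""


def classify_link(url: str, expected_host: str) -> str:
    """Return 'legitimate', 'tld_swap', 'name_in_subdomain', 'unrelated' or 'invalid'."""
    host = urlsplit(url).hostname or ""   # .hostname drops user:pass@ and :port tricks
    if not host:
        return "invalid"
    _, exp_label, exp_suffix = split_host(expected_host)
    subs, label, suffix = split_host(host)
    if (label, suffix) == (exp_label, exp_suffix):
        return "legitimate"               # same registrable domain, any subdomain
    if label == exp_label and suffix != exp_suffix:
        return "tld_swap"                 # examplebank.net instead of examplebank.com
    if exp_label in subs.split("."):
        return "name_in_subdomain"        # www.examplebank.com.secure-login.net
    return "unrelated"


if __name__ == "__main__":
    known = "www.examplebank.com"         # constructed host of the "real" bank
    for link in ("https://www.examplebank.com/login",
                 "https://examplebank.net/login",
                 "https://www.examplebank.com.secure-login.net/reset",
                 "https://www.examplebank.com@secure-login.net/reset"):
        print(f"{classify_link(link, known):18} {link}")
```

The last sample shows why the check must be done on the parsed hostname rather than on the text of the link: everything before the `@` is user information, and the browser will connect to `secure-login.net`. A genuine certificate on any of the bogus hosts does not change the result, because the certificate only proves that the attacker controls the name they registered.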

If you have already entered your credentials on a suspicious site, change your passwords immediately and run an antivirus scan on your PC or device.

As always, use this knowledge responsibly by testing on your own devices and computers; doing so on devices or computers that are not yours is illegal.

Until the next article.

I accept no responsibility for the use you make of this guide, which is written for educational and training purposes.
