Iranian Hacker Group Beats 2FA with New Phishing Campaign Targeting Google Users



staged-phishing-link

A new phishing attack method shows that even the mighty two-factor authentication can be beaten without needing to possess a user’s mobile device.

We’d like to think that using Multi-Factor Authentication (MFA) surrounds the logon process with such a high level of security that it can’t be broken. But a recent phishing attack shows that simple mix of social engineering and quick backend hacking can successfully work around the most basic of MFA – two-factor, SMS one-time password (OTP) authentication.

Researchers at Certfa Labs recently identified the attack scheme created by the cybercriminal group Charming Kitten who was responsible for the hacking of HBO back in 2017). The phishing attack uses the Google’s Site Service (which uses the subdomain sites.google.com) to establish credibility and to deceive their potential victims.

Users are initially phished with either fake notifications of unauthorized access, or via bogus file sharing on Google Drive. In either case, the focus is to have the victim thinking they need to interact with Google. Doing so makes the stretch to requiring authentication, and then requiring the second factor, pretty reasonable.

Pages made to look like both Google authentication, as well as emails designed to invoke the use of 2FA to validate the user (shown below) are used in a contextually timely fashion to trick users to believe they are interacting with Google’s 2FA.

The bad guys are getting better and craftier at their art every day. Attacks like these would fool even the savviest of users. What organizations need to fend off attacks like this is a security-minded user who is constantly on-guard – even when the systems they interact with seem legitimate.

Security Awareness Training would teach users about the potential red flags that exist even in this very slick campaign – The initial phish involves files on a Google Drive, or a notification of improper access. It’s at this point that users should be scrutinizing the emails, questioning their legitimacy. Did they request a file from the sender? Does the access notification from Google look completely legitimate? Having a default mindset of asking questions when anything out of the ordinary comes in is one of the byproducts of users who continually go through Security Awareness Training.

 


Can Your MFA Solution Be Hacked?

48% of cybersecurity breaches are NOT preventable by strong multi-factor authentication. While MFA can decrease your cybersecurity risk, all MFA mechanisms can be hacked. KnowBe4’s Multi-Factor Authentication Security Assessment (MASA)  is a complimentary IT security tool that helps you gauge your organization's MFA security readiness and identifies your specific risks so you can better defend against MFA hacks.

mfa-security-assessment-reportHere's how MASA works:

  •  You will receive a custom link to take your assessment 
  • Answer a series of technology questions relevant to your MFA solution 
  • Get an instant high-level snapshot of potential risks with your MFA
  • Receive your in-depth report packed with actionable insight and detailed analysis on specific MFA attacks and tips for your top defenses 

 

Find out how hackable your MFA is now so you can take action to better protect your users and organization!!


Assess My MFA Solution Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/multi-factor-authentication-security-assessment

Subscribe To Our Blog


Ransomware Hostage Rescue Manual




Get the latest about social engineering

Subscribe to CyberheistNews