We all know that two-factor authentication (2FA) is much better than simple username/password credentials. However, there is a nasty spoofing trick that bypasses 2FA if the user does not pay attention. Warn your users with 2FA-enabled accounts against it; they are usually key people with access to sensitive information. The attacker first needs the target's credentials, which they get by either:
- Using creds from the massive databases with tens of millions of credentials that have surfaced in the last few weeks, notably from LinkedIn, MySpace and Twitter, or
- Sending a phishing email with a malicious attachment that installs a keylogger on the box and sends the credentials back to the hacker.
Once they have the creds, here are the 4 steps of how this scam goes down:
- The attacker sends the target a text message, spoofing the company the target has an account with. The text states that "suspicious" activity has been detected on the account, so the company is sending the target a 2FA code, which the target should text back to avoid having their account locked.
- The attacker logs into the account with the known credentials, which prompts the 2FA code to be sent to the target.
- The (worried) target, trying to prevent a negative consequence, texts the code back to the attacker, and by doing so hands the hacker just the thing they needed to break into the account.
- The hacker now enters the victim's 2FA code, and they're in. The French would say: "Simple comme Bonjour" (as easy as saying hello).
So, I would send an email to your employees, friends and family who have any of their accounts protected with 2FA. Feel free to copy/paste/edit:
"There is a new scam you need to watch out for if, when you log into your accounts, you have to wait for a text message on your phone and enter that code before you can log in. This more secure system is called '2-factor authentication'. These two factors are:
- one thing you need to know -- your password
- one thing you have to have -- the text code on your phone
Now, criminal hackers are trying to get past this with a nasty trick you need to watch out for. Tens of millions of hacked user names and passwords have recently surfaced -- yours may be one of them -- and they are using these for this scam.
They send you a fake (spoofed) text that looks like it's from the company you have an account with, claiming that your account may be hacked or that there is suspicious activity happening.
In the same text they say they will send you your verification code and that you need to send that right back to them or your account gets closed. But if you text that verification code back, you have given the hacker just the thing they needed to hack into your account!
TIP TO STAY SAFE
If your accounts are protected by 2-factor authentication, the only time you will be sent the code is to verify an attempt to log into your account. That means if you did not just try to log in and you suddenly receive a verification code through a text message to your smartphone, it is because a scammer who already has your user name and password is trying to hack into your account.
Never provide your verification code to anyone. Only enter it yourself into your smartphone or computer when you log into a 2-factor authentication protected account. And as a reminder, never give out personal information, such as your Social Security number or credit card numbers, in response to a text message (or email), because you simply cannot know for sure who is really on the other end of that communication line.
With data leaks happening more and more it is crucial that you use strong, unique passwords across all your accounts. If your data is in the hands of criminals you want them to have as little access as possible.
Remember, Think Before You Click!"
I would send this right away to people in Accounting, HR, Legal, and C-level execs that have 2FA accounts set up for them.
Let's stay safe out there.
Warm regards,
Stu
12 Ways to Defeat Multi-Factor Authentication
On-Demand Webinar
Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, will explore 12 ways hackers use social engineering to trick your users into revealing sensitive data or enabling malicious code to run. Plus, he'll share a (pre-filmed) hacking demo by KnowBe4's Chief Hacking Officer, Kevin Mitnick.