Cyber Security Articles & News

Hacker Kevin Mitnick shows how to bypass 2FA

A new exploit allows hackers to spoof two-factor authentication requests by sending a user to a fake login page and then stealing the username, password, and session cookie.

KnowBe4 Chief Hacking Officer Kevin Mitnick showed the hack in a public video. By convincing a victim to visit a typo-squatting domain like “LunkedIn.com” and capturing the login, password, and authentication code, the hacker can pass the credentials to the actual site and capture the session cookie. Once this is done the hacker can log in indefinitely. This essentially uses the one-time 2FA code as a way to spoof a login and grab data.

“A white hat hacker friend of Kevin’s developed a tool to bypass two-factor authentication using social engineering tactics – and it can be weaponized for any site,” said Stu Sjouwerman, KnowBe4 CEO. “Two-factor authentication is intended to be an extra layer of security, but in this instance, we clearly see that you can’t rely on it alone to protect your organization.”

White hat hacker Kuba Gretzky created the system, called evilginx, and describes its implementation in a wonderfully thorough post on his site.

Sjouwerman notes that anti-phishing education is deeply important and that a hack like this is impossible to complete if the victim is savvy about security and the dangers of clicking links that come into their email box. To demonstrate this, Sjouwerman sent me an email seemingly from Matt Burns talking about a typo in a post. When I clicked on it I was transferred to a SendGrid redirect site and dumped into TechCrunch – but the payload could have been more nefarious.
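The two link tricks the article mentions, a typo-squatted brand domain such as “LunkedIn.com” and a link that really points at a third-party redirector, are the kind of thing a mail gateway or URL filter can flag before a user clicks. The following is an added example, not code from the article, KnowBe4 or evilginx; the protected-brand list, sample URLs and the two-label domain rule are constructed assumptions.

```python
# Added example: flag look-alike and off-brand links in email before they are clicked.
# Not part of the article or of KnowBe4's/evilginx's code; brand list is constructed.
from urllib.parse import urlparse

PROTECTED_DOMAINS = ["linkedin.com", "techcrunch.com", "knowbe4.com"]  # constructed list


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent transposition,
    so 'lunkedin' and 'linkedni' are both distance 1 from 'linkedin'."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # transposition
        prev2, prev1 = prev1, cur
    return prev1[-1]


def registrable_domain(url: str) -> str:
    """Last two labels of the hostname. Assumption: a two-label suffix is enough
    here; a production filter should consult the Public Suffix List instead."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def classify_link(url: str, max_distance: int = 2):
    """Return ('legitimate' | 'lookalike' | 'unknown', matched domain)."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    dom = registrable_domain(url)
    if dom in PROTECTED_DOMAINS:
        return ("legitimate", dom)
    for brand in PROTECTED_DOMAINS:
        # Brand name embedded in an attacker-controlled hostname, e.g. linkedin.com.<other>.test
        if brand in host:
            return ("lookalike", brand)
        # Typo-squat: compare the label left of the TLD, e.g. 'lunkedin' vs 'linkedin'
        if damerau_levenshtein(dom.split(".")[0], brand.split(".")[0]) <= max_distance:
            return ("lookalike", brand)
    # Neither a protected brand nor close to one: e.g. a tracking/redirect host
    return ("unknown", dom)


if __name__ == "__main__":
    for u in ("https://www.linkedin.com/login", "https://lunkedin.com/login",
              "https://linkedin.com.accounts-verify.test/login",
              "https://u123.ct.sendgrid.net/ls/click?x=1"):
        print(u, "->", classify_link(u))
```

A redirector link such as the SendGrid one in the article lands in the "unknown" bucket, which is the cue to resolve the redirect server-side and classify the final destination rather than the visible link.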

For this cool article and other great tech news to chew on, visit the source.

Source: TechCrunch

Topics: session cookie capture, Stu Sjouwerman, typo-squatting, evilginx, fake login page, Two-Factor Authentication, hackers, keynote speaker, KnowBe4, username theft, anti-phishing education, 2FA code, password theft, Kevin Mitnick, Kuba Gretzky
