Cyber Security Articles & News

Phishing Attack Bypasses Two-Factor Authentication

Hacker Kevin Mitnick demonstrates a phishing attack designed to abuse multi-factor authentication and take over targets' accounts.

Businesses and consumers around the world are encouraged to adopt two-factor authentication as a means of strengthening login security. But 2FA isn't ironclad: attackers are finding ways to circumvent the common best practice. In this case, they use social engineering.

A new exploit, demonstrated by KnowBe4 chief hacking officer Kevin Mitnick, lets threat actors access target accounts with a phishing attack. The tool to do this was originally developed by white hat hacker Kuba Gretzky, who dubbed it evilginx and explains it in a technical blog post.

It starts with typosquatting, a practice in which hackers create malicious URLs designed to look similar to websites people know. Mitnick starts his demo by opening a fake email from LinkedIn and points out its origin is "llnked.com" - a misspelling people will likely overlook.

Those who fall for the trick and click the email's malicious link are redirected to a login page where they enter their username, password, and eventually an authentication code sent to their mobile device. Meanwhile, the attacker can see a separate window where the victim's username, password, and a different six-digit code are displayed.

"This is not the actual 6-digit code that was intercepted, because you can't use the 6-digit code again," Mitnick says in the demo. "What we were able to do was intercept the session cookie."

Read the whole cool article at the source.

Source: DARKReading

Topics: Social Engineering, session Cookie intercept, Stu Sjouwerman, fake email, typosquatting, @FA, Hacker, keynote speaker, KnowBe4, LinkedIn, malicious URL, two-factor authentication bypass, phishing attack, Kevin Mitnick, Kuba Gretzky, multi-factor authentication

Latest Posts

Kevin offers three excellent presentations, two are based on his best-selling books. His presentations are akin to technology magic shows that educate and inform while keeping people on the edge of their seats. He offers expert commentary on issues related to information security and increases “security awareness.”

6 Types of Social Engineering Attacks

Social engineering attacks account for a massive portion of all cyber attacks, and studies show that these attacks are on the rise. According to KnowB..

Read more ›

Decoding Pentesting Report Lingo: The Ultimate Glossary

You know that penetration tests are important to run— and that more and more companies are integrating them into their annual cybersecurity initiative..

Read more ›

What is Multi-Factor Authentication & How Does it Work?

It seems that everything we use these days requires a password. From email and social media accounts to everything in between, we always need a passwo..

Read more ›
tech-texture-bg