Countering Modern Phishing Attacks With Strong 2FA
No one wants to find out the hard way that they have fallen for a phishing scam. There is no shortage of characters on the internet who are more than happy to separate you from your hard-earned money, or even worse: they could potentially steal your house right from under you. No one ever thinks it will happen to them, but time and again the empirical evidence points to the contrary. Over time, phishing attacks have evolved to the point where there are now full-fledged tool suites available to testers…and attackers alike.
Modlishka and SMS-Based 2FA
The latest iteration is the Modlishka phishing tool, which gives the attacker a simple way to place a reverse proxy between the user and the target site. The user’s traffic passes through the tool, which can capture SMS-based 2FA tokens. Assuming the attacker acts within the allotted time, they could possibly gain access to the victim’s accounts. But for this to work, the attacker would need to be watching at the right time and have valid TLS certificates configured. There are moving parts that need to be in place for this to be a successful attack.
This begs the question: how do we avoid getting phished in the first place?
The State of Phishing
First off, what is phishing? For the uninitiated, it is the practice of sending emails and text messages that are made to appear as if they originate from a legitimate and reputable company. The attacker’s aim is to convince the recipient to click on a link that may lead to passwords being purloined, credit card numbers being stolen or even malicious code being installed on the victim’s system or device.
To illustrate the prevalence of phishing, let’s look at some data from our free Duo Insight tool. Based on 7,500 phishing simulation campaigns Duo has conducted in the past two years on more than 400,000 recipients, 39 percent of recipients opened the phishing email and 20 percent of recipients clicked the link, making them susceptible to having malware or ransomware installed on their device. Ten percent of recipients entered credentials. All told, 60 percent of phishing campaigns were successful in capturing at least one person’s login credentials.
Tips to Avoid Being Phished
So, how does one avoid this sort of attack? The first thing to keep in mind is to maintain a healthy paranoia. This is not to say you should wrap your head in tinfoil and be overly concerned about the van on the street that has been delivering flowers from “Flowers By Irene” for the last several days. No, that would be a bridge too far. What is more salient to the discussion is to have a filter in your brain that says “Hold on a tick. Do I really want / need to click that link?” It’s OK to pause for a moment and run that logic through your mind.
A second thing to keep in mind is to make sure that your system software is up to date. This can help the average Internet denizen avoid having to contend with a lot of the security issues that haunt people online. Case in point, I set my parents’ computer to auto update and the number of “help desk” calls has dropped precipitously. You can also make sure that your web browser is the latest and greatest to help reduce the risk of an attack.
When you conduct business with a website, check whether it offers a two-factor authentication (2FA) option. Static passwords in their own right are a hobgoblin that plagues us. Attackers understand human nature well enough that when they compromise a website they will take the pilfered credentials and test them against other websites. The rationale here is that people reuse passwords on multiple sites.
A way to combat this behavior is to use a password manager. There are multiple options out there such as 1Password, Lastpass, Dashlane and so forth. All of these will go a long way to helping change user behavior. If we can help people to help themselves this would help improve the security posture for many online today.
Apply common sense wherever it is possible to do so. What are the odds that you have a long lost uncle in Nigeria who has found you and is yearning to give you millions? You laugh but it happens. Don’t give out your personal information unless absolutely necessary. If you’re unsure about a website you’re using, don’t hesitate to call said company and ask if this is in fact their website and validate that they need the personal information.
Defense in Depth
Modlishka is the latest tool that has allegedly been used to bypass certain forms of 2FA, and it represents the continuing evolution of the phishing threats that organizations and users face. It highlights the importance not only of implementing the strongest forms of 2FA, such as mobile push-based 2FA and U2F security keys, but also of complementing them with additional device requirements and security policies, which can ensure that only corporate-owned and managed devices can access data and applications.
Duo is committed to the development of unphishable 2FA protocols as part of the W3C WebAuthn working group, which strengthen authentication and trusted access.
Duo recommends using the strongest forms of 2FA to defend against credential theft, making users less attractive targets. We also give our customers the choice of safer authentication methods, such as mobile push-based 2FA and U2F security keys, which reduce the risk of credential theft and phishing.
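The following is an added example (not Duo’s or Modlishka’s code) that ties the reverse-proxy scenario from the Modlishka section to the U2F/WebAuthn recommendation above: it shows why a proxy sitting between the user and the site can relay an SMS code unchanged, but not a U2F/WebAuthn assertion, because the browser writes the page’s origin into the signed client data and the relying party checks it. The domain names are constructed, and an HMAC over a constructed key stands in for the security key’s per-credential ECDSA signature.

```python
import hashlib, hmac, json, secrets

# Constructed names: the relying party (RP) and the attacker's proxy domain.
RP_ID = "bank.example"
RP_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-login.example"
# Stand-in for the registered credential key (HMAC instead of ECDSA keeps it short).
CRED_KEY = secrets.token_bytes(32)

def authenticator_sign(page_origin: str, challenge: str):
    # Browser + security key side: the browser, not the page, fills in the
    # origin and derives the RP ID from it, and both end up under the signature.
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    auth_data = hashlib.sha256(page_origin.split("://", 1)[1].encode()).digest() + b"\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()  # rpIdHash+flags || H(clientData)
    return client_data, auth_data, hmac.new(CRED_KEY, signed, hashlib.sha256).digest()

def rp_verify(client_data: bytes, auth_data: bytes, sig: bytes, challenge: str) -> bool:
    # RP side: fresh challenge, origin binding, RP ID, then the signature.
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(CRED_KEY, signed, hashlib.sha256).digest(), sig)

def sms_otp_relayed() -> bool:
    # SMS OTP: the RP sees only a six-digit string, so a code relayed by the proxy verifies.
    code_sent = "493027"       # constructed code texted to the victim
    code_received = code_sent  # typed into the proxy page, forwarded unchanged
    return hmac.compare_digest(code_sent, code_received)

def webauthn_relayed(rewrite_origin: bool = False) -> bool:
    # WebAuthn: the real RP issues the challenge, the victim's browser signs it under
    # the proxy's origin, and the RP rejects it; editing the origin in transit breaks the signature.
    challenge = secrets.token_urlsafe(32)
    client_data, auth_data, sig = authenticator_sign(PHISH_ORIGIN, challenge)
    if rewrite_origin:
        client_data = client_data.replace(PHISH_ORIGIN.encode(), RP_ORIGIN.encode())
        auth_data = hashlib.sha256(RP_ID.encode()).digest() + auth_data[32:]
    return rp_verify(client_data, auth_data, sig, challenge)

def webauthn_legitimate() -> bool:
    challenge = secrets.token_urlsafe(32)
    return rp_verify(*authenticator_sign(RP_ORIGIN, challenge), challenge)
```

Running the four functions shows the asymmetry: the legitimate assertion and the relayed SMS code both verify, while the relayed assertion fails on the origin check and the edited one fails on the signature.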
At the same time, organizations can enforce additional device requirements for additional security, which can make sure a device is corporate-owned and managed when it accesses applications.