Recently, security experts have shared warnings about a new type of hack that bypasses two-factor authentication (2FA). It is important to note, however, that 2FA is still recommended as a very effective cybersafety practice to help protect internet users against attacks.
In order to learn more about how this threat occurs and what you can do about it, NCSA spoke with Tonia Dudley, Director, Security Solution Advisor at Cofense and NCSA board member.
- Hackers have recently created a new, automated phishing attack which basically cuts through additional layers of security, like 2FA. What exactly is it? How does it work?
Technically, it’s been possible to proxy passwords and PIN codes for certain implementations of 2FA ever since the inception of the technologies. The renewed interest in this attack is because two new tools, namely Muraena and NecroBrowser, make the hack much easier to pull off. The attacker configures these tools to host a phishing site, lure the victim to the site, and if successful, relay the stolen username, password and 2FA code to access the site or service as the victim.
- What does this mean for internet users – both at home and at work?
All the conventional anti-phishing advice still applies. First and foremost: be vigilant and aware of common phishing emails. Even though the tooling of the attackers adapts, their phishing lure stories are still reusing the same tired themes. Someone logged into your account? Overdue invoice? Package delivery? Someone sent you a voicemail? Over-the-top sense of urgency? If it sounds phishy, don’t click the link! This goes for both your personal and work email accounts.
You received an email from Dropbox saying someone logged into your account? Inspect the link before you click it. Better yet, don’t click it. Open a browser window or tab and go to https://dropbox.com on your own. This method should always be used if you received this type of email out of the blue, especially for your bank account! These days, financial institutions will often send you a message to log into your account – without giving you a link – directing you to go to their website and see your secure messages within their platform.
No matter what type of message you receive – email, social media message or text – the advice is still the same: don’t click and definitely don’t log in to the site.
- How does this new type of attack increase the threat level to small businesses?
The same anti-phishing advice applies to businesses as it does to individuals. Apart from that, attacks like this are worrisome because a small business that has not rolled out multifactor authentication (MFA) will not read beyond the headline “Hackers defeat 2FA” and walk away thinking “Why bother implementing 2FA in the first place?” It must be emphasized that not all implementations of MFA are created equal and not all are defeated by this threat. Businesses have the option of using push-based MFA or a physical device such as a key or token.
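An added illustration, not part of the interview and not Cofense code, of the point made in the two answers above: a code-based second factor can be forwarded through a phishing proxy because the real site only checks the digits, while an origin-bound authenticator (the "physical key" case) is rejected because the origin the browser actually showed is covered by the signature. The seeds, origins and challenge are constructed, and an HMAC with a per-device secret stands in for a security key's public-key signature.

```python
import hashlib, hmac, json, struct

# Constructed sample values for the simulation; none of these are real secrets or sites.
TOTP_SEED = b"constructed-shared-totp-seed"
DEVICE_KEY = b"constructed-security-key-secret"
REAL_ORIGIN = "https://accounts.example.test"
PHISH_ORIGIN = "https://accounts-example.test"   # lookalike domain fronting the proxy

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the code a phone app would display."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def site_verify_totp(seed: bytes, submitted: str, unix_time: int) -> bool:
    """The real site checks only the digits; it cannot tell where they were typed."""
    return hmac.compare_digest(submitted, totp(seed, unix_time))

def authenticator_sign(device_key: bytes, challenge: str, origin: str) -> dict:
    """Origin-bound authenticator: the browser reports the origin it is showing and
    that origin is covered by the signature. HMAC with a per-device secret stands in
    for a security key's public-key signature; the binding logic is the same."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
    sig = hmac.new(device_key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}

def site_verify_origin_bound(device_key: bytes, assertion: dict,
                             expected_challenge: str, expected_origin: str) -> bool:
    """Accept only a valid signature over OUR challenge and OUR origin. A relayed
    assertion names the lookalike origin; rewriting that field breaks the signature."""
    expected_sig = hmac.new(device_key, assertion["client_data"].encode(),
                            hashlib.sha256).hexdigest()
    if not hmac.compare_digest(assertion["sig"], expected_sig):
        return False
    data = json.loads(assertion["client_data"])
    return data["challenge"] == expected_challenge and data["origin"] == expected_origin

def simulate_relay(unix_time: int = 1_700_000_000) -> dict:
    """Victim logs in on the lookalike page; the proxy forwards both factors unchanged."""
    relayed_code = totp(TOTP_SEED, unix_time)          # digits typed into the lookalike page
    totp_accepted = site_verify_totp(TOTP_SEED, relayed_code, unix_time)
    challenge = "constructed-challenge-123"            # issued by the real site, passed through
    relayed = authenticator_sign(DEVICE_KEY, challenge, PHISH_ORIGIN)  # browser showed PHISH_ORIGIN
    key_accepted = site_verify_origin_bound(DEVICE_KEY, relayed, challenge, REAL_ORIGIN)
    return {"totp_relay_accepted": totp_accepted, "key_relay_accepted": key_accepted}
```

Running `simulate_relay()` returns `{'totp_relay_accepted': True, 'key_relay_accepted': False}`: the forwarded one-time code is indistinguishable from a legitimate login, while the origin check alone stops the relayed key assertion.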
- What can be done to educate users to be vigilant? What do users need to look for?
Awareness education fills the void when a technical control does not exist or is chronically fallible. All of the conventional anti-phishing advice still applies, with being vigilant and aware of common phishing emails at the top of the list. Even though the attacker’s approach and tools adapt, their phishing lure stories are still reusing the same tired themes.
- Since Cofense enables companies to harness the power of their people to discover and respond to phishing attacks, what additional advice can you share to combat this new threat?
If you can make your organization more resilient to phishing attacks, some will fall prey, but more will report active attacks in progress. For instance, our energy customers have a resiliency score of 5 to 1. That means for every one human that clicks a phish link or attachment, five others reported it. That is real actionable intelligence that security operations teams can use to stop breaches. Harnessing the power of your vigilant workforce is the only way to sideline a phish in progress. This isn’t theoretical. Our customers are stopping the very same threat actors called out in The Mueller Report.
- What does this new type of phishing attack mean for the future of account security and authentication?
As mentioned, these techniques have been known for quite some time. Unfortunately, it sometimes takes an increase in actual exploitation to catalyze adoption of new standards. We should also mention, just because these tools exist, doesn’t mean organizations or individuals shouldn’t use multifactor for their accounts. When threat actors see that an organization has multifactor enabled, they move on to one that doesn’t.
Tonia Dudley is Director, Security Solution Advisor at Cofense and an NCSA board member. In this role, she focuses on phishing defense advocacy while demonstrating how Cofense solutions help organizations across the globe minimize the impact of attacks while reducing the cost of operations.