
S I M Technology Blog

With Phishing Attacks Beating 2FA, You Need to Be Able to Spot Them

Unfortunately, one of the most effective defenses against phishing attacks has become a lot less dependable. This means that you and your users must be ready to catch these attempts yourselves. Here, we'll review a few newer techniques that can be built into a phishing attempt, and how you and your users can better identify them.

How Has Two-Factor Authentication (2FA) Been Defeated?

There are a few different methods that have been leveraged to bypass the security benefits that 2FA is supposed to provide.

At the most basic level, some phishing pages simply ask the victim for the 2FA code as well as the password. According to Amnesty International, one group of attackers has been sending phishing emails that link to a convincing but fake page for resetting a Google password; the page collects the password and then prompts for the verification code that the real login attempt triggers. Fake emails like this can look very convincing, which makes the scheme that much more effective.

As Amnesty International investigated these attacks, they found that the attackers were also using automation to launch Chrome and submit whatever the victim entered to the real site as soon as it was typed. A time-based code is only valid for about 30 seconds, but the relay happens inside that window, so the time limit was no obstacle.

In November 2018, an application on a third-party app store posing as an Android battery optimization tool was found to be stealing money from users' PayPal accounts. The app asked the user to enable a malicious accessibility service. With that permission, it waited for the user to open the legitimate PayPal app and log in (completing 2FA themselves), then simulated the user's taps to send funds to the attacker's PayPal account. The second factor was never broken; the malware simply acted inside a session the user had already authenticated.

Another method was shared publicly by Piotr Duszyński, a Polish security researcher, as a tool named Modlishka. It is a reverse proxy: the victim visits a lookalike domain, Modlishka fetches the real site's pages and passes them through, and it records the credentials and any 2FA code as they travel on to the real website, so the login succeeds and the theft goes unnoticed. Because the code is relayed in real time it is consumed before it expires, and Modlishka also captures the resulting authenticated session cookies, so the attacker does not need to be watching at that moment to take over the account.

How to Protect Yourself Against 2FA Phishing

First and foremost, 2FA isn't impenetrable, but you don't want to give it up completely; some forms of it are simply much better than others. Codes sent by SMS or generated by an authenticator app can be typed into a fake page and relayed, as described above. At the moment, the safest form of 2FA is a hardware security key using the U2F protocol (now part of FIDO2/WebAuthn): the key signs a challenge together with the origin the browser is actually on, so a response obtained on a lookalike domain is rejected by the real site, and there is no code for the user to hand over.
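To make the difference concrete, here is an added Python example (not from the original post, and not code from Modlishka or from any security key vendor) that plays through both the relay attack described above and the origin check that defeats it. The origins, password and TOTP seed are constructed for the demo, and an HMAC-SHA256 stands in for the ECDSA P-256 signature a real U2F key would produce, so the whole thing runs on the standard library.

```python
# Added example (not from the original post or from Modlishka).  Origins and
# secrets are constructed; HMAC-SHA256 stands in for the ECDSA P-256 signature
# a real security key produces, so only the standard library is needed.
import hashlib
import hmac
import os
import struct

REAL_ORIGIN = "https://accounts.example.com"     # constructed: the impersonated site
PHISH_ORIGIN = "https://accounts-example.com"    # constructed: the proxy's lookalike domain

def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", int(unix_time // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class TotpLogin:
    """The real site: checks the password and whatever code is valid right now."""
    def __init__(self, password: str, totp_secret: bytes):
        self.password = password
        self.secret = totp_secret
    def login(self, password: str, code: str, unix_time: float) -> bool:
        pw_ok = hmac.compare_digest(password.encode(), self.password.encode())
        return pw_ok and hmac.compare_digest(code, totp(self.secret, unix_time))

def demo_totp_relay() -> bool:
    """Victim types password and code into the fake page; the proxy submits
    both to the real site five seconds later, inside the same 30-second step."""
    secret = b"constructed-totp-seed-12"
    site = TotpLogin("hunter2", secret)
    t_victim = 1_700_000_010.0                       # victim reads the code now
    typed_code = totp(secret, t_victim)
    return site.login("hunter2", typed_code, t_victim + 5)   # True: attacker is in

class SecurityKey:
    """U2F-style authenticator.  The browser, not the page, tells the key which
    origin it is on, and the key signs that origin together with the challenge."""
    def __init__(self):
        self._key = os.urandom(32)
    def sign(self, challenge: bytes, browser_origin: str):
        client_data = challenge + browser_origin.encode()   # 32-byte challenge, then origin
        return client_data, hmac.new(self._key, client_data, hashlib.sha256).digest()
    def verify(self, client_data: bytes, signature: bytes) -> bool:
        # Stands in for public-key verification at the site (HMAC here, ECDSA in reality).
        expected = hmac.new(self._key, client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)

class U2fLogin:
    """The real site: single-use challenges, and the signed origin must be its own."""
    def __init__(self, origin: str, registered_key: SecurityKey):
        self.origin = origin
        self.key = registered_key
        self.outstanding = set()
    def challenge(self) -> bytes:
        c = os.urandom(32)
        self.outstanding.add(c)
        return c
    def login(self, client_data: bytes, signature: bytes) -> bool:
        challenge, origin = client_data[:32], client_data[32:]
        if challenge not in self.outstanding:
            return False
        self.outstanding.discard(challenge)          # no replay
        if origin != self.origin.encode():           # the origin-binding check
            return False
        return self.key.verify(client_data, signature)

def demo_key_legit() -> bool:
    """User on the real site: origin matches and the signature verifies."""
    key = SecurityKey()
    site = U2fLogin(REAL_ORIGIN, key)
    client_data, sig = key.sign(site.challenge(), REAL_ORIGIN)
    return site.login(client_data, sig)              # True

def demo_key_relay() -> tuple:
    """Proxy fetches a genuine challenge and has the victim's browser, which is
    on the lookalike domain, sign it.  Forwarding the response unchanged fails
    the origin check; patching the origin to the real one breaks the signature."""
    key = SecurityKey()
    site = U2fLogin(REAL_ORIGIN, key)
    chal_a = site.challenge()
    client_data, sig = key.sign(chal_a, PHISH_ORIGIN)
    forwarded_ok = site.login(client_data, sig)                    # False
    chal_b = site.challenge()
    _, sig = key.sign(chal_b, PHISH_ORIGIN)
    patched_ok = site.login(chal_b + REAL_ORIGIN.encode(), sig)    # False
    return forwarded_ok, patched_ok
```

The point of the two halves is the data being signed. A TOTP code depends only on a shared secret and the clock, so anyone who sees it within the window can use it. The security key's response covers the origin the browser reports, which the phishing page cannot influence, so the proxy either forwards a response naming the wrong origin or tampers with it and invalidates the signature.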

Even more importantly, you need your entire team to be able to identify the signs of a phishing attempt. While attacks like these can make it more challenging, a little bit of diligence can assist greatly in preventing them.

When all is said and done, 2FA phishing is just like regular phishing; there's just the extra step of replicating the prompt for a second authentication factor. Therefore, the general best practices for avoiding any misleading or malicious website apply.

First of all, double-check that you're actually on the website you meant to visit. For instance, if you're trying to access your Google account, the login URL won't be www - logintogoogle - dot com. Website spoofing is a very real way that attackers (as evidenced above) try to fool users into handing over credentials. Judge by the domain in the address bar, not by how the page looks, since a reverse proxy serves you the real site's own pages.
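One way to make that domain check mechanical, as an added Python example that is not from the original post: parse the URL the way a browser does and compare the resulting origin against an exact allowlist. The allowlist and the sample URLs below are constructed for the demo; they cover the lookalike name from the post plus a few tricks (userinfo before an @, the real name used as a subdomain, the wrong scheme, and Cyrillic homoglyphs) that fool the eye but not a proper comparison.

```python
# Added example (not from the original post): decide whether a login URL really
# points at the site you intend, resolving it the way a browser would.  The
# allowlist and sample URLs are constructed for the demo.
from urllib.parse import urlsplit

TRUSTED_LOGIN_ORIGINS = {"https://accounts.google.com"}   # exact origins you sign in to

def observed_origin(url: str):
    """Origin (scheme://host[:port]) the browser would actually connect to,
    or None when the URL is unparseable or the host cannot be encoded."""
    try:
        parts = urlsplit(url)
        host = parts.hostname     # lowercased; userinfo ("x@") and port already stripped
        port = parts.port         # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if not parts.scheme or not host:
        return None
    try:
        host = host.encode("idna").decode("ascii")   # non-ASCII lookalikes become xn-- labels
    except UnicodeError:
        return None
    scheme = parts.scheme.lower()
    default_port = {"https": 443, "http": 80}.get(scheme)
    if port is not None and port != default_port:
        host = f"{host}:{port}"
    return f"{scheme}://{host}"

def is_trusted_login_url(url: str) -> bool:
    origin = observed_origin(url)
    return origin is not None and origin in TRUSTED_LOGIN_ORIGINS

# Constructed samples: what the eye sees versus where the browser goes.
SAMPLES = {
    "https://accounts.google.com/signin": True,
    "https://accounts.google.com:443/signin": True,               # explicit default port
    "https://www-logintogoogle.com/signin": False,                # the post's example
    "https://accounts.google.com@www-logintogoogle.com/": False,  # userinfo trick
    "https://accounts.google.com.evil.example/": False,           # real name as a subdomain
    "http://accounts.google.com/": False,                         # wrong scheme
    "https://accounts.g\u043e\u043egle.com/": False,              # Cyrillic "o" homoglyphs
}

def check_samples() -> dict:
    """Run every sample through the check; the result should equal SAMPLES."""
    return {url: is_trusted_login_url(url) for url in SAMPLES}
```

The comparison is deliberately exact: an origin either is on the list or it is not. "Contains google.com" or "ends with google.com" is how the subdomain and userinfo tricks get through.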

There are many other signs that a website or an email may be an attempt to phish you. Google has put together a very educational online activity on one of the many websites owned by Alphabet, Inc. Put your phishing identification skills to the test there, and encourage the rest of your staff to do the same!

For more best practices, security alerts, and tips, make sure you subscribe to our blog, and if you have any other questions, feel free to reach out to our team by calling (845) 208-0453.

Tuesday, April 23 2019