With Phishing Attacks Beating 2FA, You Need to Be Able to Spot Them


Unfortunately, one of the most effective defenses against phishing attacks has suddenly become a lot less dependable. This means that you and your users must be ready to catch these attempts instead. Here, we’ll review a few new attacks that can be included in a phishing attempt, and how you and your users can better identify them for yourselves.

How Has Two-Factor Authentication (2FA) Been Defeated?

There are a few different methods that have been leveraged to bypass the security benefits that 2FA is supposed to provide.

On a very basic level, some phishing attacks have been successful in convincing the user to hand over their credentials and the 2FA code that is generated when a login attempt is made. According to Amnesty International, one group of hackers has been sending out phishing emails that link the recipient to a convincing, yet fake, page to reset their Google password. In some cases, fake emails like this can look very convincing, which makes this scheme that much more effective.

As Amnesty International investigated these attacks, they found that the attackers also used automation to launch Chrome and immediately submit whatever the user had typed into the fake page. This means that the 30-second time limit on 2FA codes was of no concern to them.

In November 2018, an application on a third-party app store disguised as an Android battery utility tool was discovered to actually be a means of stealing funds from a user’s PayPal account. To do so, this application would alter the device’s Accessibility settings to enable the accessibility overlay feature. Once this was in place, the user’s clicks could be mimicked, allowing an attacker to send funds to their own PayPal account.

Another means of attack was actually shared publicly by Piotr Duszyński, a Polish security researcher. His tool, named Modlishka, runs a reverse proxy that sits between the user and the real site: it intercepts and records credentials as the user types them into the impersonated website, then forwards them to the real website, so the login succeeds and the theft goes unnoticed. Worse, if the person operating Modlishka is watching in real time, they can capture the 2FA code as well and quickly use it themselves.

How to Protect Yourself Against 2FA Phishing

First and foremost, while it isn’t an impenetrable method, you don’t want to pass up on 2FA completely, although some methods of 2FA are becoming much more preferable than others. At the moment, the safest form of 2FA is to utilize hardware tokens with U2F protocol.

Even more importantly, you need your entire team to be able to identify the signs of a phishing attempt. While attacks like these can make it more challenging, a little bit of diligence can assist greatly in preventing them.

When all is said and done, 2FA phishing is just like regular phishing… there’s just the extra step of replicating the prompt for a second authentication factor. Therefore, a few general best practices for avoiding any misleading or malicious website should suffice.

First of all, you need to double-check and make sure you’re actually on the website you wanted to visit. For instance, if you’re trying to access your Google account, the login URL won’t be www - logintogoogle - dot com. Website spoofing is a very real way that (as evidenced above) attackers try to fool users into handing over credentials.
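The URL check above can be made mechanical. The following is an added example, not code from this article: a small checker that accepts a login page only when the scheme is https and the hostname exactly matches an allowlist, and that explains which spoofing trick a rejected URL uses. The allowlist, brand words and sample URLs are constructed for illustration; the second sample mirrors the article's www.logintogoogle.com example.

```python
from urllib.parse import urlsplit

# Exact hostnames of the real login pages. Constructed allowlist for this
# example; a real deployment would load it from configuration.
TRUSTED_LOGIN_HOSTS = {"accounts.google.com", "login.microsoftonline.com"}
# Brand words that spoofed domains like to borrow (constructed list).
BRAND_WORDS = ("google", "microsoft")


def host_of(url: str) -> str:
    """Lower-cased hostname of the URL, or '' if it has none."""
    return (urlsplit(url.strip()).hostname or "").lower().rstrip(".")


def is_trusted_login_url(url: str) -> bool:
    """Exact match on scheme and host only. No substring or 'contains the
    brand name' logic: that is precisely what spoofed domains exploit."""
    parts = urlsplit(url.strip())
    return parts.scheme.lower() == "https" and host_of(url) in TRUSTED_LOGIN_HOSTS


def classify(url: str) -> str:
    """Explain why a URL is or is not a trusted login page (for user training)."""
    parts = urlsplit(url.strip())
    host = host_of(url)
    if not host:
        return "untrusted: no hostname"
    if is_trusted_login_url(url):
        return "trusted"
    if parts.scheme.lower() != "https" and host in TRUSTED_LOGIN_HOSTS:
        return "untrusted: real host but not https"
    if parts.username:
        # https://accounts.google.com@evil.example/ : the part before '@' is
        # user info, and the browser actually connects to evil.example.
        return f"lookalike: credentials-in-URL trick, real host is {host}"
    if any(host.startswith(t + ".") for t in TRUSTED_LOGIN_HOSTS):
        return "lookalike: real host name used as a subdomain of another domain"
    if any(b in host for b in BRAND_WORDS):
        return "lookalike: brand name inside an unrelated domain"
    return "untrusted: unknown host"


# Constructed sample URLs for demonstration.
SAMPLES = [
    "https://accounts.google.com/signin/v2",
    "https://www.logintogoogle.com/",
    "https://accounts.google.com.verify-session.example/",
    "https://accounts.google.com@evil.example/login",
    "http://accounts.google.com/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{classify(u):68} {u}")
```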

There are many other signs that a website, or an email, may be an attempt to phish you. Google has actually put together a very educational online activity on one of the many websites owned by Alphabet, Inc. Put your phishing identification skills to the test by visiting https://phishingquiz.withgoogle.com/, and encourage the rest of your staff to do the same!

For more best practices, security alerts, and tips, make sure you subscribe to our blog, and if you have any other questions, feel free to reach out to our team by calling 321-259-5500.
