Email Security Blog

Preventing Phishing Attacks: The Dangers of Two-Factor Authentication

Ramon Peypoch June 8, 2020 Account Takeover, Phishing

Are you protecting your remote workers against an endless barrage of COVID-19 related phishing attacks by requiring 2-factor authentication (2FA) to log into employee email accounts? Smart move—just don’t let it give you a false sense of security. 

With more than 75 million employees working from home due to the pandemic, the attack surface available to cybercriminals and a growing number of state-sponsored threat actors has expanded dramatically. Malicious links and attachments are far from the only tricks email attackers have up their sleeves.

Since the start of the year, there has been a staggering increase in credential harvesting campaigns aiming to pilfer employee login credentials to Microsoft Office 365, Gmail and other popular cloud email platforms and services, including OneDrive, Sway, Teams, and more. Sixty-five percent of these assaults involved Google’s file sharing and storage sites, according to TechRepublic. 

The wide availability of phishing attack kits for setting up bogus login pages, and more recently phishing-as-a-service rackets, combined with anxious employees who are more dependent than ever on email and cloud-connected collaboration tools, makes for a particularly combustible mix. 

When cybersecurity experts are asked about the best ways to curb these attacks their remedies almost always include 2FA. And to be clear, it’s solid advice: 2FA plays an important role in login security for many businesses. But it’s not even remotely sufficient on its own. 

In fact, the widespread perception that 2FA is the ultimate, failsafe security measure could be increasing your exposure to risk instead of reducing it.  

2FA and the ATO Arms Race

How could this be possible? Isn’t 2FA a powerful antidote to account takeover (ATO) attacks? The answer that comes to mind is absolutely, positively yes-ish, at least as long as it’s part of a multi-layered approach to security.  

By requiring two forms of proof, in this case “something you know” (your password) and “something you have” (typically your phone, proven by a one-time passcode sent to it or generated by an authenticator app), 2FA makes it much, much harder for attackers armed with a stolen password to hijack your account.

Yet even as 2FA has seen explosive growth in recent years, so has the number of successful account takeover attacks. According to Verizon’s 2020 Data Breach Investigations Report, nearly 40% of all data breaches involve stolen credentials.   

With our heightened dependence on collaboration tools such as Slack, Teams, Zoom, G Suite and so forth, a successful email ATO gives infiltrators a launching point inside an organization’s own systems. Attacks on web applications, the category that covers logins to cloud email and collaboration services, were part of 43% of breaches, more than double the year before, Verizon reports, and stolen credentials were used in over 80% of those. The price tag is steep: according to the Ponemon Institute, a successful breach costs US-based businesses nearly $8.2 million on average.

Just as quickly as the use of 2FA has been increasing, cybercriminals have been finding cunning new ways to circumvent it. 

A Mask Most Deceptive

SIM-swapping attacks are up over the last year, but so are more cunning approaches. Tools available in some phishing attack kits, for instance, can now capture 2FA passcodes just as easily as login credentials. 

Targets may receive a fraudulent “password reset” or “action required” alert with a link that points to a phishing page that looks identical to their corporate cloud email or collaboration site, or even to their personal or business bank login.

When users enter their login and the 2FA passcode, the kit immediately relays them to the legitimate site it is impersonating and signs in as the victim before the one-time code, typically valid for about 30 seconds, expires. Kits that operate as a live reverse proxy can also capture the session cookie the real site issues after login, so the attacker never needs the code again. Kits found in the wild include tools for keeping track of hacked accounts belonging to potentially tens of thousands of victims.

If that’s too much trouble, there are simple social engineering tricks that work just fine. Cybercriminals holding a stolen password for a bank account or a sensitive corporate system can start a real login with it, which prompts the bank to send the genuine passcode to the customer’s phone. They then text the customer a fraudulent “unauthorized login” alert, adding, “If this was NOT you, please text back the code we just sent you.”

For employees navigating the countless kinks that come with a mass shift to remote working, it may be all too easy to take the bait. 

Throw Up More Hurdles, or Avoid Attacks Altogether?

More recently, physical security keys have been touted as a better way to avoid account takeovers, since they tie each login response to the genuine site’s web origin and so cannot be relayed from a lookalike page. But while promising, their practicality remains to be seen, and they may still prove inadequate on their own.
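The relay attack described two sections above, and the origin binding that security keys add, as a runnable example added here (not code from the original post or from Agari). Everything in it is a constructed stand-in: the user "alice", her password and secrets, the timestamps, and the `LegitService`, `RelayPhishKit` and `sign_for_origin` names are made up for the demonstration. The TOTP function follows RFC 6238; the origin-bound part is a simplified HMAC model of the property WebAuthn/U2F keys provide (signing over the origin the browser is actually on), not a real WebAuthn implementation.

```python
import hashlib
import hmac
import struct

TOTP_STEP = 30      # seconds per code, the RFC 6238 default
TOTP_DIGITS = 6


def totp(secret: bytes, at: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) for the time step containing `at`."""
    counter = int(at) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def sign_for_origin(key_secret: bytes, challenge: bytes, origin: str) -> bytes:
    """Stand-in for a security key's response: a MAC over challenge || origin.
    Real keys use asymmetric signatures; only the origin binding is modeled here."""
    return hmac.new(key_secret, challenge + b"|" + origin.encode(), hashlib.sha256).digest()


class LegitService:
    """Stand-in for the real cloud login endpoint (constructed account data)."""
    ORIGIN = "https://login.example.com"

    def __init__(self):
        self.users = {"alice": {
            "password": "correct horse battery staple",
            "totp_secret": b"constructed-demo-secret-alice",
            "key_secret": b"constructed-demo-authenticator-key",  # models the key's private key
        }}
        self.issued_sessions = []

    def _issue_session(self) -> str:
        token = f"session-{len(self.issued_sessions) + 1}"
        self.issued_sessions.append(token)
        return token

    def login_totp(self, username, password, code, now, skew_steps=1):
        """Password + TOTP. Validators usually tolerate about one step of clock skew."""
        u = self.users.get(username)
        if u is None or not hmac.compare_digest(u["password"], password):
            return None
        for k in range(-skew_steps, skew_steps + 1):
            if hmac.compare_digest(totp(u["totp_secret"], now + k * TOTP_STEP), code):
                return self._issue_session()
        return None

    def login_origin_bound(self, username, password, challenge, response):
        """Password + key response. The server checks against ITS OWN origin, so a
        response the key produced for a lookalike origin never verifies."""
        u = self.users.get(username)
        if u is None or not hmac.compare_digest(u["password"], password):
            return None
        expected = sign_for_origin(u["key_secret"], challenge, self.ORIGIN)
        return self._issue_session() if hmac.compare_digest(expected, response) else None


class RelayPhishKit:
    """Phishing page that forwards whatever the victim submits straight to the real service."""
    ORIGIN = "https://login-example-com.attacker.test"  # the lookalike origin the victim is really on

    def __init__(self, target: LegitService):
        self.target = target
        self.harvested = []

    def victim_submits_totp(self, username, password, code, now):
        self.harvested.append((username, password, code))
        return self.target.login_totp(username, password, code, now)  # relayed within the step

    def victim_submits_key_response(self, username, password, challenge, response):
        self.harvested.append((username, password, response))
        return self.target.login_origin_bound(username, password, challenge, response)


def run_scenario(start: int = 1_600_000_000) -> dict:
    """Fixed timestamps so the outcome is deterministic. Returns the three login results."""
    service, kit = LegitService(), RelayPhishKit(LegitService.__new__(LegitService))
    kit.target = service
    alice = service.users["alice"]
    pw = alice["password"]

    # Victim reads this code from the authenticator app and types it into the phishing page.
    code = totp(alice["totp_secret"], start)
    relayed = kit.victim_submits_totp("alice", pw, code, start + 5)       # 5 s later: accepted
    replayed = service.login_totp("alice", pw, code, start + 120)         # 2 min later: expired

    # Same kit, but the victim uses a security key: it signs for the origin the browser
    # is actually on (the attacker's), so the relayed response fails at the real service.
    challenge = b"constructed-challenge-from-real-service"  # kit fetched it from the real login
    response = sign_for_origin(alice["key_secret"], challenge, kit.ORIGIN)
    relayed_key = kit.victim_submits_key_response("alice", pw, challenge, response)

    return {"relayed_totp": relayed, "replayed_totp": replayed, "relayed_key": relayed_key}


if __name__ == "__main__":
    print(run_scenario())
```

The point to take from the first two results is that the code itself is not the weakness: the same six digits that expire harmlessly two minutes later are perfectly good if the kit forwards them within the step, which is why real-time relay rather than offline replay is what these kits do. The third result shows what changes when the second factor is bound to the origin rather than to the clock.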

In my view, a far more effective approach is to prevent credential-harvesting phishing attacks from ever reaching employees in the first place.

Modern identity-based protections like Agari Phishing Defense™, for example, use real-time threat intelligence drawn from sender behavioral and telemetric data to recognize and block inbound email attacks, even when the attack involves nothing more than plain-text social engineering. That includes phishing emails sent from accounts that have already been compromised.

So no, 2-factor authentication alone doesn’t provide the bulletproof protection many may believe it does. 

At a time when ever-evolving phishing attacks have become an epidemic of their own, a more robust, multi-layered approach that includes intelligent, identity-based defenses may be the only way to keep the contagion at bay. 

To learn more about how to protect your organization from 2FA-defeating phishing attacks, read Solving Phishing, BEC, Account Takeovers and More, from Osterman Research.
