How Two-Factor Authentication Can Be Bypassed – Demonstrated By KnowBe4
Most commonly used method to lessen the jeopardies of password phishing attacks is two-factor authentication. According to the security and training vendor KnowBe4, two-factor authentication can now be tricked and bypassed by the attackers.
In a video posted earlier this month, by chief hacking officer at KnowBe4, Kevin Mitnick, illustrated his latest project Evilginx, which is a framework for capturing credentials in real time, and a method by which 2FA could be surpassed and spoofed. In video, he showed how a fake login page can be used to trick consumers into entering their login and 2FA credentials. He used the same session ID token that was generated from the fake site to gain access to data and to respective legitimate site.
On this, Roger Grimes, spokesperson from KnowBe4 said that, “this particular 2FA bypass isn’t new, and KnowBe4 didn’t discovered this approach.” He also added, “You’ll hear a lot of people say that 2FA is the solution to defeat phishing, and while using 2FA can help defeat some, simple forms of phishing, it doesn’t come close to stopping all forms of phishing and social engineering”.
“There are some scenarios that Evilginx and similar attacks may not work on, but it’s more important to realize that there isn’t a 2FA scenario that can’t be hacked one way or another, and sometimes it’s as simple as sending a phish email”.
Must Read : How to Remove Malware and Adware from Your Mac
How Does It Work?
It works as a phishing scam. Once the users enter their login and 2FA credentials, it is sent to the authenticated website. Then from there on the hackers seize the approved session authentication token or cookie, which is sent back to the user by the site after being successfully authenticated by it.
Let’s see step by step, how it actually works:
1. A phishing link is generated by an attacker, pointing to server running Evilginx.
2. This phishing link is then received by the victim through the available communication medium (email, messenger etc.).
3. As soon as the victim clicks the link, Evilginx’s proxied Google sign-in page is presented.
4. Where, victim will enter the login credentials and two-factor authentication code. After the successful login, user will be redirected to a specified URL.
5. As soon as the user is redirected to the URL, actors will get the access to the victim’s email and password, and in order to take full control of the session, actors can also import session cookies into hacker’s browser. This way any two-factor authentication can be bypassed and spoofed on user account.
What Should Be Done to Stay Safe?
There are several ways to lessen the risk of 2FA bypass. All these methods were told by the Roger Grimes, spokesperson from KnowBe4.
1. Only reply to the emails that are essential and learn to recognize & avoid responding to phishing emails.
2. Another method is using a strong authentication method, like FIDO approach. So, if the website visited provides FIDO approach then the user session can be saved from the attack.
If you found this helpful, please let us know. You can also drop your feedback in the comment section below.