How hackers are using phishing to bypass two-factor authentication

Two-factor authentication has been shown to prevent unauthorized users from accessing protected sites, services and data. But newer forms of attacks are seeing bad actors emulate 2FA sites to effectively sidestep the prompts and users are aiding them in compromising data by unknowingly handing them their credentials.

June 29 2018 by

Joel Windels

It’s difficult to work out what constitutes best practice when it comes to password management. The prevailing wisdom for many years was to include a blend of special characters, numbers and capital letters to deter conventional dictionary attacks – yet somewhat strangely this original advice has since been rescinded. What most security experts seem to agree on, however, is that two-factor authentication (known as 2FA) is undoubtedly more secure than a simple username and password combinations. It’s something we agree on here at Jamf, which is why it was implemented as a feature in our security software.

However, like so many other security features, it is a mistake to assume this defense against attack is watertight. A 2FA-protected account is still vulnerable to attack, even among the most widely used and trusted services. That includes enterprise services like Apple, Microsoft, Paypal and LinkedIn.

So how can these generally secure services be accessed by attackers when 2FA is enabled? Here’s an example of such an attack, using the Google account of a high-value target – though this would also work for a hacker targeting any employee of any organization, and crucially for any type of account.

Distributing fake login pages to bypass 2FA

As phishing has evolved and moved increasingly towards mobile, phishers have also looked beyond email to distribute phishing links. Our own research suggests that 81% of phishing attacks now take place outside email and are increasingly targeting messaging and social media apps like Skype, WhatsApp, SMS (‘smishing’), and even Tinder. To make matters worse, users are 3 times more likely to click on a phishing link on mobile than on desktop.

An attack begins when a phishing link is distributed to the target, using a fake version of a page that they know the target will be interested in. One popular example is something embarrassing or sensitive, such as messages suggesting someone’s photos have been revealed somewhere online. Another would be a concerning message sent internally (or shared via Facebook) that the target’s salary might have been published somewhere online.

Regardless of the specific technique used, the hacker will eventually find a way to divert the target to a fake login page for the desired service (in this case Google). This landing page is a very accurate copy of the Google login page, and even traditional phishing detection methods may not work.

On mobile, this is amplified, with user attention typically less focused and other unique factors also playing a role: such as the smaller screen size and the obscured domain information. Even observation of the URL may not always be sufficient for detection. Many modern mobile phishing attacks make use of ‘blank’ emoji in the domain name (⚪⚪⚪⚪ will show as invisible in many browsers) and an increasing number have taken advantage of free certificate services to make sure that even these phishing pages are hosted on supposedly ‘secure’ and registered domains. The threat research team at Jamf also discovered an uptick in punycode attacks targeting mobile users with malicious domains that use Unicode characters in the domain to imitate popular brands including Google, Adidas, Rolex and British Airways.

How a phishing landing page can be used to bypass 2FA

This diagram shows how the attack can be undertaken. The left-hand side, highlighted in blue, illustrates the experience from the target’s perspective, having been directed to a fake login page. The grey actions to the right are the actions taken by the attacker.

To explain this process in detail, it begins with the victim entering a login page for Office365, iCloud, Paypal, etc. The target, believing the landing page to be authentic, enters their credentials into the fake login form. The fake login form then prompts the user with a two-factor SMS request.

Meanwhile, the hacker, with access to all of the credentials entered into this page, takes the target’s username and password and enters them into the legitimate Google site. This can even be an automated process to carry out this attack at scale. After entering these details to try and access the account, Google’s real 2FA protection kicks in and asks the hacker for the 2FA code. By doing this, an SMS is sent to the target’s phone by Google. The hacker doesn’t even need to know the target’s phone number. As this attack takes place in real-time, this SMS is triggered by the hacker within 30 seconds of the initial phishing attempt. The target then receives a legitimate text from Google, which includes the 2FA code. As this is genuinely from Google, there will be nothing unusual about the text – meaning there is no cause for suspicion by the target.

The target enters this code into the phishing page, thus successfully passing the 2FA prompt. Unknown to the target, any code will have worked in the field as the whole login procedure is only used for harvesting credentials and not for testing the authenticity of the target’s account information. The code that the target enters into this field is immediately visible to the hacker. The attacker’s next step is to use this code to complete the real Google login process, and thus gain access to the target’s account.

When exploiting a service like Apple, Google or Microsoft, this often presents the keys to a wide range of services, including all sorts of sensitive information. This attack shows that even the protection of 2FA is not enough to totally prevent data loss events. On mobile, this has become a particular area of concern for many businesses. Organizations with a serious approach to security have been embracing large-scale education programs to ensure employees are suitably trained when it comes to detecting a phishing attempt, and recognize that these attacks take place across thousands of different channels and not just their inbox).

Yet training alone is unlikely to be enough. That’s why a number of the world’s leading organizations have employed Jamf, which automatically blocks connections to known – and unknown – phishing domains. The reality is that even the most shrewd of employees are still vulnerable to mistakenly clicking on what could be a malicious link. Whenever an employee attempts to access any one of these millions of suspicious domains, security teams can feel safe that Jamf will prevent the page from ever loading, stopping the attack before it has even begun.

Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.