Contact us today!
(800) 588-4430

Telesys Voice and Data Blog

Telesys Voice and Data has been serving the Dallas/Fort Worth area since 1994, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

With Phishing Attacks Beating 2FA, You Need to Be Able to Spot Them

With Phishing Attacks Beating 2FA, You Need to Be Able to Spot Them

Unfortunately, one of the most effective defenses against phishing attacks has suddenly become a lot less dependable. This means that you and your users must be ready to catch these attempts instead. Here, we’ll review a few new attacks that can be included in a phishing attempt, and how you and your users can better identify them for yourselves.

How Has Two-Factor Authentication (2FA) Been Defeated?

There are a few different methods that have been leveraged to bypass the security benefits that 2FA is supposed to provide.

On a very basic level, some phishing attacks have been successful in convincing the user to hand over their credentials and the 2FA code that is generated when a login attempt is made. According to Amnesty International, one group of hackers has been sending out phishing emails that link the recipient to a convincing, yet fake, page to reset their Google password. In some cases, fake emails like this can look very convincing, which makes this scheme that much more effective.

As Amnesty International investigated these attacks, they discovered that the attacks were also leveraging automation to automatically launch Chrome and submit whatever the user entered on their end. This means that the 30-second time limit on 2FA credentials was of no concern.

In November 2018, an application on a third-party app store disguised as an Android battery utility tool was discovered to actually be a means of stealing funds from a user’s PayPal account. To do so, this application would alter the device’s Accessibility settings to enable the accessibility overlay feature. Once this was in place, the user’s clicks could be mimicked, allowing an attacker to send funds to their own PayPal account.

Another means of attack was actually shared publicly by Piotr Duszyński, a Polish security researcher. His method, named Modlishka, creates a reverse proxy that intercepts and records credentials as the user attempts to input them into the impersonated website. Modlishka then sends the credentials to the real website, concealing its theft of the user’s credentials. Worse, if the person leveraging Modlishka is present, they can steal 2FA credentials and quickly leverage them for themselves.

How to Protect Yourself Against 2FA Phishing

First and foremost, while it isn’t an impenetrable method, you don’t want to pass up on 2FA completely, although some methods of 2FA are becoming much more preferable than others. At the moment, the safest form of 2FA is to utilize hardware tokens with U2F protocol.

Even more importantly, you need your entire team to be able to identify the signs of a phishing attempt. While attacks like these can make it more challenging, a little bit of diligence can assist greatly in preventing them.

When all is said and done, 2FA fishing is just like regular phishing… there’s just the extra step of replicating the need for a second authentication factor. Therefore, a few general best practices for avoiding any misleading and malicious website should do.

First of  all, you need to double-check and make sure you’re actually on the website you wanted to visit. For instance, if you’re trying to access your Google account, the login url won’t be www - logintogoogle - dot com. Website spoofing is a very real way that (as evidenced above) attackers will try to fool users into handing over credentials.

There are many other signs that a website, or an email, may be an attempt to phish you. Google has actually put together a very educational online activity on one of the many websites owned by Alphabet, Inc. Put your phishing identification skills to the test by visiting, and encourage the rest of your staff to do the same!

For more best practices, security alerts, and tips, make sure you subscribe to our blog, and if you have any other questions, feel free to reach out to our team by calling (800) 588-4430.


No comments yet
Already Registered? Login Here
Friday, 24 January 2020
If you'd like to register, please fill in the username, password and name fields.

Captcha Image

Free Consultation

Sign up today for a
FREE Network Consultation

How secure is your IT infrastructure?
Let us evaluate it for free!

Sign up Now!

Free Consultation

Tag Cloud

Security Tip of the Week Technology Cloud Business Computing Best Practices Hackers Malware Privacy Email Business Productivity Hosted Solutions Microsoft Network Security Software Internet IT Services Windows 10 Productivity Computer Managed Service Provider Backup Data Backup Ransomware Innovation Mobile Devices Business Continuity Smartphone Outsourced IT Upgrade Google Data Android Hardware Efficiency Data Recovery Disaster Recovery Social Media Managed IT services User Tips Browser Communication IT Support Workplace Tips IT Support Small Business Cloud Computing Managed IT Services Data Management Business Management Smartphones App Miscellaneous Server Holiday Microsoft Office Network Internet of Things Office Remote Monitoring Phishing communications Paperless Office WiFi Office 365 Cybersecurity Windows Password Facebook VoIP Save Money Spam Passwords Tech Term Artificial Intelligence Gmail Big Data Encryption Customer Relationship Management Employer-Employee Relationship Windows 10 Risk Management Collaboration Document Management Bandwidth Firewall Unified Threat Management Saving Money Apps Hosted Solution Recovery Robot Wi-Fi Office Tips Money Managed IT Infrastructure Chrome Work/Life Balance Analytics Tip of the week Apple Avoiding Downtime Compliance Vendor Management Word Hacker Customer Service Mobile Device Management Operating System Windows 7 Content Filtering Remote Computing How To Downtime Government Project Management Data loss BDR Outlook SaaS BYOD Business Technology Two-factor Authentication Settings Telephone Systems Health The Internet of Things File Sharing Computers Healthcare Vulnerability Hacking Mobile Computing Help Desk Tech Support Automation Managed Service Going Green Data Security Alert Education Printing Data storage Cybercrime Applications IT Management Computing Software as a Service Mobile Device Presentation Business Growth Antivirus Social Redundancy Virtual Reality Training Website YouTube User Automobile Upgrades Unified Communications Budget End of Support Access Control Retail LiFi Laptops Mouse Best Practice Lithium-ion battery Business Owner Legal Display Patch Management Solid State Drive Augmented Reality Identity Theft Scam Marketing Twitter Monitors Running Cable Politics IBM Travel Google Drive VPN Competition Websites Assessment Search Regulations Physical Security Bring Your Own Device Server Management Taxes Sports Licensing Information Technology IT service Virtual Private Network Botnet Consultation Cortana Digital Payment Humor Samsung Virtualization Net Neutrality Administration Proactive Maintenance Meetings Smart Technology Analyitcs Storage Safety HIPAA IT solutions Remote Monitoring and Management Router Computer Care Wireless Technology Mobile Security Wireless Tablet Specifications Error Mirgation Staffing Comparison Fleet Tracking Zero-Day Threat Windows 8 Proactive Maintenance Network Management Cookies Break Fix Data Breach Printer Windows Server 2008 Company Culture Domains Language 5G Migration GPS Entrepreneur Black Friday Asset Tracking Backup and Disaster Recovery VoIP Technology Laws Processor Touchscreen Web Server Nanotechnology Google Maps Update Application Dark Web Co-Managed IT Users Vulnerabilities Disaster Public Speaking Computing Infrastructure Digital iPhone Administrator Chatbots Tracking 3D Printing Cyber Monday Lenovo Remote Workers RMM Unified Threat Management Cameras IoT Chromebook Data Warehousing Network Congestion SharePoint Business Telephone Shortcut Geography Uninterrupted Power Supply Law Enforcement Alerts Procurement Spyware Identity Unsupported Software flu season Superfish Information business communications systems Active Directory CCTV Laptop Utility Computing Emoji Hard Drives Microsoft Excel Downloads Virtual Desktop Cables Gadget Cooperation Remote Worker How To Mobile Data Fort Worth Hacks Monitoring Internet Protocol Windows Server Heating/Cooling Halloween Refrigeration Blockchain PowerPoint Multi-Factor Security Wires Electronic Health Records Hard Disk Drive Staff Professional Services Firefox Fun Supercomputer flu shot Current Events Networking Deep Learning Consulting VoIP streamlines User Management Servers G Suite Scary Stories Cost Management Consumers Processors Permissions Google Calendar Cyberattacks Flexibility Virtual Assistant Motion Sickness IT Budget Fort Worth IT business network infrastructure Batteries Hard Drive Undo Fraud Google Docs Operations Writing Legislation MSP Bookmarks eWaste IP Address Voice over Internet Protocol Social Networking Personal Information DFW IT Service IT Sevices Techology Alt Codes Remote Work Statistics IT Consultant Recycling Software Tips Wearable Technology Social Engineering Mail Merge Favorites Environment Machine Learning Mobile Office Typing Motherboard Computer Repair Disaster Resistance File Management Bluetooth Cleaning Buisness Management Notifications Internet Exlporer Address Conferencing Corporate Profile Troubleshooting Relocation Cryptocurrency Manufacturing Quick Tips Webcam Knowledge Electronic Medical Records Distributed Denial of Service Google Wallet Proactive IT data services Telephone Enterprise Resource Planning History Crowdsourcing Dark Data IT Technicians Phone System Technology Tips WPA3 Employees WannaCry Private Cloud Bitcoin Gadgets Time Management Point of Sale Experience Modem Managed IT Service Drones IT Consulting User Error Mobile VoIP Mobility Mobile Cabling Hotspot

Top Blog

Don't be Afraid to Replace Got an older PC that's causing you a lot of issues? Older technology is typically more expensive to run, and after a while, it's cheaper to simply buy a new desktop than it is to continue pouring money into something that always seems broken. It's a great time to buy wo...