A new exploit allows hackers to spoof two-factor authentication requests by sending a user to a fake login page and then stealing the username, password, and session cookie.
KnowBe4 Chief Hacking Officer Kevin Mitnick showed the hack in a public video. By convincing a victim to visit a typo-squatting domain liked “LunkedIn.com” and capturing the login, password, and authentication code, the hacker can pass the credentials to the actual site and capture the session cookie. Once this is done the hacker can login indefinitely. This essentially uses the one time 2FA code as a way to spoof a login and grab data.
“A white hat hacker friend of Kevin’s developed a tool to bypass two-factor authentication using social engineering tactics – and it can be weaponized for any site,” said Stu Sjouwerman, KnowBe4 CEO. “Two-factor authentication is intended to be an extra layer of security, but in this instance, we clearly see that you can’t rely on it alone to protect your organization.”
White hat hacker Kuba Gretzky created the system, called evilginx, and describes its implementation in a wonderfully thorough post on his site.
Sjouwerman notes that anti-phishing education is deeply important and that a hack like this is impossible to complete if the victim is savvy about security and the dangers of clicking links that come into your email box. To demonstrate this, Sjouwerman sent me an email seemingly addressed to me from Matt Burns (matt@techcrunch.com) talking about a typo in a post. When I clicked on it I was transferred to a SendGrid redirect site and dumped into TechCrunch – but the payload could have been more nefarious.
“This highlights the need for new-school security awareness training and simulated phishing because people are truly your last line of defense,” said Sjouwerman. He estimates that hackers will begin trying this technique in the next few weeks and urges users and IT managers to harden their security protocols.