Scam Of The Week: Nasty Two-factor Auth Text Hack
-
We all know that two-factor authentication (2FA) is much better than just simple user/password credentials. However, there is a nasty spoofing trick that bypasses 2FA if the user does not pay attention. Warn your users that have 2FA-enabled accounts, who are usually key people with access to sensitive information, against this.
-
- Using creds from the massive databases with tens of millions of credentials that have surfaced in the last few weeks -- notably from LinkedIn, MySpace and Twitter, or
- Sending a phishing email with a malicious attachment which installs a keylogger on the box and sends the credentials back to the hacker
Once they have the creds, here are the 4 steps of how this scam goes down:
-
The attacker sends the target a text message, spoofing the company that the target has an account with. The text states they have detected "suspicious" activity on the account, and so are sending the 2FA code to the target, which they should then text back to avoid having their account locked.
-
The attacker logs into the account with the known credentials, which prompts the 2FA code to be sent to the target.
-
The (worried) target tries to prevent a negative consequence and texts the code back to the attacker, but by doing that they give the hacker just the thing they needed to break into the account.
-
The hacker now enters the victim's 2FA code, and they're in. The French would say: "Simple comme Bonjour".
So, I would send an email to your employees, friends and family who have any of their accounts protected with 2FA. Feel free to copy/paste/edit:
"There is a new scam you need to watch out for if, when you log into your accounts, you have to wait for a text message on your phone, enter the code, and only then log in. This more secure system is called "2-factor authentication". These two factors are:
- one thing you need to know -- your password
- one thing you have to have -- the text code on your phone
Now, criminal hackers are trying to get past this with a nasty trick you need to watch out for. Tens of millions of hacked user names and passwords have recently surfaced -- yours may be one of them -- and they are using these for this scam.
They send you a fake (spoofed) text that looks like it's from the company you have an account with, claiming that your account may be hacked or that there is suspicious activity happening.
In the same text they say they will send you your verification code and that you need to send that right back to them or your account gets closed. But if you text that verification code back, you have given the hacker just the thing they needed to hack into your account!
TIP TO STAY SAFE
If your accounts are protected by 2-factor authentication, the only time you will be sent the code is to verify an attempt to log into your account. That means if you did not just try to log in and you suddenly receive a verification code through a text message to your smartphone, it is because a scammer who already has your user name and password is trying to hack into your account.
Never provide your verification code to anyone. Only use it yourself, by entering the code into your smartphone or computer when you log into a 2-factor authentication protected account. And as a reminder, never give out personal information, such as your Social Security number or credit card numbers, in response to a text message (or email), because you simply cannot know for sure who is really on the other end of that communication line.
Remember, Think Before You Click!"
I would send this right away to people in Accounting, HR, Legal, and C-level execs that have 2FA accounts set up for them.
Let's stay safe out there.
Warm regards,
Stu Sjouwerman
Founder and CEO of KnowBe4, Inc.
www.KnowBe4.com
-
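The four steps above, played out as an offline simulation. This is an added example, not code from the post or from KnowBe4: the account "alice", its password "hunter2", the phone numbers, the message texts, the five-minute code lifetime and the five-attempt limit are all made up for the demo, and the "phones" are plain Python lists standing in for SMS inboxes. The point it makes is the one the post makes: once the victim relays the code, the server has no way to tell the attacker's keystrokes from the victim's.

```python
"""Offline simulation of the SMS-code relay scam from the post above.

Constructed example: the account "alice", its password, the phone numbers and
the message texts are all made up; "phones" are plain lists that stand in for
SMS inboxes so nothing touches a real gateway.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300   # assumption: a code is good for five minutes
MAX_OTP_ATTEMPTS = 5    # assumption: five wrong guesses burn the code


@dataclass
class PendingLogin:
    username: str
    code: str
    issued_at: float
    attempts: int = 0
    completed: bool = False


class Server:
    """Password + texted-code login, with the server-side controls a site can apply."""

    def __init__(self, users, phones):
        self.users = users      # username -> (password, phone number)
        self.phones = phones    # phone number -> inbox (list of message strings)
        self.pending = {}       # session id -> PendingLogin
        self.audit = []

    def login(self, username, password, session_id):
        pw, phone = self.users.get(username, (None, None))
        if pw is None or not hmac.compare_digest(pw.encode(), password.encode()):
            self.audit.append(f"password_failed user={username} session={session_id}")
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[session_id] = PendingLogin(username, code, time.time())
        # The message text is the one defence the server can put in the user's
        # hands: say what the code is for and that it must never be sent to anyone.
        self.phones[phone].append(
            f"Example Corp: {code} is your login code. We will NEVER ask you to "
            "text this code back. If you did not just log in, change your password."
        )
        self.audit.append(f"otp_sent user={username} session={session_id}")
        return True

    def verify_otp(self, session_id, code):
        p = self.pending.get(session_id)
        if p is None or p.completed:
            return False
        if time.time() - p.issued_at > OTP_TTL_SECONDS or p.attempts >= MAX_OTP_ATTEMPTS:
            del self.pending[session_id]
            self.audit.append(f"otp_invalidated user={p.username} session={session_id}")
            return False
        p.attempts += 1
        if not hmac.compare_digest(p.code.encode(), code.encode()):
            return False
        p.completed = True  # single use: replaying the same code later fails
        self.audit.append(f"login_success user={p.username} session={session_id}")
        return True

    def unanswered_codes(self):
        """Codes sent but never completed: someone who knew the password tried to log in."""
        return [f"otp_unanswered user={p.username} session={sid}"
                for sid, p in self.pending.items() if not p.completed]


def run_scam(victim_relays_code):
    """Plays the four steps from the post. Returns (attacker got in, server)."""
    victim_phone, attacker_phone = "+15550100", "+15550199"       # made-up numbers
    phones = {victim_phone: [], attacker_phone: []}
    srv = Server({"alice": ("hunter2", victim_phone)}, phones)     # leaked test creds

    # Step 1: spoofed text on the victim's phone, claiming to be the company.
    phones[victim_phone].append(
        "Example Corp alert: suspicious activity on your account. Reply with the "
        "code we are about to send you or your account will be locked."
    )
    # Step 2: attacker logs in with the leaked password; the real code goes to the victim.
    if not srv.login("alice", "hunter2", session_id="attacker-session"):
        raise RuntimeError("leaked password did not work")
    real_code = next(w for w in phones[victim_phone][-1].split() if len(w) == 6 and w.isdigit())

    if victim_relays_code:
        # Step 3: the worried victim texts the code back to the spoofed sender...
        phones[attacker_phone].append(real_code)
        # Step 4: ...and the attacker types it into the pending login. The server
        # cannot tell who typed it; the code is a bearer secret.
        got_in = srv.verify_otp("attacker-session", phones[attacker_phone][-1])
    else:
        # The victim ignores the request, so the attacker is left guessing.
        got_in = any(srv.verify_otp("attacker-session", "??????") for _ in range(3))
    return got_in, srv
```

`run_scam(True)` ends with `login_success` in the audit log for a session the victim never opened; `run_scam(False)` leaves an `otp_unanswered` entry, which is the server-side view of the TIP in the post: a code that went out and was never entered means someone already has the password. Single use, a short lifetime, an attempt limit and a warning in the message text are the only levers the site has; none of them helps once the user hands the code over.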
Why would you send the 2FA code to some random phone number that asked you to do this?
This is one bit of social engineering I wouldn't expect to be all that successful. Will it be 0% successful? Sadly, no, but I don't expect it to be more than 2-3% successful.
-
@Dashrender said in Scam Of The Week: Nasty Two-factor Auth Text Hack:
Why would you send the 2FA code to some random phone number that asked you to do this?
This is one bit of social engineering I wouldn't expect to be all that successful. Will it be 0% successful? Sadly, no, but I don't expect it to be more than 2-3% successful.
Of course it would be successful. 2FA is black magic to users; they have no idea what it really does.
-
@JaredBusch said in Scam Of The Week: Nasty Two-factor Auth Text Hack:
Of course it would be successful. 2FA is black magic to users; they have no idea what it really does.
Or why they use it or when it would be requested.
-
@scottalanmiller said in Scam Of The Week: Nasty Two-factor Auth Text Hack:
@JaredBusch said in Scam Of The Week: Nasty Two-factor Auth Text Hack:
Of course it would be successful. 2FA is black magic to users; they have no idea what it really does.
Or why they use it or when it would be requested.
How often do you see that being the case? Perhaps as more and more companies require it, users will be forced to use it while having no clue as to what it does or why.
-
@Dashrender said in Scam Of The Week: Nasty Two-factor Auth Text Hack:
@scottalanmiller said in Scam Of The Week: Nasty Two-factor Auth Text Hack:
@JaredBusch said in Scam Of The Week: Nasty Two-factor Auth Text Hack:
Of course it would be successful. 2FA is black magic to users; they have no idea what it really does.
Or why they use it or when it would be requested.
How often do you see that being the case? Perhaps as more and more companies require it, users will be forced to use it while having no clue as to what it does or why.
I don't know for sure, but I'd assume "almost always."
-
@scottalanmiller said in Scam Of The Week: Nasty Two-factor Auth Text Hack:
@Dashrender said in Scam Of The Week: Nasty Two-factor Auth Text Hack:
@scottalanmiller said in Scam Of The Week: Nasty Two-factor Auth Text Hack:
@JaredBusch said in Scam Of The Week: Nasty Two-factor Auth Text Hack:
Of course it would be successful. 2FA is black magic to users; they have no idea what it really does.
Or why they use it or when it would be requested.
How often do you see that being the case? Perhaps as more and more companies require it, users will be forced to use it while having no clue as to what it does or why.
I don't know for sure, but I'd assume "almost always."
Do you know anyone who's forced to use 2FA? I guess I do now: my doctors. Their 2FA is a phone call from the hospital automated system. If they are logging in, they will get a phone call where they have to press 1 to indicate it was them who is attempting to log in. If they aren't attempting to log in and they get the phone call, they should just hang up and contact the help desk.
-
@Dashrender said in Scam Of The Week: Nasty Two-factor Auth Text Hack:
Do you know anyone who's forced to use 2FA?
Of course. All of the employees of normal companies. Do you really not know thousands of people like this? I'd be surprised. Maybe they just aren't talking about it, because outside of IT, who really talks about this kind of stuff?
-
@scottalanmiller said in Scam Of The Week: Nasty Two-factor Auth Text Hack:
@Dashrender said in Scam Of The Week: Nasty Two-factor Auth Text Hack:
Do you know anyone who's forced to use 2FA?
Of course. All of the employees of normal companies. Do you really not know thousands of people like this? I'd be surprised. Maybe they just aren't talking about it, because outside of IT, who really talks about this kind of stuff?
Perhaps I do, and you're right, it's not talked about.
-
@Dashrender said in Scam Of The Week: Nasty Two-factor Auth Text Hack:
I guess I do now: my doctors. Their 2FA is a phone call from the hospital automated system. If they are logging in, they will get a phone call where they have to press 1 to indicate it was them who is attempting to log in. If they aren't attempting to log in and they get the phone call, they should just hang up and contact the help desk.
Exactly. And every enterprise IT person I know uses two factor. Of some sort at least. Whether it is an internal system, SSH Keyphrases, RSA cards, Aladdin cards, Google Authenticator... 2FA is pretty darn common.
-
@scottalanmiller said in Scam Of The Week: Nasty Two-factor Auth Text Hack:
@Dashrender said in Scam Of The Week: Nasty Two-factor Auth Text Hack:
I guess I do now: my doctors. Their 2FA is a phone call from the hospital automated system. If they are logging in, they will get a phone call where they have to press 1 to indicate it was them who is attempting to log in. If they aren't attempting to log in and they get the phone call, they should just hang up and contact the help desk.
Exactly. And every enterprise IT person I know uses two factor. Of some sort at least. Whether it is an internal system, SSH Keyphrases, RSA cards, Aladdin cards, Google Authenticator... 2FA is pretty darn common.
Sure, those are IT persons. They, though, are expected to understand 2FA, and shouldn't fall for this type of trick as posted in the OP.
So let's talk about normals - outside of IT, do you see a lot of people using 2FA?
-
@Dashrender said in Scam Of The Week: Nasty Two-factor Auth Text Hack:
So let's talk about normals - outside of IT, do you see a lot of people using 2FA?
I thought that I just said that. Every enterprise that I know uses 2FA. For everyone. Just part of normal computer usage. I'm sure lots don't, but enough do that I always see it.
-
@scottalanmiller said in Scam Of The Week: Nasty Two-factor Auth Text Hack:
@Dashrender said in Scam Of The Week: Nasty Two-factor Auth Text Hack:
So let's talk about normals - outside of IT, do you see a lot of people using 2FA?
I thought that I just said that. Every enterprise that I know uses 2FA. For everyone. Just part of normal computer usage. I'm sure lots don't, but enough do that I always see it.
OK, well, in that case, I do know that most of my local friends who work in enterprise do not use 2FA.
-
@Dashrender said in Scam Of The Week: Nasty Two-factor Auth Text Hack:
@scottalanmiller said in Scam Of The Week: Nasty Two-factor Auth Text Hack:
@Dashrender said in Scam Of The Week: Nasty Two-factor Auth Text Hack:
So let's talk about normals - outside of IT, do you see a lot of people using 2FA?
I thought that I just said that. Every enterprise that I know uses 2FA. For everyone. Just part of normal computer usage. I'm sure lots don't, but enough do that I always see it.
OK, well, in that case, I do know that most of my local friends who work in enterprise do not use 2FA.
Do they do anything important like work in content, finance, accounting, HR, etc.?