Security is never simple. Two-factor authentication was supposed to keep an account safe even after its password leaked, but a newly demonstrated phishing technique lets attackers send users to a fake login page that relays their username, password and one-time code to the real site and captures the session cookie that comes back.
The attack was demonstrated by KnowBe4 Chief Hacking Officer Kevin Mitnick in a video made public today.
The victim first has to be lured to a lookalike web site. Everything typed there, login, password and one-time authentication code, is forwarded in real time to the legitimate site, which accepts the correct credentials and the still-valid code and issues a session cookie. The attacker captures that cookie on its way back to the victim. Because the cookie alone proves an authenticated session, the attacker can reuse it without ever being asked for a second factor; the one-time code was spent on the victim's own, perfectly genuine login.
“A white hat hacker friend of Kevin’s developed a tool to bypass two-factor authentication using social engineering tactics – and it can be weaponized for any site,” said KnowBe4 CEO Stu Sjouwerman. “Two-factor authentication is intended to be an extra layer of security, but in this instance, we clearly see that you can’t rely on it alone to protect your organization.”
The tool was written by hacker Kuba Gretzky, who named it evilginx. Gretzky also documented the whole technique in a post on his website, which makes for quite the read.
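To make the relay concrete, here is a constructed in-process model of the three parties involved: the real site (password plus a six-digit TOTP, then a bearer session cookie), the victim's authenticator app, and a phishing proxy that forwards the login form to the real site and keeps a copy of everything. This is added example code, not evilginx or anything from Gretzky's post; the user, password and TOTP secret are made up, and the TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step). The point it shows is the one the article makes: replaying the stolen password and code fails because the code is one-time, while replaying the stolen cookie works because nothing checks a second factor again.

```python
"""Model of a real-time phishing relay that defeats one-time 2FA codes.

Constructed demo, not evilginx: the site, proxy and authenticator are
in-process stand-ins. TOTP follows RFC 6238 (HMAC-SHA1, 30 s step, 6 digits).
"""
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 code for time `now`; used by the site and by the victim's app."""
    counter = now // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


class LegitSite:
    """The real service: password + TOTP, then a bearer session cookie."""

    def __init__(self):
        # Constructed test user; the TOTP secret is shared with her app.
        self.users = {"alice": {"password": "correct horse battery",
                                "totp_secret": b"0123456789ABCDEF0123"}}
        self.used_codes = set()   # a one-time code must never be accepted twice
        self.sessions = {}        # cookie value -> username

    def login(self, username, password, code, now):
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(password, user["password"]):
            return None
        if code != totp(user["totp_secret"], now) or (username, code) in self.used_codes:
            return None
        self.used_codes.add((username, code))
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = username
        return cookie

    def whoami(self, cookie):
        """Any request carrying a valid cookie is the user; no second factor asked."""
        return self.sessions.get(cookie)


class PhishingProxy:
    """Lookalike site that forwards the victim's form to the real site in real time."""

    def __init__(self, upstream: LegitSite):
        self.upstream = upstream
        self.captured = []   # what the attacker walks away with

    def handle_login(self, username, password, code, now):
        cookie = self.upstream.login(username, password, code, now)
        self.captured.append({"username": username, "password": password,
                              "code": code, "cookie": cookie})
        return cookie   # the victim lands in a real, working session


def run_demo(now: int = 1_700_000_000) -> dict:
    """Victim logs in through the proxy; attacker then replays what was captured."""
    site = LegitSite()
    proxy = PhishingProxy(site)
    # Victim types credentials and the current code from her app into the fake page.
    code = totp(site.users["alice"]["totp_secret"], now)
    victim_cookie = proxy.handle_login("alice", "correct horse battery", code, now)
    loot = proxy.captured[0]
    return {
        "victim_logged_in": site.whoami(victim_cookie) == "alice",
        # Replaying the stolen password + code fails: the code was consumed.
        "replay_code_works": site.login(loot["username"], loot["password"],
                                        loot["code"], now) is not None,
        # Replaying the stolen cookie succeeds: no second factor is checked again.
        "replay_cookie_works": site.whoami(loot["cookie"]) == "alice",
    }


if __name__ == "__main__":
    print(run_demo())
```

The interesting line is `whoami`: once the site has issued a cookie, every later request is authenticated by that cookie alone, which is why a captured cookie is worth more to the attacker than the password and code together.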
Against one-time codes of this kind, the protection that counts is lowering the chance that users reach the phishing page at all, which is largely a matter of education. One caveat worth knowing: authenticators that bind the login to the site's origin, such as U2F and WebAuthn security keys, are not captured this way, because the key signs for the fake domain rather than the real one and the real site rejects the result. Technically savvy users are unlikely to fall for a lookalike site, but those who do not know better are exactly the people most likely to be fooled into visiting one, so for most organisations the problem is very much one of education.
“This highlights the need for new-school security awareness training and simulated phishing because people are truly your last line of defense,” according to Sjouwerman. We couldn’t agree more.