FBI: Phishing Can Defeat Two-Factor Authentication

Human beings can be tricked. This fact is a hard-to-patch vulnerability in many systems. And that is the tl;dr version of a notice from the FBI that recently hit industry groups.

According to the Private Industry Notification, criminals are bypassing two-factor authentication with a combination of well-known techniques including social engineering and man-in-the-middle attacks.

In addition to reminding organizations of the dangers of SIM-swapping exploits, the notice points to two new hacker tools: Mureana (named for a family of eels), which automates phishing attacks, and NecroBrowser, which helps to hijack a legitimate authentication session. Together, the tools can turn a victim's browser into a credential-stealing zombie that gives no notice to the legitimate user.

The FBI recommends that companies continue to educate users on phishing techniques and, for especially high-value accounts, use a variety of different authentication methods with tokens that regularly change.

Read more here and here.

This free, all-day online conference offers a look at the latest tools, strategies, and best practices for protecting your organization’s most sensitive data. Click for more information and, to register, here.