New tool automates phishing attacks that bypass 2FA

handinpalm

Pulling my weight
Joined
Sep 21, 2016
Messages
275
Reaction score
192
Location
Tampa Bay FL
Now this is really scary. This reverse proxy tool can circumvent your 2 factor authentication. This just happened on large scale with YouTube accounts. And I thought my online financial transactions with 2FA were safe. Have to be extra careful about phishing attacks!

New tool automates phishing attacks that bypass 2FA | ZDNet
 

CCTVCam

Pulling my weight
Joined
Sep 25, 2017
Messages
503
Reaction score
241
If I read it correctly though, they still have to phish you to go to the false site 1st though. This isn't something that can extract your information just through normal web usage.
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,048
Reaction score
662
If I read it correctly though, they still have to phish you to go to the false site 1st though. This isn't something that can extract your information just through normal web usage.
What they do, is a "real" man-in-the-middle attack. YOUR device thinks it's going straight to the real-deal site, however that real-deal site gets "transparently" cached and forwarded to your device. For this to happen, this forgery has to take place really close to the source or really close to the destination (as being on your LAN), as (for example) DNS requests can be manipulated and redirection happens "transparently".
 

CCTVCam

Pulling my weight
Joined
Sep 25, 2017
Messages
503
Reaction score
241
I understand that, but in order to reach the middle man address, you 1st have to click a phishing link taking you to the middle man site though correct? Presumably if you google Amazon you'll always end up at Amazon.com (or your local Amazon site). Presumably if the Phishers send you an email containing a link to "Amazon", you end up at the middle man site which then poses as Amazon in all stages including during the 2 step login.

I'm assuming of course this isn't the scenario of an inside job where someone at the final site eg Amazon inserts said server into their LAN, in which the genuine IP will take you also to the phisher.

So all of this surely means inside job apart, you still have to be phished to go to the wrong site in the 1st place. Which makes it frightening but not catastrophic as current simple precautions such as not following links in eg bank emails, means you still won't get phished.
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,048
Reaction score
662
I understand that, but in order to reach the middle man address, you 1st have to click a phishing link taking you to the middle man site though correct? Presumably if you google Amazon you'll always end up at Amazon.com (or your local Amazon site). Presumably if the Phishers send you an email containing a link to "Amazon", you end up at the middle man site which then poses as Amazon in all stages including during the 2 step login.

I'm assuming of course this isn't the scenario of an inside job where someone at the final site eg Amazon inserts said server into their LAN, in which the genuine IP will take you also to the phisher.

So all of this surely means inside job apart, you still have to be phished to go to the wrong site in the 1st place. Which makes it frightening but not catastrophic as current simple precautions such as not following links in eg bank emails, means you still won't get phished.
No, if (as example) amazon.com's production IP is hosted on X.Y.Z.Q, and you inject DNS spoofs that grab X.Y.Z.Q and translate it to A.B.C.D running on that spooky "gateway" which grabs all content from X.Y.Z.Q, you won't notice anything (apart from the SSL certificate hosted on A.B.C.D not being signed by Amazon.com's legit SSL party, but hey, everybody learned today that a YELLOW LOCK means SECURITY, however nobody checks the signing party of that yellow lock).
 

CCTVCam

Pulling my weight
Joined
Sep 25, 2017
Messages
503
Reaction score
241
So basically your fear is that someone will sit one of these servers into the IP hops that take route traffic across the internet and spoof you pc into thinking it's reached the end destination when in fact it's only gone part way across the internet?

Otherwise I fail to see how it can happen if it has to happen locally at my end or in my example Amazons (just using Amazon as an example, I'm sure they have good security). My end it can't happen, as I'd think I notice it if there was an extra pc in my house or sat attached to the telegraph pole across the road.

At eg Amazon's end, it would surely take a rogue employee and someone who could position a pc between the server and router without it being noticed. In the internet part, the DNS is determined by the DNS server at your IP or DNS server choice if using an independent, so surely then the only way top insert the middle server component would have it to somehow form one of the server hops between your IP and the DNS determined IP of the destination as mentioned above.
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,048
Reaction score
662
Hang on, it does not need to be an extra visible pc in your house, it might be a "hijacked" IoT device (eg your smart fridge) which resides in the same LAN as you are...

Hence my suggestion to use vlans to separate those devices from your real (precious) network devices.
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
9,128
Reaction score
6,343
Location
USA
Phishing scams don't need to hijack a device on your LAN or manipulate DNS responses. That makes their job a lot harder for very little reward.

Basically what a phishing scammer does is:

1) Register a domain like "amezon.com". Or, more realistically, something like "amazon.com.loginform.io".
2) Get a valid SSL certificate for that domain (easy, because they own the domain).
3) Set up a website that looks like the one they are pretending to be. The tool described in the article helps with this.
4) Distribute links to their fake site by any and all means. Email, forums, social media, etc.

A lot of people won't check the address bar very carefully (or not at all), and a lot of people would have trouble telling a legitimate amazon.com from a fake one if you gave them a side-by-side comparison with the important bits highlighted. That is the biggest problem here.
 

mat200

IPCT Contributor
Joined
Jan 17, 2017
Messages
4,777
Reaction score
2,642
Of course the fun stuff was when they used to be able to overlay images ( such as the "lock" image ) on your browser...
 

handinpalm

Pulling my weight
Joined
Sep 21, 2016
Messages
275
Reaction score
192
Location
Tampa Bay FL
Hang on, it does not need to be an extra visible pc in your house, it might be a "hijacked" IoT device (eg your smart fridge) which resides in the same LAN as you are...
I only have 1 IOT device (thermostat that had to be used w/ HVAC) in my home. I placed the device on a guest WIFI and blocked it from the LAN (ASUS Router). Same w/ Roku sticks. I hope this is enough.
 
Last edited:

CCTVCam

Pulling my weight
Joined
Sep 25, 2017
Messages
503
Reaction score
241
Phishing scams don't need to hijack a device on your LAN or manipulate DNS responses. That makes their job a lot harder for very little reward.

Basically what a phishing scammer does is:

1) Register a domain like "amezon.com". Or, more realistically, something like "amazon.com.loginform.io".
2) Get a valid SSL certificate for that domain (easy, because they own the domain).
3) Set up a website that looks like the one they are pretending to be. The tool described in the article helps with this.
4) Distribute links to their fake site by any and all means. Email, forums, social media, etc.

A lot of people won't check the address bar very carefully (or not at all), and a lot of people would have trouble telling a legitimate amazon.com from a fake one if you gave them a side-by-side comparison with the important bits highlighted. That is the biggest problem here.
That's exactly what I'm saying above BP :goodpost:.

Although a very interesting post / development, I don't see how this development threatens you anymore than a traditional scam as it still relies on you to click a link in eg a phishing email to take you to a domain that appears to be the domain you want, but in actuality is a clone or live image of the real domain. The only difference is you can no longer rely on confirmation codes logins to save you if you click the wrong domain.

Or to put it another way, as I suggested above, if you google eg Amazon.com, and click on the top search result, then you should go to Amazon.com and short of them inserting a middle server in your home or at Amazon, I fail to see how this could threaten you. The danger comes from clicking on a link to a spoof site which means following a link in a phishing email.

As for smart devices in your home, I see the potential, although question whether eg a fridge, would have the computing power to live serve an entire website. Either way, I don't have SMART devices, nor will I ever have, (anyone wondering why need look no further than a certain smart helper box that can allegedly records conversations as a side feature and sends them to a big corporations servers where staff can listen to them), so for me it's no biggy.
 
Last edited:

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
11,627
Reaction score
3,742
Location
Scotland
and short of them inserting a middle server in your home or at Amazon
Or actually just anywhere on the internet. Not in your home. Not in Amazon.

although question whether eg a fridge, would have the computing power to live serve an entire website.
It would just need to poison the DNS in your router.
Or your router could have been compromised, as large numbers have been.

Although a very interesting post / development, I don't see how this development threatens you anymore than a traditional scam as it still relies on you to click a link in eg a phishing email to take you to a domain that appears to be the domain you want, but in actuality is a clone or live image of the real domain. The only difference is you can no longer rely on confirmation codes logins to save you if you click the wrong domain.
It's much more transparent, and and would only be transiently noticed, unlike a malicious clone web site.
 

CCTVCam

Pulling my weight
Joined
Sep 25, 2017
Messages
503
Reaction score
241
Or actually just anywhere on the internet. Not in your home. Not in Amazon.
I think I suggested that in post 6. However, the flaw is still the human factor. Don't click malicious links and you shouldn't be on the wrong site.


It would just need to poison the DNS in your router.
Or your router could have been compromised, as large numbers have been.
OK beyond my knowledge. Again Smart device owners need to be wary. Personally not an issue. One reason why I don't want smart devices is security. The more you use the more you compromise your privacy and security. Your inviting web servers, microphones, cameras etc into your home that you don't have full control over. That to my mind is plain stupid and outweighs the benefits. You know as I sit here typing this, my web camera on top of my monitor has a soft sunglasses case wrapped around it. The one built into my laptop has insulating tape stuck over it. The only time either is uncovered is if and when I'm using a Skype. The reason why can be seen here:


Even where loop holes in Windows that allow for capture of control of your web cam have been filled, there's still the same potential for you to download a malicious file giving control. You can buy security software that gives you remote control of you laptop or phones camera if its stolen. If it works legitimately, then it's open for someone to use the same techniques to give them control of it through you clicking an unknowingly installing / downloading a file in the background.


It's much more transparent, and and would only be transiently noticed, unlike a malicious clone web site.
I can see how that would be the case for a consumer. For a big web company, hopefully they're monitoring for servers making repeated connections to different accounts.
 

CCTVCam

Pulling my weight
Joined
Sep 25, 2017
Messages
503
Reaction score
241
Not that I'm aware but I could be wrong. The stream itself is encrypted.
 

Holbs

Pulling my weight
Joined
May 1, 2019
Messages
158
Reaction score
134
Location
Reno, NV
Maybe I'm old....or have been around the block. Anytime I get an email with a link to amazon, bank, auction site, this or that... I NEVER NEVER click on the link itself but go directly to the website itself.
Also have ScriptSafe, ABP, uBlock, and Malwarebytes running 24/7 on my main pc.
I do click on the links for my online dating site stuff. Just incase, the dude trying to phish me has a 6-pack or has more money than me :)
 
Top