The only thing most people know about two-factor authentication (2FA) is that it’s supposed to make online activity safer, and for the most part, it does. But, as you’ll see, a one-time code does nothing to protect you from a phishing attack that is good enough to relay that code to the real site while it is still valid.
According to Bleeping Computer, one of these “really good” phishing attacks was aimed at customers of Citibank. What makes this phishing attack really good? It “utilizes a convincing domain name, TLS certs, and even requests OTP codes that could easily cause people to believe they are submitting their personal information on a legitimate page.”
Did you catch that? It asks for one-time PIN (OTP) codes. In other words, it is built to capture the second factor of two-factor authentication, not just the password.
How does the scam work? The first part is just like any other phishing attack. The hackers convince you to log in to their real-looking but fake website. If you do enter your login details, the phishing site’s backend uses them, in the background and at that same moment, to log in to your real Citibank account. What happens next is what makes the scam so good.
“If the phishing site does indeed login to the Citibank account and a user has an OTP (One-Time PIN) authentication configured on their account, it will trigger Citibank to send the code to the victim’s cell phone number. As this code will be sent from Citibank’s servers, it further lends authenticity to the phishing site. The phishing page then asks the victim to enter their OTP to continue.”
2FA didn’t do you a damn bit of good, did it? The same scam website that captured your login credentials also captured your OTP code and relayed it to Citibank before it expired, so the session that resulted belongs to the attacker. Once you’re scammed, the phishing landing page redirects you back to the Citibank login page, which makes the whole thing look like a harmless glitch. Good luck figuring out what to do next.
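The relay described in the three paragraphs above, as an added simulation that is not part of the original article and not taken from the Bleeping Computer report: a toy bank that checks a password and then texts a one-time code, a victim whose "phone" is just a list, and a phishing backend that forwards whatever the victim types to the bank in real time. Everything is constructed for illustration, the hostnames are placeholders, and nothing touches a network. The second half is a contrast the original page does not make: the same relay against a second factor that signs the origin the browser is really on (the idea behind FIDO2/WebAuthn, reduced here to an HMAC with a per-user key so it runs stand-alone).

```python
"""Simulation of the real-time OTP relay described above (constructed example).
Nothing here touches a network; the origins are placeholders."""
import hashlib
import hmac
import random
import secrets

BANK_ORIGIN = "https://bank.example"          # placeholder for the real site
PHISH_ORIGIN = "https://bank-secure.example"  # placeholder look-alike domain


class Bank:
    """Password, then a one-time code texted to the user's phone."""

    def __init__(self, users, rng=None):
        self.users = users                      # username -> password
        self.phones = {u: [] for u in users}    # username -> SMS inbox
        self.rng = rng or random.SystemRandom()
        self.pending = {}                       # username -> OTP awaiting verification
        self.sessions = {}                      # session token -> username

    def issue_session(self, username):
        token = secrets.token_hex(8)
        self.sessions[token] = username
        return token

    def login(self, username, password):
        if self.users.get(username) != password:
            return False
        otp = f"{self.rng.randrange(10**6):06d}"
        self.pending[username] = otp
        self.phones[username].append(otp)       # the SMS really comes from the bank
        return True

    def verify_otp(self, username, otp):
        expected = self.pending.pop(username, None)
        if expected is None or not hmac.compare_digest(expected, otp):
            return None
        return self.issue_session(username)


def relay_attack(bank, victim, password):
    """Phishing backend replays the victim's inputs against the real bank.
    Returns the session token the attacker ends up holding, or None."""
    # 1. Victim submits credentials on the look-alike page; the phishing
    #    backend logs in to the real bank, which texts the victim a code.
    if not bank.login(victim, password):
        return None
    # 2. The SMS genuinely comes from the bank, so the victim trusts the
    #    page and types the code into it.
    code_typed_by_victim = bank.phones[victim][-1]
    # 3. The phishing backend forwards the code; the session is the attacker's.
    return bank.verify_otp(victim, code_typed_by_victim)


# Contrast, not from the original page: a second factor bound to the origin
# the browser is actually on (FIDO2/WebAuthn idea, reduced to an HMAC with a
# per-user key standing in for the authenticator's signature).

def sign_assertion(device_key, challenge, origin):
    return hmac.new(device_key, f"{challenge}|{origin}".encode(),
                    hashlib.sha256).hexdigest()


class OriginBoundBank(Bank):
    def __init__(self, users, device_keys):
        super().__init__(users)
        self.device_keys = device_keys    # username -> key registered at enrolment
        self.challenges = {}

    def login(self, username, password):
        if self.users.get(username) != password:
            return False
        self.challenges[username] = secrets.token_hex(16)
        return True

    def verify_assertion(self, username, assertion):
        challenge = self.challenges.pop(username, None)
        if challenge is None:
            return None
        expected = sign_assertion(self.device_keys[username], challenge, BANK_ORIGIN)
        return self.issue_session(username) if hmac.compare_digest(expected, assertion) else None


def relay_attack_origin_bound(bank, victim, password):
    """Same relay; the victim's device signs over the origin it really sees."""
    if not bank.login(victim, password):
        return None
    challenge = bank.challenges[victim]    # relayed unchanged to the victim's browser
    assertion = sign_assertion(bank.device_keys[victim], challenge, PHISH_ORIGIN)
    return bank.verify_assertion(victim, assertion)   # None: origin mismatch
```

The point of the first half is that the bank never sees anything wrong: the password is right, the code is right, and it arrived in time. The only thing the victim could have noticed is the address bar. In the second half the relay forwards the challenge perfectly, yet the assertion is signed over the look-alike origin and the bank rejects it, which is why the weakness in the Citibank case is specific to codes a person can read off a phone and retype.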
How do you protect yourself and others in your organization from attacks like this? There’s a clue in the paragraph above: convincing domain name. The whole ruse depends on you being convinced that the fake domain is real. It’s called domain name spoofing and it’s the cornerstone of most phishing attacks. Note that the fake site also has a valid TLS certificate, so the padlock in the browser proves only that your connection to the fake site is encrypted, not that the site is Citibank. Once you fall for the domain, the rest of the con is easy. But if you can detect it upfront, you have a good chance of escaping unharmed.
What’s the best way to make sure you don’t get domain name spoofed? Use technology that doesn’t fall for domain name spoofing. Use technology that doesn’t care how closely the fake website resembles the real one. Use technology like that from DuoCircle.
Phishing Protection from DuoCircle is cloud-based email security with real-time click protection which doesn’t fall for domain name spoofing (or any other phishing tactic). And because it’s cloud-based, it requires no hardware, software or maintenance. It sets up in minutes and only costs pennies per user per month.
Don’t be fooled into thinking 2FA makes you safe from hackers. Get Phishing Protection from DuoCircle and stop worrying about it altogether.