• chevron_right

      I’m a security reporter and got fooled by a blatant phish

      news.movim.eu / ArsTechnica · Thursday, 11 August, 2022 - 22:57 · 1 minute

    This is definitely not a Razer mouse—but you get the idea.

    Enlarge / This is definitely not a Razer mouse—but you get the idea. (credit: calvio via Getty Images )

    There has been a recent flurry of phishing attacks so surgically precise and well-executed that they've managed to fool some of the most aware people working in the cybersecurity industry. On Monday, Tuesday, and Wednesday, two-factor authentication provider Twilio, content delivery network Cloudflare, and network equipment maker Cisco said phishers in possession of phone numbers belonging to employees and employee family members had tricked their employees into revealing their credentials. The phishers gained access to internal systems of Twilio and Cisco. Cloudflare's hardware-based 2FA keys prevented the phishers from accessing its systems.

    The phishers were persistent, methodical and had clearly done their homework. In one minute, at least 76 Cloudflare employees received text messages that used various ruses to trick them into logging into what they believed was their work account. The phishing website used a domain (cloudflare-okta.com) that had been registered 40 minutes before the message flurry, thwarting a system Cloudflare uses to be alerted when the domains using its name are created (presumably because it takes time for new entries to populate). The phishers also had the means to defeat forms of 2FA that rely on one-time passwords generated by authenticator apps or sent through text messages.

    Creating a sense of urgency

    Like Cloudflare, both Twilio and Cisco received text messages or phone calls that were also sent under the premise that there were urgent circumstances—a sudden change in a schedule, a password expiring, or a call under the guise of a trusted organization—necessitating that the target takes action quickly.

    Read 14 remaining paragraphs | Comments

    • chevron_right

      Ongoing phishing campaign can hack you even when you’re protected with MFA

      news.movim.eu / ArsTechnica · Tuesday, 12 July, 2022 - 22:58 · 1 minute

    Ongoing phishing campaign can hack you even when you’re protected with MFA

    Enlarge (credit: Getty Images)

    On Tuesday, Microsoft detailed an ongoing large-scale phishing campaign that can hijack user accounts when they're protected with multi-factor authentication measures designed to prevent such takeovers. The threat actors behind the operation, who have targeted 10,000 organizations since September, have used their covert access to victim email accounts to trick employees into sending the hackers money.

    Multi-factor authentication—also known as two-factor authentication, MFA, or 2FA—is the gold standard for account security. It requires the account user to prove their identity in the form of something they own or control (a physical security key, a fingerprint, or face or retina scan) in addition to something they know (their password). As the growing use of MFA has stymied account-takeover campaigns, attackers have found ways to strike back.

    The adversary in the middle

    Microsoft observed a campaign that inserted an attacker-controlled proxy site between the account users and the work server they attempted to log into. When the user entered a password into the proxy site, the proxy site sent it to the real server and then relayed the real server's response back to the user. Once the authentication was completed, the threat actor stole the session cookie the legitimate site sent, so the user doesn't need to be reauthenticated at every new page visited. The campaign began with a phishing email with an HTML attachment leading to the proxy server.

    Read 7 remaining paragraphs | Comments

    index?i=gNZm6hunJCY:hq0wnfhkGv0:V_sGLiPBpWU index?i=gNZm6hunJCY:hq0wnfhkGv0:F7zBnMyn0Lo index?d=qj6IDK7rITs index?d=yIl2AUoC8zA