Security & Fraud

Security Experts Warn About New Scam That Bypasses 2FA

Security experts are warning about a phishing scam that can help hackers bypass two-factor authentication (2FA).

The attack was demonstrated for the first time at the Hack in the Box Security Conference in Amsterdam last month, according to Fortune. It showed how the scam uses two new tools, Muraena and NecroBrowser, to potentially trick users into sharing their private credentials.

Here’s how it works: Muraena intercepts traffic between the user and the target website. Once it has the victim on the fraudulent site, the user is asked to enter their login credentials, as well as their 2FA code. Once Muraena authenticates the session’s cookie, it is passed to NecroBrowser, which can create windows to keep track of the private accounts of tens of thousands of victims.

Amit Sethi, a senior principal consultant at Synopsys who was not a part of the presentation, said these tools “make one of these attacks easier to execute for lower-skilled attackers.”

Experts noted that 2FA is still the industry’s best practice to protect users against cyber threats. However, if available, universal second factor (U2F) is a stronger alternative. A U2F key is a secondary, physical device that users can plug into a computer port as an additional step in verifying a person’s identity after they enter their username or password.

If that’s not an option, Sethi recommended some guidelines that users can put into effect to protect themselves against 2FA phishing attacks. These include not clicking on links in suspicious emails, checking a web address in the browser before entering any credentials and avoiding entering sensitive information when using public Wi-Fi.

“If you suspect that your credentials for a website have been compromised, act quickly to change your password, and report the event to the website,” said Sethi.


Latest Insights: 

The Payments 2022 Study: Building A High-Performance Payments Team For Fraud Detection, a PYMNTS collaboration with Stripe, examines how digital platforms of all sectors and sizes plan to develop their anti-fraud teams as part of their their broader growth and development strategies. Drawing from an extensive survey from approximately 250 payments heads at digital platforms in the U.S. and abroad, our study analyzes how poor anti-fraud capabilities can harm platforms’ long-term growth strategies, and how they can build high-performing teams to tackle these challenges.


To Top