Security experts are warning about a phishing technique that lets attackers bypass two-factor authentication (2FA) by relaying the victim's login, one-time code and session through a look-alike site in real time.
The attack was demonstrated for the first time at the Hack in the Box Security Conference in Amsterdam last month, according to Fortune. It showed how the scam uses two new tools, Muraena and NecroBrowser, to potentially trick users into sharing their private credentials.
Here’s how it works: Muraena is a reverse proxy that sits between the user and the real website, so the phishing page on the attacker's look-alike domain is the genuine site relayed live, not a static copy. When the victim logs in there, the username, password and 2FA code are forwarded to the real site, which accepts them because they are valid. The session cookie the real site then issues passes through Muraena, which hands it to NecroBrowser. NecroBrowser loads the stolen cookie into headless browser instances, so the attacker can act inside the victim's account, and keep the session alive, without ever needing the password or a second code again; the tool is built to do this for tens of thousands of victims at once.
Amit Sethi, a senior principal consultant at Synopsys who was not a part of the presentation, said these tools “make one of these attacks easier to execute for lower-skilled attackers.”
Experts noted that 2FA is still the industry’s best practice to protect users against cyber threats. However, if available, universal second factor (U2F) is a stronger alternative. A U2F key is a secondary, physical device that users plug into a computer port (or tap via NFC) as an additional step in verifying a person’s identity after they enter their username and password. Unlike a one-time code, which is just a number that can be typed into any page and forwarded, the key signs a challenge together with the web origin the browser is actually on; an assertion produced on the attacker's look-alike domain is therefore rejected by the real site, which is what makes U2F phishing-resistant.
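The contrast between the two factors described above (the relayed 2FA code in the Muraena walkthrough and the origin-bound U2F key) is easy to see in a small simulation. The following is an added example, not code from the article or from the Muraena/NecroBrowser projects. It assumes hypothetical origins `login.example.com` and `login.example.com.evil.test`, implements RFC 6238 TOTP with the standard library, and models the U2F/WebAuthn assertion with HMAC standing in for the authenticator's ECDSA signature (the origin-binding logic, not the signature algorithm, is the point).

```python
"""Added example: a relayed one-time code survives a reverse-proxy phish,
an origin-bound U2F/WebAuthn-style assertion does not. Simulation only:
HMAC with a per-credential secret stands in for ECDSA, and the origins are
hypothetical. Python 3.8+, standard library only."""
import hashlib
import hmac
import json
import struct
from urllib.parse import urlparse

REAL_ORIGIN = "https://login.example.com"              # hypothetical real site
REAL_RP_ID = "login.example.com"                       # its WebAuthn rpId
PHISH_ORIGIN = "https://login.example.com.evil.test"   # hypothetical proxy host


# ---- Factor 1: TOTP (RFC 6238). The code depends only on a shared secret and
# the clock; nothing in it records which page it was typed into.
def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def site_verify_totp(secret: bytes, code: str, now: int) -> bool:
    """Real site accepts the current or the previous 30 s window."""
    return any(hmac.compare_digest(totp(secret, now - d), code) for d in (0, 30))


def relay_totp(secret: bytes, now: int) -> bool:
    """Victim types the code into the proxy's page; the proxy forwards it
    unchanged two seconds later. It verifies, so a session cookie is issued."""
    typed_on_phish_page = totp(secret, now)
    return site_verify_totp(secret, typed_on_phish_page, now + 2)


# ---- Factor 2: origin-bound assertion, modelled on navigator.credentials.get().
def browser_get_assertion(cred_key: bytes, page_origin: str, rp_id: str, challenge: str):
    """The browser, not the page, writes the origin it is really loaded on into
    clientData, and refuses an rpId that is not a suffix of that origin's host.
    Returns None when the browser refuses."""
    host = urlparse(page_origin).hostname
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()          # rpIdHash
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, signed, hashlib.sha256).digest()    # stand-in for ECDSA
    return client_data, auth_data, sig


def site_verify_assertion(cred_key: bytes, challenge: str, assertion) -> bool:
    """Real site's checks: challenge, origin, rpIdHash, then the signature."""
    if assertion is None:
        return False
    client_data, auth_data, sig = assertion
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != REAL_ORIGIN:
        return False
    if auth_data[:32] != hashlib.sha256(REAL_RP_ID.encode()).digest():
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def legit_login(cred_key: bytes, challenge: str) -> bool:
    assertion = browser_get_assertion(cred_key, REAL_ORIGIN, REAL_RP_ID, challenge)
    return site_verify_assertion(cred_key, challenge, assertion)


def relay_assertion(cred_key: bytes, challenge: str):
    """Proxy relays the real site's challenge to the victim's browser.
    Returns (browser_refused_unchanged_rp_id, site_accepted_rewritten_rp_id)."""
    # 1. rpId relayed unchanged: the browser refuses, because the page origin
    #    is not under login.example.com.
    a1 = browser_get_assertion(cred_key, PHISH_ORIGIN, REAL_RP_ID, challenge)
    # 2. Proxy rewrites rpId to its own host so the browser cooperates; the
    #    assertion now carries the phishing origin and the wrong rpIdHash.
    a2 = browser_get_assertion(cred_key, PHISH_ORIGIN, "login.example.com.evil.test", challenge)
    return a1 is None, site_verify_assertion(cred_key, challenge, a2)


if __name__ == "__main__":
    secret, key = b"12345678901234567890", b"per-credential-key"
    print("TOTP relayed through proxy accepted:", relay_totp(secret, 1000))
    print("U2F/WebAuthn legit login accepted:  ", legit_login(key, "c1"))
    print("U2F/WebAuthn relay (refused, accepted):", relay_assertion(key, "c1"))
```

The TOTP relay succeeds as long as the proxy forwards the code inside the verification window, which is exactly what a live reverse proxy does. The assertion fails twice over: the browser will not sign for an rpId that does not match the page's host, and if the proxy rewrites the rpId to its own host, the signed data then names the phishing origin and the wrong rpIdHash, so the real site rejects it. A real deployment must also verify the authenticator's actual ECDSA signature and the signature counter, which this simulation omits.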
If that’s not an option, Sethi recommended some guidelines that users can put into effect to protect themselves against 2FA phishing attacks. These include not clicking on links in suspicious emails, checking the full domain in the browser's address bar before entering any credentials (a reverse proxy serves the real site's pages, so the look of the page proves nothing), and avoiding entering sensitive information when using public Wi-Fi.
“If you suspect that your credentials for a website have been compromised, act quickly to change your password, and report the event to the website,” said Sethi.