UPDATED 23:09 EDT / MAY 10 2018

Two-factor authentication easily bypassed in proof-of-concept attack

KnowBe4 Chief Hacking Officer Kevin Mitnick has demonstrated a proof-of-concept attack that uses social engineering and fake domain names to bypass two-factor authentication security, a disturbing turn of events for a commonly used form of security.

The attack targets accounts with a phishing attack, which attempts to trick users into clicking on a website address designed to be similar to a legitimate address. In the PoC, that could be “llnked.com,” as opposed to LinkedIn.com, a misspelling that people may overlook.

In terms of hijacking accounts, so far that’s nothing that hasn’t been seen before, but then Mitnick threw in the 2FA twist. In this case, although users connect via the malicious website, they are directed on to the official site, with code sitting behind it. When users enter their username, password and 2FA code, it is the resulting session cookie, not the data they typed, that is intercepted.

“This is not the actual six-digit code that was intercepted, because you can’t use the six-digit code again,” Mitnick explains. “What we were able to do was intercept the session cookie” that, when used, means that the attacker enters the session key into the browser to make the given site believe that it’s the legitimate user.

Zack Allen, manager of threat operations at ZeroFOX Inc., told SiliconANGLE that the demonstration shows how easy it is to spoof 2FA requests by sending a user to a phishing webpage.

“Once victims click and enter their account credentials and 2FA code, they are redirected to a URL specified by the HTTP request parameter,” Allen said. “This parameter encodes a cookie that saves the fake domain in the victim’s browser so that they are redirected to the fake domain whenever they click the phishing link. Using this trick, the attacker can not only acquire the victim’s username and password but also their cookies, which can be used to take full control of the victim’s session and bypass 2FA.”

Emphasizing just how serious the issue is, Allen said the attack demonstrates that multifactor authentication has inherent weaknesses. “A more reliable 2FA approach includes push notifications via the authentication app itself as well as ‘what-you-have’ hardware devices like a Yubikey,” he added.

Businesses and individuals alike, even with 2FA in place, need to be wary of the security implications of networks and must be educated about the possible risks, Allen warned.

“2FA is an excellent first step in ensuring that accounts are not hijacked, but as demonstrated in this example, attacks like phishing, social engineering, and spoofing still have serious consequences,” he said. “People and businesses alike need to look to more comprehensive education- and technology-based solutions for staying safe online.”

Photo: Brian Ronald/Wikimedia Commons
