Phishing Attacks Can Now Bypass Multi-Factor Authentication
The healthcare industry has been steadily moving towards consumerization. As the industry moves towards value-based care and patients demand easier access to their data, cyber threats grow in step. Greater patient access, through telemedicine, mobile apps, patient portals, and remote platforms, also enlarges the attack surface.
To counter this threat, two-factor or multi-factor authentication (2FA) was introduced. 2FA confirms a user's identity with a combination of two different factors. One familiar example is withdrawing money from an ATM, which requires both the bank card and the PIN; a password combined with a generated one-time code works the same way.
Nevertheless, a security researcher has recently released a hacking tool that automates phishing attacks and gets past multi-factor authentication with relative ease.
What Does This Hacking Tool Look Like?
Developed by Piotr Duszynski, Modlishka is a reverse proxy tool designed to handle traffic from both login pages and phishing attacks. The tool sits between the user and the target website: the user connects, through a phishing domain, to the Modlishka server, which in turn talks to the real site.
Traditionally, phishing campaigns rely on a copy of the target website that resembles it as closely as possible, along with emails that look nearly identical to legitimate corporate messages. With Modlishka there is no copy: users are passed through the legitimate site's real pages, and the proxy records everything they enter along the way.
This means that every password and credential the user types is recorded in the tool's backend. At the same time, the legitimate site's request for the two-factor code is relayed to the user, and the code is captured as well. An attacker who monitors and collects this information in real time can use it to log into the system and the victim's account. All that is needed to run the tool is a phishing domain on which to host the server and a valid TLS certificate.
In his blog, Duszynski writes: “I hope that this software will reinforce the fact that social engineering is a serious threat, and cannot be treated lightly. So the question arises: is 2FA broken? Not at all, but with a right reverse proxy targeting your domain over an encrypted, browser trusted, communication channel one can really have serious difficulties in noticing that something is seriously wrong.”
He goes on: “Include lack of user awareness, and it literally means giving away your most valuable assets to your adversaries on a silver plate. At the end, even the most sophisticated security defense systems can fail if there is no sufficient user awareness and vice versa for that matter.”
How to Protect Against Modlishka
The best method to protect your organization against this threat is hardware two-factor authentication based on the U2F protocol. The next step should be raising awareness of reverse proxy phishing attacks among staff members and other users.
A good password manager is also worth having, as password managers remain a strong defense against phishing. A password manager will not offer to fill your password on a domain it does not recognize, so you will not hand over your credentials unless the URL matches the one the credentials were saved for.
In the healthcare industry, user authentication is among the points most exposed to cybercrime, and the arrival of this tool, along with others that may exist, raises that risk further.
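Both of the defenses above work for the same reason: the browser, not the web page, decides which origin a credential belongs to. The simulation below is an added illustration, not code from the article or from Modlishka, of why a U2F key is not fooled by a reverse proxy: the key signs over the origin the browser reports, so an assertion produced on the phishing domain fails verification at the real site even though the proxy relayed the real site's challenge. The origins, the `Authenticator` and `RelyingParty` classes and the HMAC-based stand-in for the key's ECDSA signature are all simplifications of my own; the real protocol uses a per-credential asymmetric key pair and a fixed byte layout, which this does not reproduce.

```python
"""Origin binding: why a hardware U2F/FIDO key defeats reverse-proxy phishing.

Added illustration, not code from the article or from Modlishka. An HMAC over
the authenticator's per-credential secret stands in for the real ECDSA
signature; the message mirrors the U2F idea of signing over
(origin hash || client data hash) without copying the exact byte format.
"""
import hashlib
import hmac
import json
import os

LEGIT_ORIGIN = "https://portal.example-health.test"   # constructed
PHISH_ORIGIN = "https://portal.example-heallth.test"  # constructed lookalike


class Authenticator:
    """Hardware key: one secret per registered credential, never leaves the device."""

    def __init__(self) -> None:
        self._secret = os.urandom(32)

    def credential_key(self) -> bytes:
        # Simplification: the server stores this key at registration time.
        # A real key exports an ECDSA public key instead of a shared secret.
        return self._secret

    def sign(self, origin: str, challenge: bytes) -> dict:
        # The browser, not the page, supplies the origin of the page that asked
        # for the assertion, so a phishing page cannot claim to be the real site.
        client_data = json.dumps({"challenge": challenge.hex(), "origin": origin},
                                 sort_keys=True).encode()
        msg = hashlib.sha256(origin.encode()).digest() + hashlib.sha256(client_data).digest()
        return {"client_data": client_data,
                "signature": hmac.new(self._secret, msg, hashlib.sha256).digest()}


class RelyingParty:
    """The legitimate site: knows its own origin and the registered credential key."""

    def __init__(self, origin: str, credential_key: bytes) -> None:
        self.origin = origin
        self.credential_key = credential_key

    def new_challenge(self) -> bytes:
        return os.urandom(32)

    def verify(self, challenge: bytes, assertion: dict) -> bool:
        data = json.loads(assertion["client_data"])
        # 1. The challenge must be the one we issued (blocks replay).
        if data["challenge"] != challenge.hex():
            return False
        # 2. The origin recorded by the browser must be ours. A proxy that relays
        #    our challenge still receives an assertion bound to its own domain.
        if data["origin"] != self.origin:
            return False
        # 3. The signature must cover exactly that origin and client data.
        msg = hashlib.sha256(data["origin"].encode()).digest() + \
            hashlib.sha256(assertion["client_data"]).digest()
        expected = hmac.new(self.credential_key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


def login_attempt(page_origin: str) -> bool:
    """Simulate one login where the user's browser is on `page_origin`.

    Returns True if the real site accepts the assertion."""
    key = Authenticator()
    rp = RelyingParty(LEGIT_ORIGIN, key.credential_key())
    challenge = rp.new_challenge()                 # a proxy can relay this unchanged
    assertion = key.sign(page_origin, challenge)   # browser fills in the real origin
    return rp.verify(challenge, assertion)         # proxy forwards it to the real site


def password_manager_should_fill(saved_origin: str, page_origin: str) -> bool:
    """Same principle for a password manager: a credential saved for one
    origin is never offered on another, lookalike or not."""
    return saved_origin == page_origin


if __name__ == "__main__":
    print("direct login:", login_attempt(LEGIT_ORIGIN))     # True
    print("via phishing proxy:", login_attempt(PHISH_ORIGIN))  # False
```

Passwords and TOTP codes carry no origin, which is why the proxy can simply forward them; the U2F assertion carries the origin inside the signed data, so forwarding it does not help.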
Health organizations can reduce this risk by leveraging the right types of technologies and by supporting their employees to meet security best practices. If you need any help Managed Solution is at your service. Our specialists will determine the best solution that will fit your needs.
FBI Warns About Unprecedented Rise of Targeted Email (BEC) Scams
A new rash of socially engineered threats uses email to trick victims into sending money to attackers: the sender poses as a vendor, a client, or anyone the victim might know and asks for payment of an invoice by wire transfer.
The FBI has dubbed these attacks “Business Email Compromise” (BEC) scams. According to the FBI, BEC scams have been running since 2013 and have affected users from over 80 countries worldwide. In the US alone, 7,000 businesses have reported a total of $747 million in losses.
“For victims reporting a monetary loss to the IC3, the average individual loss is about $6,000,” said Ellen Oliveto, an FBI analyst assigned to the center. “The average loss to BEC victims is $130,000.”
While there are solutions that prevent many such emails from reaching your company, none is 100% foolproof. For this reason, use the recommendations below to help ensure your company does not fall victim to this crime.
Here are some recommendations:
Ensure employees within the company are aware of these targeted attacks, as well as of your organization's processes for dealing with and paying approved vendors. The BEC scam has seen an unprecedented rise since the beginning of 2015, increasing 270%.
“They have excellent tradecraft, and they do their homework. They use language specific to the company they are targeting, along with dollar amounts that lend legitimacy to the fraud. The days of these emails having horrible grammar and being easily identified are largely behind us,” says the FBI.
In some cases, scammers have even used malware to steal account credentials and gain access to private company information, which they then use in their communications to increase the legitimacy of their requests and avert suspicion. For example, they may send emails that appear to come from a colleague (typically in the accounting department), a vendor, or a supplier, asking the victim to complete a wire payment to settle an invoice.
Lastly, social engineering attacks are not limited to email. We have documented cases of phishing attacks over the phone with both automated systems and real people on the line asking for account numbers!
Transactions and conversations often take place over email, so a solid, secure business email solution, such as Microsoft Exchange Server or Office 365, is a good first step. In addition, multi-factor authentication and standard email authentication such as Sender Policy Framework (SPF), which most mail servers support, will help protect your email environment.
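SPF lets the receiving mail server check whether the connecting IP is one the sending domain has published as authorized. The evaluator below is an added example, not code from the article: it implements the mechanisms most records use (`ip4`, `ip6`, `a`, `mx`, `include`, `all`, the `+ - ~ ?` qualifiers and the `redirect=` modifier) against a constructed DNS table, so you can see how a record such as `v=spf1 ip4:203.0.113.0/24 include:... -all` is actually evaluated. The domain names and records in `DNS` are invented; `exists`, `ptr` and macros are deliberately unsupported and produce `permerror`. For production use a maintained library rather than this teaching version.

```python
"""Minimal SPF (RFC 7208) evaluator run against a constructed DNS table.

Added example, not part of the article. Supports ip4, ip6, a, mx, include,
all, the + - ~ ? qualifiers and redirect=; exists, ptr and macros return
permerror. All domains and records below are constructed.
"""
import ipaddress

DNS = {
    "txt": {
        # Company record: own mail relays plus the outsourced mail provider,
        # everything else hard-fails.
        "example-health.test": "v=spf1 ip4:203.0.113.0/24 include:spf.mailprovider.test -all",
        # The provider's record only soft-fails unknown senders.
        "spf.mailprovider.test": "v=spf1 ip4:198.51.100.0/25 ~all",
        # A partner that authorises its A and MX hosts and is neutral otherwise.
        "partner.test": "v=spf1 a mx ?all",
        # Legacy domain whose policy is delegated entirely to the main domain.
        "legacy.test": "v=spf1 redirect=example-health.test",
    },
    "a": {"partner.test": ["192.0.2.10"], "mx1.partner.test": ["192.0.2.20"]},
    "mx": {"partner.test": ["mx1.partner.test"]},
}

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip: str, domain: str, dns: dict = DNS, depth: int = 0) -> str:
    """Return pass/fail/softfail/neutral/none/permerror for `ip` sending as `domain`."""
    if depth > 10:                      # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = dns["txt"].get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"                   # no SPF policy published
    addr = ipaddress.ip_address(ip)
    ip_str = str(addr)
    redirect = None
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qualifier = "+"                 # default qualifier is '+'
        if term[0] in RESULT_BY_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # 'in' on a network of the other IP version is simply False
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip_str in dns["a"].get(arg or domain, [])
        elif name == "mx":
            hosts = dns["mx"].get(arg or domain, [])
            matched = any(ip_str in dns["a"].get(h, []) for h in hosts)
        elif name == "include":
            # include matches only when the included policy yields 'pass'
            matched = check_host(ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"          # exists, ptr, macros: not supported here
        if matched:
            return RESULT_BY_QUALIFIER[qualifier]
    if redirect:
        return check_host(ip, redirect, dns, depth + 1)
    return "neutral"                    # nothing matched and no 'all' term


if __name__ == "__main__":
    for ip, dom in [("203.0.113.5", "example-health.test"),
                    ("198.51.100.200", "example-health.test"),
                    ("192.0.2.20", "partner.test")]:
        print(f"{ip} as {dom}: {check_host(ip, dom)}")
```

The important behaviour to notice is the `-all` at the end of the company record: a spoofed message from an unlisted IP is rejected outright, whereas the provider's `~all` would only soft-fail it. A record ending in `?all` or with no `all` term at all offers almost no protection.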
Anti-spam systems are not just for “junk” mail. Most spam solutions use real-time attack information and other dynamic, intelligent systems to identify and quarantine possible threats, such as BEC attacks.
In addition, consider implementing outbound email filtering to prevent sensitive financial information, such as bank account numbers, from being sent outside of the company.
Establish a system of checks and balances that enables employees to authenticate and validate payable requests. Requiring multiple approvals for wire transfers, stricter controls over changes in vendor or supplier payment details, and additional forms of verification (such as voice calls or physical documentation) will help ensure that you are conducting a legitimate transaction.
The FBI’s Advice
1. Verify changes in vendor payment location and confirm requests for transfer of funds.
2. Be wary of free, web-based e-mail accounts, which are more susceptible to being hacked.
3. Be careful when posting financial and personnel information to social media and company websites.
4. Regarding wire transfer payments, be suspicious of requests for secrecy or pressure to take action quickly.
5. Consider financial security procedures that include a two-step verification process for wire transfer payments.
6. Create intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail but not exactly the same. For example, .co instead of .com.
7. If possible, register all Internet domains that are slightly different than the actual company domain.
8. Know the habits of your customers, including the reason, detail, and amount of payments. Beware of any significant changes.
Learn more by reading the FBI's Public Service Announcement on BEC.
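Points 6 and 7 both depend on the same thing: a list of domains that look like yours. The script below is an added example (not from the article or the FBI announcement) that builds that list for a constructed company domain, covering the `.co`-for-`.com` case the FBI mentions along with dropped characters, swapped neighbours and look-alike characters such as `rn` for `m`, and then uses it, together with an edit-distance catch-all, to flag sender domains in a handful of constructed `From:` headers. The company domain, the sample headers and the `HOMOGLYPHS` table are my own choices; the same variant list is what you would feed to a registrar for defensive registration.

```python
"""Lookalike-domain detector for inbound mail (FBI points 6 and 7).

Added example, not from the article. The company domain, sample headers and
substitution table are constructed for the demonstration.
"""
import re

COMPANY_DOMAIN = "example-health.com"   # constructed

# Constructed sample From: headers as a mail filter would see them
SAMPLE_HEADERS = [
    "From: Accounts Payable <ap@example-health.com>",
    "From: CFO <cfo@example-health.co>",            # .co instead of .com
    "From: Vendor <billing@exarnple-health.com>",   # 'rn' standing in for 'm'
    "From: Alice <alice@examplehealth.com>",        # hyphen dropped
    "From: Real Partner <joe@partner.test>",        # genuinely different domain
]

# Characters attackers commonly swap because they render alike
HOMOGLYPHS = {"m": ("rn",), "l": ("1", "i"), "o": ("0",), "i": ("l",), "w": ("vv",)}
ALT_TLDS = ("co", "cm", "om", "net", "org", "biz")


def lookalike_variants(domain: str) -> set:
    """Generate common typosquat/lookalike variants of `domain`."""
    label, _, tld = domain.rpartition(".")
    variants = set()
    for alt in ALT_TLDS:                                   # TLD swap
        variants.add(f"{label}.{alt}")
    for i in range(len(label)):                            # one character dropped
        variants.add(f"{label[:i]}{label[i + 1:]}.{tld}")
    for i in range(len(label) - 1):                        # neighbours swapped
        variants.add(f"{label[:i]}{label[i + 1]}{label[i]}{label[i + 2:]}.{tld}")
    for src, dsts in HOMOGLYPHS.items():                   # look-alike characters
        if src in label:
            for dst in dsts:
                variants.add(f"{label.replace(src, dst)}.{tld}")
    variants.discard(domain)
    return variants


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used as a catch-all for variants not generated above."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


ADDR_RE = re.compile(r"@([A-Za-z0-9.-]+)>?\s*$")


def sender_domain(header: str) -> str:
    """Extract the domain part of the address in a From: header."""
    m = ADDR_RE.search(header)
    return m.group(1).lower() if m else ""


def classify(header: str, company: str = COMPANY_DOMAIN) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one From: header."""
    domain = sender_domain(header)
    if domain == company:
        return "legitimate"
    if domain in lookalike_variants(company):
        return "lookalike"
    if edit_distance(domain, company) <= 2:   # close but not in the generated list
        return "lookalike"
    return "unrelated"


def scan(headers) -> list:
    """Return (domain, verdict) for every header that is not the real domain."""
    return [(sender_domain(h), classify(h)) for h in headers
            if classify(h) != "legitimate"]


if __name__ == "__main__":
    for domain, verdict in scan(SAMPLE_HEADERS):
        print(f"{verdict:10s} {domain}")
```

Feeding the `lookalike` verdict into a mail-filter rule covers point 6; registering the domains that `lookalike_variants` produces, or at least monitoring new registrations for them, covers point 7. The edit-distance threshold of 2 is a starting point; tune it against your own mail so that legitimate partner domains that happen to be short do not trip it.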