Dive Brief:
- Security researchers demonstrated a phishing attack capable of sidestepping two-factor authentication (2FA), according to a YouTube video from the Hack in the Box Security Conference last month, Fortune reports.
- The attacks are automated using a combination of Muraena and NecroBrowser. Muraena works as a proxy between the targeted individual and the website they are attempting to access, effectively hijacking the flow of traffic and leading the user to a fake login page that mirrors the authentic one.
- From there, Muraena hands the reins to NecroBrowser, which tracks the victims' private accounts. The public disclosure of the attack will make it easier for low-level hackers to carry it out, according to Fortune.
Dive Insight:
Until now, two-factor authentication had long been touted as a necessary roadblock for bad actors. Still, multifactor authentication remains better security than strong usernames and passwords alone.
The 2FA and multifactor authentication market has existed for about two decades, and companies like Cisco are breaking into it: Cisco announced plans to acquire Duo Security, though its capabilities have largely stayed in the realm of physical keys, smartphones and other underlying authentication applications.
Last year Microsoft announced a security service for Azure Sphere, an end-to-end IoT cybersecurity solution. The service defends devices that use certificate-based authentication, automatically responding to threats detected in a system. It also gives users a security score produced through simulated phishing attacks, so the company can focus on the employees most susceptible to a scam.
Google uses physical security keys internally so its employees can avoid phishing schemes. The keys are USB devices used in place of 2FA, and since their introduction in 2017 the company has experienced no account takeovers.
Google's security keys let Googlers log in to applications and portals without a password, avoiding the factor that allows the Muraena/NecroBrowser attack to work. Shelling out for physical security tools isn't a realistic answer for every company, though biometrics and behavioral insights are becoming a favorable addition to security protocols.
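The reason security keys resist a proxy-in-the-middle attack like the one described above is that the WebAuthn/FIDO protocol binds each login to the origin the browser actually talked to, and the relying party's server must check that binding. The following is an added illustration of those server-side checks, written for this brief; it is not Google's code, the article's, or the Muraena/NecroBrowser projects' code. The relying party ID `example.com`, the origins, and the lookalike domain `login-example.invalid` are constructed placeholders, and the final public-key signature check over `signed_payload()` is left as a comment because it needs a cryptography library beyond the standard library.

```python
import base64
import hashlib
import json
import secrets

# Constructed values (placeholders, not from the article): the legitimate
# relying party's ID and the exact origin the browser must report.
RP_ID = "example.com"
RP_ORIGIN = "https://example.com"


def new_challenge() -> str:
    """The server issues a fresh, single-use challenge for each login attempt."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: str) -> bytes:
    """Build clientDataJSON as the *browser* does. The page cannot influence the
    `origin` field, so a proxy on a lookalike domain yields its own origin here."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()


def make_authenticator_data(rp_id: str, counter: int) -> bytes:
    """Minimal authenticatorData: SHA-256(rpId) || flags || 32-bit signature counter.
    Flag 0x01 = user presence (the key was physically touched)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + counter.to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, expected_challenge: str) -> tuple[bool, str]:
    """The relying-party checks on clientDataJSON: ceremony type, challenge and,
    crucially, origin. A login relayed through a reverse proxy fails the origin check."""
    try:
        data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if data.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {data.get('origin')!r}"
    return True, "ok"


def verify_authenticator_data(auth_data: bytes) -> tuple[bool, str]:
    """Check the rpIdHash the authenticator committed to and the user-presence flag."""
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    if not flags & 0x01:
        return False, "user-presence flag not set"
    return True, "ok"


def signed_payload(authenticator_data: bytes, client_data_json: bytes) -> bytes:
    """What the security key signs: authenticatorData || SHA-256(clientDataJSON).
    Because the origin is inside the hashed clientDataJSON, a proxy cannot rewrite
    it to the real origin without invalidating the key's signature. A real RP
    verifies the registered public key's signature over exactly these bytes
    (omitted here: needs an ECDSA/RSA implementation outside the stdlib)."""
    return authenticator_data + hashlib.sha256(client_data_json).digest()


def demo() -> tuple[tuple[bool, str], tuple[bool, str]]:
    """Genuine login versus the same login relayed through a lookalike-domain proxy."""
    challenge = new_challenge()
    genuine = make_client_data(RP_ORIGIN, challenge)
    # Constructed: the browser on the victim's machine was really talking to the
    # proxy's domain, so that is the origin it records.
    proxied = make_client_data("https://login-example.invalid", challenge)
    return verify_assertion(genuine, challenge), verify_assertion(proxied, challenge)


if __name__ == "__main__":
    print(demo())
```

The contrast with a password or a one-time code is the point: those secrets are just text the user types, so a proxy can forward them unchanged, whereas the key's signature covers the origin the browser saw and a relying party that checks it will reject the relayed login.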