
Just When You Thought It Was Safe, CyberJerks Are Phishing Again

Since late last year, I've been reading about something called "authentication in the middle," and it's starting to get more attention. Cybercriminals have been intercepting login information in real time, even when a person uses multi-factor authentication (MFA) to log into a website. Is nothing sacred anymore?! 


This MFA interception is different from other types of interception, like when somebody hacks the Wi-Fi at the coffee shop and grabs your banking information while you're trying to pay your online bill, sipping a cappuccino.

Understanding Multi-Factor Authentication (MFA)

Most people are familiar with multi-factor authentication (MFA). Many websites and applications now require MFA as a standard, which significantly increases the difficulty for hackers to breach a person's account. However, as security measures advance, so do the hackers who are constantly on the prowl for fresh methods to deceive us. This "authentication in the middle" or "real-time interception" is accomplished by creating fake versions of common or popular websites.

How "Authentication in the Middle" Works

The Bait: In an authentication in the middle attack, a user is tricked into visiting a phishing website that mimics a real site like a bank, email provider, or social media platform. When the user logs in, their credentials are immediately sent to the attackers and simultaneously forwarded to the authentic site. The legitimate site then sends an MFA request to the user, who unwittingly provides the one-time code to the hackers. With this information, the attackers can complete the login at the real site using the stolen credentials.
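The relay described above works because a one-time code carries nothing that ties it to the site where it was typed. The following sketch is an added example, not part of the original post: it contrasts that with a login response that is signed together with the address the browser was actually on, which is how passkeys and FIDO2 keys behave. The site names, the code value, and the use of HMAC in place of a real public-key signature are assumptions made for illustration.

```python
import hashlib, hmac, json, secrets

REAL_ORIGIN = "https://bank.example"        # constructed legitimate site
FAKE_ORIGIN = "https://bank-example.net"    # constructed lookalike site

def otp_accepted(submitted, expected):
    # A one-time code is only digits: nothing records where it was typed.
    return hmac.compare_digest(submitted, expected)

class ToyAuthenticator:
    """Stand-in for a passkey or FIDO2 key. Real devices sign with a private
    key; HMAC with a shared key is an assumption made to stay stdlib-only."""
    def __init__(self, key):
        self.key = key

    def sign(self, challenge, origin):
        # 'origin' is supplied by the browser from the address bar, not by the page.
        client_data = json.dumps({"challenge": challenge, "origin": origin},
                                 sort_keys=True).encode()
        return client_data, hmac.new(self.key, client_data, hashlib.sha256).hexdigest()

def assertion_accepted(key, challenge, client_data, sig):
    expected = hmac.new(key, client_data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False                       # signed data was altered in transit
    data = json.loads(client_data)
    return data["challenge"] == challenge and data["origin"] == REAL_ORIGIN

def demo():
    key, challenge = secrets.token_bytes(32), secrets.token_hex(16)
    device = ToyAuthenticator(key)
    on_fake, sig_fake = device.sign(challenge, FAKE_ORIGIN)
    on_real, sig_real = device.sign(challenge, REAL_ORIGIN)
    rewritten = on_fake.replace(FAKE_ORIGIN.encode(), REAL_ORIGIN.encode())
    return {
        "otp_typed_on_fake_site": otp_accepted("492731", "492731"),
        "passkey_used_on_fake_site": assertion_accepted(key, challenge, on_fake, sig_fake),
        "passkey_origin_rewritten": assertion_accepted(key, challenge, rewritten, sig_fake),
        "passkey_used_on_real_site": assertion_accepted(key, challenge, on_real, sig_real),
    }

if __name__ == "__main__":
    print(demo())
```

The real site accepts the one-time code no matter where the user typed it, but it rejects the signed response from the lookalike address, including the copy whose address was rewritten after signing.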

The Consequences of Phishing

Once the criminals gain access to an account, they can begin altering its details, such as the email address and password, rendering the user unable to log in. It’s disturbing how suspicious a person has to be today, even when trying to log into a familiar website. These phishing websites can also appear in sponsored search results, making it even more challenging.

Safeguards Against "Authentication in the Middle" Attacks

Until the good guys can find a solution, here are some quick safeguards to protect against "authentication in the middle" attacks:

  • Don't take sponsored search results at face value. If something looks fishy, check the links. Make sure the website URL is accurate and not slightly misspelled, such as "Amaz0n" instead of "Amazon", or .net instead of .com.

  • Stay alert, and pass it on. Understanding and sharing new tactics of scammers is crucial for dodging new tricks.

  • Try passkeys. Passkeys replace traditional passwords with a more secure login method, using an authentication process that is more complex yet streamlined. MFA, by contrast, adds an extra layer of security to existing password-based systems. If you can, check out and use a FIDO2-compliant hardware key as your second factor. 2FA that relies on a FIDO2 device can’t be phished... yet.
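The link check from the first safeguard can be automated. This is an added example, not code from the original post: it compares a URL against a short list of sites the user really uses and flags the two tricks named above (swapped characters such as "Amaz0n" and a wrong ending such as .net), plus one generalization, the real name placed in front of a different domain. The allow-list, the character swaps, and the two-label domain rule are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allow-list: sites this user actually has accounts with.
KNOWN_SITES = ("amazon.com", "example-bank.com")

# Common digit-for-letter swaps in lookalike names (not exhaustive).
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def registrable(host):
    """Last two labels of the hostname.
    Assumption: no multi-part suffixes such as co.uk (a real tool would
    consult the Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def skeleton(name):
    """Fold lookalike characters so visually similar names compare equal."""
    return name.translate(SWAPS).replace("rn", "m")

def check_url(url):
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable(host)
    if domain in KNOWN_SITES:
        return "ok"
    name, _, tld = domain.rpartition(".")
    for known in KNOWN_SITES:
        k_name, _, k_tld = known.rpartition(".")
        if name == k_name and tld != k_tld:
            return f"suspicious: {known} with the wrong ending (.{tld})"
        if skeleton(name) == skeleton(k_name):
            return f"suspicious: lookalike spelling of {known}"
        if k_name in host.split("."):
            return f"suspicious: '{k_name}' used as a subdomain of {domain}"
    return "unknown site"

if __name__ == "__main__":
    for u in ("https://www.amazon.com/", "https://www.Amaz0n.com/signin",
              "https://amazon.net/", "https://amazon.com.account-verify.net/"):
        print(u, "->", check_url(u))
```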

By staying informed and sharing information, people can better protect themselves from these sophisticated phishing schemes.
