订阅

多平台阅读

微信订阅

杂志

申请纸刊赠阅

订阅每日电邮

移动应用

商业 - 科技

网络惊现新型钓鱼技术,可通过双重验证

Alyssa Newcomb 2019年06月11日

安全专家已经证实,某种自动化的钓鱼攻击可以穿透这层被称作2FA的额外防护,它可能会欺骗没有疑心的用户,让他们共享自己的私有凭据。

双重验证是一种要求用户输入发送到他们手机或邮件中的验证码的额外安全防护步骤,历来被用于防止钓鱼攻击获取用户名和密码。

然而,安全专家已经证实,某种自动化的钓鱼攻击可以穿透这层被称作2FA的额外防护,它可能会欺骗没有疑心的用户,让他们共享自己的私有凭据。

这种攻击最早在上个月阿姆斯特丹举办的Hack in the Box安全大会上得到了证实。6月2日,一段演示的视频发布在YouTube上,再次引起了人们的关注:尽管有了2FA等更加强大的安全工具,但黑客在突破额外安全防护屏障上也变得更加娴熟。

黑客会协同使用Muraena和NecroBrowser,实现攻击的自动化。这两项工具就像完美的犯罪二人组。你可以把Muraena看作是聪明的银行抢劫者,而NecroBrowser则是负责犯罪后逃跑的司机。

Muraena会截获用户和目标网站之间的流量,充当受害者与合法网站之间的代理。一旦Muraena让受害人访问形似真正登录页面的假冒网站,就会让他们和往常一样输入登录凭证和2FA验证码。确认了会话cookie的真实性后,它就会将数据传输给NecroBrowser,后者可以建立窗口,追踪数万个受害者的私人账户。

开源编码网站GitHub上也发布了攻击演示,让开发者看看攻击的作用机制。

与会上展示无关的Synopsys的高级首席顾问阿米特·塞提表示,尽管针对2FA的攻击在过去就已经得到证实,但这些工具“可以让水平较低的攻击者更轻易地发动攻击”。

安全专家表示,尽管可以被黑客攻破,但2FA仍然被视为最好的安全措施,比单纯依靠用户名和强密码要好得多。

塞提表示:“当然,这并不意味着人们就不用担心了。我们现在需要更加努力地检测网络钓鱼行为。”

研究人员和塞提都表示,如果可用,通用第二因素(U2F)是一种强大的方案。U2F密钥是一种辅助性物理设备,可以插入电脑的USB接口,作为用户在输入用户名或密码后确认其身份的额外手段。

塞提还指出,如果无法采用这种方案,保持警惕有助于避免潜在的2FA钓鱼攻击,例如不要点击可疑邮件中的连接,输入凭证前检查浏览器中的网址,避免在接入公共Wi-Fi时输入敏感信息。

塞提说:“如果怀疑自己登录某网站的凭证已经被盗,请迅速修改密码,并把情况报告给该网站。(财富中文网)

译者:严匡正

Two-factor authentication, the added security step that requires people enter a code sent to their phone or email, has traditionally worked to keep usernames and passwords safe from phishing attacks.

However, security experts have demonstrated an automated phishing attack that can cut through that added layer of security—also called 2FA—potentially tricking unsuspecting users into sharing their private credentials.

The attack was first demonstrated at the Hack in the Box Security Conference in Amsterdam last month. A video of the presentation was posted on YouTube on June 2, bringing renewed attention to how hackers are getting better at penetrating extra layers of security, despite people using stronger tools, like 2FA.

The hack employs two tools, called Muraena and NecroBrowser, which work in tandem to automate the attacks. The two tools work together like the perfect crime duo. Think of Muraena as the clever bank robber, and NecroBrowser as the getaway driver.

Muraena intercepts traffic between the user and the target website, acting as a proxy between the victim and a legitimate website. Once Muraena has the victim on a phony site that looks like a real login page, users will be asked to enter their login credentials, and 2FA code, as usual. Once the Muraena authenticates the session’s cookie, it is then passed along to NecroBrowser, which can create windows to keep track of the private accounts of tens of thousands of victims.

A demonstration of the attack was also released on GitHub, an open source coding site, to provide developers an opportunity to see how it works.

Amit Sethi, senior principal consultant at Synopsys, who was not affiliated with the presentation, says that while attacks against 2FA have been demonstrated in the past, these tools “make one of these attacks easier to execute for lower-skilled attackers.”

Despite this hack, 2FA is still considered a best security practice—far better than the alternative of simply relying on a username and strong password, according to security experts.

“Of course this does not mean that people should not worry,” says Sethi. “We now need to be even more diligent about detecting phishing attempts.”

The researchers, and Sethi, both say that universal second factor is a strong solution, when available. A U2F key is a secondary, physical device that can be plugged into a computer port as an additional way of verifying a person’s identity after they enter their username or password.

If that’s not an option, Sethi also says being vigilant can help thwart potential 2FA phishing attacks. That includes not clicking on links in suspicious emails, checking the a web address in the browser before entering credentials, and avoiding entering sensitive information when using public Wi-Fi.

“If you suspect that your credentials for a website have been compromised, act quickly to change your password, and report the event to the website,” says Sethi.

我来点评

  最新文章

最新文章:

500强情报中心

财富专栏