[WEB SECURITY] Phishing attacks circumventing two-factor auth

Josh L. Perrymon joshuaperrymon at gmail.com
Tue Jul 11 00:24:43 EDT 2006


We do this type of directed phishing attack all the time for our
global clients. Instead of having an automated MITM we have scripts
that alert us when a user visits the site and we login to the real
site once we recieve the first token code. Then wait as the user
submits the second code and your in..

The only protection mechanism that helped out was digital client
certs. But we still got into citrix and performed a local priv
escalation essentially controlling the internal domain. So 2 factor
authentication isn't enough. Or in my mind. 2Factor auth doesn't
protect a user much more than static passwords.

It's all about userAwareness and Incident Response.

J. Perrymon
CEO PacketFocus
www.packetfocus.com



On 7/11/06, Brian Eaton <eaton.lists at gmail.com> wrote:
> On 7/10/06, dpw <dainw at fsr.com> wrote:
> > however... the article does state that the MiTM form *posted* into the
> > citibank application to authenticate the second factor.
> >
> > This is the part that I was responding to - regardless of the phishing lure
> > the user saw - the form shouldn't have been able to post back into the
> > citibank authentication system successfully. It should have been DOA trying
> > something like that.
>
> Now you've got me wondering.  The article says,
>
> "That's because this site acts as the "man in the middle" -- it
> submits data provided by the user to the actual Citibusiness login
> site."
>
> That could mean either that the web page was submitting directly to
> citibank, or that the web page submitted to the spoofed site which
> then forwarded the submission.  One of the "features" of this phishing
> site was that it could distinguish between legitimate business codes
> and faked ones, which makes me think this was MITM.
>
> Regards,
> Brian
>
> ----------------------------------------------------------------------------
> The Web Security Mailing List:
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



More information about the websecurity mailing list