Quarterly Security Update: Two-Factor Authentication Exploits
Two-factor authentication is a powerful tool in the prevention of unauthorized access to email, Office 365 applications, WINGS and WINGS Express, etc. Unfortunately, hackers can trick individuals into giving away information that would allow access to all of our systems, even with 2FA in place. This is not a theory, it has happened to a few of our users here at Wright State. I’ll try to explain how this account compromise can take place and how you can protect yourself against being the victim of this type of attack.
This type of attack starts through email. A phishing email purporting to be from one of WSU’s departments, such as Payroll, is sent to multiple individuals. The user is asked to login into our payroll system using a link provided in the email. This link does not lead to any of our systems, but rather to a page which appears to be our standard authentication page. If the user were to look closely at the URL of this page pretending to be ours, they would find that the page is hosted at a ‘.com’ site rather than a ‘.edu’ site. This is the first clue something is wrong.
In this scenario the user logs in to what they think is one of Wright State’s systems. Now the hacker has the individual’s username and password. The next step is where the 2FA compromise takes place. The user is sent to a page telling them to provide a one-time pass code from the DUO mobile app. This is another clue that something is wrong. Our official DUO 2FA page offers several options on how to confirm your identity, such as a DUO Push, one-time passcode, or in some situations a phone call. On the hackers 2FA page the user has no options other than entering a one-time passcode. This should tell you this is not our 2FA page.
If the individual provides the one-time passcode, the hacker now has all they need to gain access to the user’s account. The first thing the hacker will do is log in to DUO using the stolen username, password, and one-time passcode where they add their telephone as a second method to confirm 2FA requests. The hacker now has all they need to continue to access any and all systems the user has rights to.
It’s important to pay close attention to the web pages links lead us to. Take the time to confirm you are on a WSU webpage and not a ‘.com’ page. If you’re unsure if the email is legitimate, contact the department at WSU that the email claims to be coming from. Also, whenever possible, use DUO Push as your method of confirming your identity. The DUO Push authentication method is not subject to this type of attack.
Due to the weakness of one-time passcodes we may be forced to disable this option in order to protect the WSU community from such attacks.