
Re: [WEB SECURITY] Phishing attacks circumventing two-factor auth



We do this type of directed phishing attack all the time for our
global clients. Instead of having an automated MITM we have scripts
that alert us when a user visits the site and we login to the real
site once we receive the first token code. Then wait as the user
submits the second code and you're in.

The only protection mechanism that helped out was digital client
certs. But we still got into Citrix and performed a local priv
escalation, essentially controlling the internal domain. So 2-factor
authentication isn't enough. Or, in my mind, 2-factor auth doesn't
protect a user much more than static passwords.

It's all about user awareness and Incident Response.

J. Perrymon
CEO PacketFocus
www.packetfocus.com



On 7/11/06, Brian Eaton <eaton.lists@xxxxxxxxx> wrote:
On 7/10/06, dpw <dainw@xxxxxxx> wrote:
> however... the article does state that the MiTM form *posted* into the
> citibank application to authenticate the second factor.
>
> This is the part that I was responding to - regardless of the phishing lure
> the user saw - the form shouldn't have been able to post back into the
> citibank authentication system successfully. It should have been DOA trying
> something like that.

Now you've got me wondering.  The article says,

"That's because this site acts as the "man in the middle" -- it
submits data provided by the user to the actual Citibusiness login
site."

That could mean either that the web page was submitting directly to
citibank, or that the web page submitted to the spoofed site which
then forwarded the submission.  One of the "features" of this phishing
site was that it could distinguish between legitimate business codes
and faked ones, which makes me think this was MITM.

Regards,
Brian

----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
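The thread makes two claims worth seeing side by side: a one-time code typed into a look-alike site and forwarded to the real site within its validity window passes a plain second-factor check, while a second factor that is only accepted on a TLS connection authenticated with the user's own client certificate does not. The following is an added example, not code from the thread or from any of the vendors mentioned; the enrolment record, the certificate fingerprint and the timestamps are constructed, and the time-based code is a simplified toy, not a full RFC 6238 implementation.

```python
import hashlib
import hmac

# Constructed enrolment record (example data, not from the thread).
USERS = {
    "alice": {
        "otp_seed": b"constructed-seed-for-alice",
        # Fingerprint of the client certificate issued to alice (constructed value).
        "client_cert_fp": "sha256:CONSTRUCTED-FINGERPRINT-ALICE",
    }
}

WINDOW_SECONDS = 30


def current_code(seed: bytes, t: int) -> str:
    """Toy time-based one-time code: HMAC of the 30-second window number.
    Simplified for the example; it is not a full RFC 6238 implementation."""
    window = t // WINDOW_SECONDS
    mac = hmac.new(seed, window.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def otp_only_login(user: str, code: str, t: int) -> bool:
    """Plain second-factor check: whoever presents a valid, unexpired code is
    accepted, so a code forwarded from a look-alike site within the window
    still passes. Nothing ties the code to the connection it arrives on."""
    rec = USERS.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(code, current_code(rec["otp_seed"], t))


def cert_bound_login(user: str, code: str, t: int, presented_cert_fp):
    """Second factor is only accepted on a TLS connection that was authenticated
    with the user's own client certificate. A forwarding party does not hold
    that certificate, so its connection carries no (or a different) fingerprint.
    Returns (accepted, reason) so the reason can be logged for incident response."""
    rec = USERS.get(user)
    if rec is None:
        return False, "unknown_user"
    if presented_cert_fp != rec["client_cert_fp"]:
        # A valid code arriving over the wrong channel is the signal worth alerting on.
        return False, "client_cert_mismatch"
    if not hmac.compare_digest(code, current_code(rec["otp_seed"], t)):
        return False, "bad_code"
    return True, "ok"


def simulate_relay(t: int = 1_700_000_010) -> dict:
    """Constructed scenario: alice types a fresh code into a look-alike site and
    it is forwarded to the real site 5 seconds later, inside the same window."""
    code = current_code(USERS["alice"]["otp_seed"], t)
    relay_t = t + 5
    accepted_relay, reason_relay = cert_bound_login("alice", code, relay_t, None)
    accepted_user, reason_user = cert_bound_login(
        "alice", code, t, USERS["alice"]["client_cert_fp"])
    return {
        "otp_only_accepts_relay": otp_only_login("alice", code, relay_t),
        "cert_bound_accepts_relay": accepted_relay,
        "cert_bound_relay_reason": reason_relay,
        "cert_bound_accepts_user": accepted_user,
        "cert_bound_user_reason": reason_user,
    }


if __name__ == "__main__":
    for key, value in simulate_relay().items():
        print(f"{key}: {value}")
```

The `client_cert_mismatch` reason is the piece a monitoring team can act on: a correct code on a connection without the expected certificate is exactly the pattern the thread describes, and it is visible to the server even though the code itself was valid. As the thread also notes, the certificate requirement only protects the endpoints that enforce it; an internal entry point that does not require the certificate is outside this check.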