As businesses and end users have become more aware of the dangers of phishing, multi-factor authentication (MFA) has become a particular focus for cybercriminals. For instance, they often try to phish SMS codes directly by following a legitimate “one-time passcode” with a spoofed message asking potential victims to “reply back with the code you just received”.
According to a new blog post from Google, attackers are also leveraging more sophisticated dynamic phishing pages to conduct relay attacks where a user thinks they’re logging into a legitimate site. However, instead of deploying a simple static phishing page that steals a user’s credentials, attackers deploy a web service that logs into the actual website at the same time that a user is falling for a phishing page.
These kinds of attacks are especially challenging to prevent because any authentication challenge shown to the attacker (such as a prompt for an SMS code) is simply relayed on to the victim. The victim’s response is then relayed back to the real website, so the attacker is effectively using the victim to solve whatever additional authentication challenges arise.
While security keys like Google’s own Titan Security Key can prevent phishing by verifying the identity of the website users are logging into, not everyone wants to carry around an additional physical device to log into all of their online accounts.
This is why Google is building this same functionality into Android smartphones and iPhones. Unlike physical FIDO security keys that need to be connected via USB, the search giant uses Bluetooth to ensure a user’s smartphone is close to the device they’re logging into. This also helps prevent “person in the middle” attacks that can still work with SMS codes or Google Prompts.
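The difference between a relayable code and a phishing-resistant credential comes down to what the user's device actually signs. The simulation below is an added illustration, not code from Google or from the article: a FIDO-style authenticator signs both the server's challenge and the origin the browser reports, and the real site rejects any response whose signed origin is not its own, while a plain one-time code carries no origin and so verifies wherever it is relayed. The origin `https://accounts.example.com`, the look-alike origin, and the HMAC secret standing in for the authenticator's asymmetric key pair are all constructed for this example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample values (not from the article). A real FIDO authenticator
# holds an asymmetric key pair; an HMAC secret stands in here so the example
# runs on the standard library alone. The origin-binding logic is the point.
REAL_ORIGIN = "https://accounts.example.com"
CREDENTIAL_SECRET = b"constructed-authenticator-secret"


def authenticator_sign(challenge: bytes, origin: str) -> dict:
    """What the user's device returns: a signature over the server challenge
    AND the origin the browser is actually talking to. The device signs the
    origin it sees; a page cannot ask it to sign a different one."""
    client_data = json.dumps(
        {"challenge": challenge.hex(), "origin": origin}, sort_keys=True
    ).encode()
    sig = hmac.new(CREDENTIAL_SECRET, client_data, hashlib.sha256).digest()
    return {"client_data": client_data, "signature": sig}


def relying_party_verify(challenge: bytes, response: dict, expected_origin: str) -> bool:
    """The real site checks that the challenge is the one it issued, that the
    signed origin is its own, and that the signature is valid. A response
    produced while the user looked at another origin fails the origin check
    even if it is passed through to the real site byte for byte."""
    data = json.loads(response["client_data"])
    if data.get("challenge") != challenge.hex():
        return False
    if data.get("origin") != expected_origin:
        return False
    expected_sig = hmac.new(
        CREDENTIAL_SECRET, response["client_data"], hashlib.sha256
    ).digest()
    return hmac.compare_digest(expected_sig, response["signature"])


def login_flow(browser_origin: str) -> bool:
    """One FIDO-style login where the user's browser displays `browser_origin`.
    The challenge always originates from the real site and the response is
    always delivered to the real site; only the displayed origin varies."""
    challenge = secrets.token_bytes(32)
    response = authenticator_sign(challenge, browser_origin)
    return relying_party_verify(challenge, response, REAL_ORIGIN)


def otp_flow(browser_origin: str) -> bool:
    """Contrast: an SMS-style one-time code. The code is bound to nothing but
    itself, so the real site cannot tell which origin the user typed it into."""
    issued_code = f"{secrets.randbelow(10**6):06d}"
    typed_code = issued_code  # the user types the code wherever they were asked
    del browser_origin  # the server never learns it; nothing to check against
    return hmac.compare_digest(issued_code, typed_code)


if __name__ == "__main__":
    print("FIDO, genuine origin:   ", login_flow(REAL_ORIGIN))
    print("FIDO, look-alike origin:", login_flow("https://accounts-example.com"))
    print("OTP, genuine origin:    ", otp_flow(REAL_ORIGIN))
    print("OTP, look-alike origin: ", otp_flow("https://accounts-example.com"))
```

The relaying of the page is never implemented here; `login_flow` only varies the origin the browser would report, which is enough to show why the server-side check succeeds for the genuine site and fails otherwise, and why the OTP path has no such check to fail.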
At the same time, Google has also been working to make its traditional Google Prompt challenges more phishing resistant by asking users to match a PIN code with what they’re seeing on screen, in addition to clicking “allow” or “deny”. The company has even begun experimenting with more involved challenges for higher-risk situations, such as when it sees users logging in from a computer that might belong to a phisher, including asking users to join the same Wi-Fi network on their phone as the computer they’re logging in from.
With these new phishing protections in place and the right training, both employees and consumers can avoid having their credentials and online accounts stolen.