
Mike, a senior executive, had two-factor authentication enabled on his Office 365 account, so the attacker needed the verification code to take over Mike's account. So he texted Mike a fake enrollment notification. In this example, the attacker posed as an Employee Emergency Notification Service; however, it could have been any other service that the company uses (that's why we should share less about what apps we are using).

To make it look legit, the attacker gave Mike the option to click YES or NO. It made Mike feel like he was in control and significantly increased the chances that he would continue.


The attacker most likely hit "forgot password", and a code was sent to Mike. In any case, Mike doesn't suspect that the code he received is due to a login attempt or a password reset, and thinks he is sharing it with an automated system.


Once Mike shares the code with the attacker, it's game over and the attacker can take over Mike's account. At the end, the attacker sends Mike a message saying that he was successfully enrolled, in order to close the loop so that Mike won't suspect that anything wrong happened.


How to avoid this type of attack

1) Don't automatically trust anyone, including robots. In Star Wars, droids weren't allowed in bars because they monitor everything and can be corrupted. This is where we are today with machines. Never share security codes with anyone, including automated systems that contact you out of the blue.

2) Call your admin, company, or the person in question and verify the authenticity of the request.

3) It's better to use authenticator apps (such as Google or Microsoft Authenticator) or even a hardware security key instead of text-based authentication.

4) Share less! The more an attacker knows about you, the easier it is to hack you.

5) Use Wizer Free Security Awareness to train your team.

Written by Gabriel Friedlander

I founded get-wizer.com in early 2019 with a mission to make basic security awareness training free for everyone. Since then, Wizer has been growing rapidly, with over 3000 organizations having signed up for our free training. And in 2020 we partnered with several local counties to offer free Citizen Training. We believe that in this day and age, security awareness should be a basic human skill.