Sneaky2FA phishing tool adds ability to insert legit-looking URLs

A look at Sneaky2FA: Sneaky2FA operates through a full-featured bot on Telegram, says the report. Customers reportedly receive access to a licensed, obfuscated version of the source code and deploy it independently, which means they can customize it to their needs. On the other hand, the report notes, Sneaky2FA implementations can be reliably profiled and tracked because of the similarities in their shared codebase.

Sneaky2FA has frequently been seen using anti-analysis techniques to detect or disable browser developer tools, so that the operators can block attempts to analyze the page for malicious content, the report adds.

Defenders should note that the HTML and JavaScript of Sneaky2FA pages are heavily obfuscated to evade static detection and pattern matching, the report says. This includes tactics such as breaking up UI text with invisible tags, embedding background and interface elements as encoded images instead of text, and other changes that are invisible to the user but make it hard for scanning tools to fingerprint the page.

Campaigns are also known to use a ‘burn-and-replace’ tactic: the kit hides behind a fresh, long, randomized URL that lies dormant or serves harmless content until right before the attack, and then quickly vanishes. This is intended to defeat domain-reputation and pattern-matching defenses.
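As an added example (not code from the CSO article or from the Push Security report it cites), the Python script below shows one defensive response to the "UI text broken up with invisible tags" trick described above: it reconstructs the text a browser would actually render, skipping hidden elements and zero-width characters, so a phrase match runs against what the victim sees rather than against the raw source. The sample HTML, the hiding styles it checks and the login phrases are constructed assumptions; nothing on this page reveals the kit's real markup.

```python
import re
from html.parser import HTMLParser
ZERO_WIDTH = re.compile(r"[\u200b\u200c\u200d\u2060\ufeff]")  # invisible word splitters
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|"
                          r"(?:font-size|opacity)\s*:\s*0(?![.\d])", re.I)
NOT_RENDERED = {"script", "style", "template", "noscript"}
VOID = {"br", "img", "input", "meta", "link", "hr", "wbr"}  # tags with no end tag
BLOCK = {"p", "div", "h1", "h2", "h3", "li", "td", "form", "label", "button", "br"}
LOGIN_PHRASES = ("sign in", "enter password", "stay signed in", "verify your identity")

class VisibleText(HTMLParser):
    def __init__(self):
        super().__init__()
        self.parts, self.stack, self.hidden_depth = [], [], 0  # depth > 0 inside a hidden subtree

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in BLOCK:
            self.parts.append(" ")  # block boundaries separate words
        if tag in VOID:
            return  # no end tag follows, so keep void tags off the stack
        hidden = (tag in NOT_RENDERED or "hidden" in a
                  or HIDDEN_STYLE.search(a.get("style") or "") is not None)
        self.stack.append(hidden)
        self.hidden_depth += int(hidden)

    def handle_endtag(self, tag):
        if tag in BLOCK:
            self.parts.append(" ")
        if tag not in VOID and self.stack and self.stack.pop():
            self.hidden_depth -= 1

    def handle_data(self, data):
        if self.hidden_depth == 0:  # drop text under any hidden ancestor
            self.parts.append(ZERO_WIDTH.sub("", data))

def visible_text(html):  # inline tags add no space, so 'Sig' + 'n in' -> 'Sign in'
    p = VisibleText()
    p.feed(html)
    return re.sub(r"\s+", " ", "".join(p.parts)).strip().lower()

def naive_match(html):  # substring scan of the raw source, which the trick defeats
    return [ph for ph in LOGIN_PHRASES if ph in html.lower()]

def rendered_match(html):  # same phrases, matched against what the victim reads
    return [ph for ph in LOGIN_PHRASES if ph in visible_text(html)]

# Constructed sample (not a real kit page): hidden spans and a zero-width space split the words
SAMPLE = ('<html><body><h1>Sig<span style="display:none">XYZ</span>n&#8203; in</h1>'
          '<p>Ent<b style="font-size:0">--</b>er pass<i hidden>zz</i>word</p>'
          '<script>document.title="Account";</script></body></html>')
```

On the sample, `naive_match` finds nothing while `rendered_match` reports both "sign in" and "enter password"; text that the kit draws as encoded images rather than DOM text is outside what this check can recover.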

A game of cat and mouse: Dan Green, author of the Push Security report, told CSO in an email that email isn’t the only way BITB attacks are spreading. In the past several months, his firm has seen LinkedIn Messenger and Google Search being used as well.

“We would encourage security teams to re-evaluate how they approach phishing detection,” he said. “[Phishing] is becoming increasingly sophisticated, it’s no longer just an email problem, and the risks are significant. A compromised enterprise cloud account (for example, Microsoft or Google Workspace) is effectively the key to everything you access in the course of the modern workday. This isn’t just the direct access to your enterprise cloud suite, but the downstream application access via SSO (single sign-on) that can be hijacked by the attacker. Most breaches start with compromised identities today, compared with software exploits or malware execution.”

Roger Grimes, data-driven defense CISO advisor at security awareness training provider KnowBe4, noted that browser vendors have worked for decades trying to prevent malicious popup boxes from appearing because they are so tricky. However, he added, criminals keep on figuring out ways to bypass the protections.

On the other hand, he added, it is getting ever harder for criminals to create malicious popup boxes. Users still have a chance to see what is happening if they are aware, he said. “Sadly,” he said, “a large percentage of users don’t.”

Educating users by providing information and examples of how browser pop-up attacks work is key, he said. In addition, CSOs should make sure browsers used by employees are as well configured as they can be to prevent these types of attacks.

“Browser vendors will respond and close the holes, but it’s always a reactive game of cat-and-mouse with the defenders always behind,” he said. “Pretty soon AI-enabled defense tools will do a better job at preventing them from happening at all. We just have to cover the gap for now.”

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4094165/sneaky2fa-phishing-tool-adds-ability-to-insert-legit-looking-urls.html
