Writing after a long gap. We took part remotely in Black Hat, DEF CON 28 and Blockchain Village 2020, all held in #SAFEMODE, which was a great experience.
In my previous blog post I mentioned that in-mobile phishing apps that steal credentials are going mainstream. Two weeks ago media around the world reported a new malware family, BlackRock, which steals credentials from a wide range of applications, not only banking ones.
2FA Evading Malware Pedigree
Below we list malware families that not only steal passwords but also evade conventional two-factor authentication (2FA).
| Malware Framework | Target Application | Target Attribute | Impact | More Reference |
|---|---|---|---|---|
| BlackRock | Finance/banking apps | Sends, spams and steals SMS messages; inserts keyloggers | Can steal OTPs and passwords | ThreatFabric |
| EventBot | Banking, payment, money transfer and cryptocurrency wallet apps | SMS, 2FA codes/OTPs, TAN (transaction authentication number) codes | Compromise of banking and finance applications | Cybereason |
| TrickMo/TrickBot | Transactional apps | Transaction authorization codes (TANs) | Financial loss or unwanted transactions | IBM X-Force |
| LokiBot | Finance/banking apps | Sends, spams and steals SMS messages; inserts keyloggers | Can steal OTPs and passwords | ThreatFabric |
| Ryuk | Initially email apps, then the whole machine/PC | System files | Drops payloads, affects the system and demands a ransom | Duo Security |
| Cerberus | Google Authenticator app | 2FA codes | Compromise of any platform that relies on Google Authenticator | |
New malware families with different capabilities are detected every month. The 2FA-evading families above are a challenge for organizations: adding an extra factor on top of a password does not make the login safe when the second factor can be stolen just as easily as the password.
Cerberus in fact targets the Google Authenticator app itself, and so compromises the whole class of services that rely on it for their second factor.
SMS-based OTPs have been phased out since 2017 (NIST SP 800-63B, published that year, restricts SMS as an out-of-band authenticator) because of the rise in SIM-swapping attacks, and the industry moved to TAN-based authentication, pushTAN being the most popular variant. The families listed above show that mobile trojans do not need to swap the SIM at all: they steal the temporary token on the device itself.
2FA fails to protect against spear-phishing attacks
When credentials are harvested by phishing or spear-phishing, conventional 2FA adds little: a lookalike page captures the password and the OTP together, and the attacker replays the OTP against the real service within its validity window. Our founder Ajit Hatti, in an interview with Mike Scialom, discussed the spear-phishing attacks rocking UK politics.
The PureID authentication system is designed to resist such malware: authentication is done with PKI, so no shared secret (password or OTP) is ever typed or transmitted, and there is nothing for a keylogger, SMS stealer or phishing page to capture and replay.
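To make the replay argument concrete, here is an added example written for this post; it is not PureID's code, not a reconstruction of any protocol, and not code from any malware family named above. It assumes the RFC 4226/6238 test seed, a constructed device key and two made-up origin names (`bank.example`, `bank-login.example`). The first half shows that an OTP captured by a phishing page is accepted by the real server as long as the relay happens inside the validity window; the second half shows that a response bound to a server nonce and to the origin the user is actually talking to is rejected when relayed, which is the property a PKI challenge-response gives you and an OTP cannot.

```python
"""Added illustration (not PureID's code): a captured TOTP can be replayed by a
phishing relay inside its validity window, while a response bound to a server
nonce and to the origin the user is really talking to cannot."""
import hashlib
import hmac
import struct

# Constructed sample data: the RFC 4226/6238 test seed and an arbitrary device key.
TOTP_SEED = b"12345678901234567890"
DEVICE_KEY = b"constructed-device-key"   # stands in for a user's private key
REAL_ORIGIN = "bank.example"            # the genuine service (hypothetical name)
PHISH_ORIGIN = "bank-login.example"     # the lookalike the victim was lured to


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, zero-padded decimal."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check that accepts the current step and +/- skew steps,
    which is the usual allowance for clock drift."""
    return any(
        hmac.compare_digest(totp(secret, now + d * step, step), code)
        for d in range(-skew, skew + 1)
    )


def phish_relay_otp(t_typed: int, t_replayed: int) -> bool:
    """Victim types password + OTP into the lookalike page at t_typed; the
    attacker forwards the captured OTP to the real service at t_replayed."""
    captured = totp(TOTP_SEED, t_typed)
    return verify_totp(TOTP_SEED, captured, t_replayed)


def sign_challenge(device_key: bytes, nonce: bytes, origin_seen: str) -> str:
    """The user's device signs the server nonce together with the origin it is
    actually talking to. HMAC stands in for a public-key signature here; with
    real PKI the server would hold only the public key."""
    return hmac.new(device_key, nonce + origin_seen.encode(), hashlib.sha256).hexdigest()


def verify_challenge(device_key: bytes, nonce: bytes, response: str) -> bool:
    """The real server only accepts a response computed over its own origin."""
    expected = sign_challenge(device_key, nonce, REAL_ORIGIN)
    return hmac.compare_digest(expected, response)


def phish_relay_challenge(nonce: bytes) -> bool:
    """Attacker fetches a genuine nonce, forwards it to the victim on the
    lookalike page and relays the victim's response to the real server."""
    response = sign_challenge(DEVICE_KEY, nonce, PHISH_ORIGIN)
    return verify_challenge(DEVICE_KEY, nonce, response)


if __name__ == "__main__":
    print("OTP replayed 16 s later accepted:", phish_relay_otp(59, 75))
    print("OTP replayed 91 s later accepted:", phish_relay_otp(59, 150))
    nonce = b"\x00" * 16  # constructed; a real server issues a fresh random nonce
    legit = sign_challenge(DEVICE_KEY, nonce, REAL_ORIGIN)
    print("Legit challenge-response accepted:", verify_challenge(DEVICE_KEY, nonce, legit))
    print("Relayed challenge-response accepted:", phish_relay_challenge(nonce))
```

The OTP is a bearer value: whoever holds it inside the window can use it, from any device, against any session, so a keylogger, an SMS stealer or a relay page all win the same way. The challenge-response is rejected not because the attacker lacks the nonce (they relayed the genuine one) but because the origin the victim's device saw differs from the one the server expects. One caveat: this demonstrates why OTPs are relayable, not that any scheme survives a phone on which malware holds accessibility permissions and can drive the legitimate app directly.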
Here is a demo video of passwordless login with PureID, showing how it resists the phishing, credential theft and 2FA bypass that such malware relies on.
Time and again it has been shown that enterprises adopting 2FA to shore up passwords end up with higher cost, more complexity for administrators, more inconvenience for users, and authentication that is still insecure.