How to REALLY not get hacked even with Multi-Factor Authentication (MFA)

If you are a business owner or GM and are in any way up-to-date with current security practices, then you know all about Multi-Factor Authentication (MFA) also known as Two-Factor Authentication (2FA).  Banks can’t even legally let you log into their web portal without using some form of MFA, which is why you get a text message or email with a special one-time-use code to be able to do online banking.  This is such a HUGE DEAL for online security that even free services, like gmail email and yahoo email, offer 2fa at no charge.  So the important question is this:  If your business has MFA enabled on all of your online services, should you do anything else or are you totally safe?  The answer may surprise you.

If you are like us, then you have MFA enabled on any and everything.  This means you are being a responsible administrator! THANK YOU for not enabling hackers by setting your business up to pay them for their dirty-work!  

However, I recently learned of how even with MFA, your business can be totally hacked and held for ransom.  Below, I’ll outline (1) how this works and (2) the steps to prevent it.*  

*This solution ASSUMES that you already have MFA enabled on your online services.  If you do not have MFA enabled then OH MY GOODNESS DO THIS BEFORE ANYTHING ELSE IN THE WORLD!  

The 1st way an attacker will get around your fancy MFA:

• Send a fake email to a user that looks EXACTLY like a real email. Below you will see an email from Google. (There is no way to know if this is real or fake without inspecting the link and seeing if it points to a real google-owned site. This email could just as easily be an example from your bank.)

• The email asks the user click a link just like the example above does.
• This link takes the users to a page that looks EXACTLY like the page they were expecting.  See below.
  

• This site prompts you to “verify” just like the real site would.  The difference is that it sends your temporary MFA code to the attacker so that they are able to log in as if they were you!  This fake site then directs you to the real site so you don’t even know you were hacked.  GENIUS! … and evil.
• Someone else has just logged into your account with your MFA code and you have no clue!
• Did anyone notice that in the screenshot above it was not a google site?  If you did, you get a hi-5!
  

• 
  * If this was a legit google site, the URL would be “accounts.google.com”.  NOT “accounts.gougle.com”

‍

The 2nd way an attacker will bypass your fancy MFA:

• Your computer gets hacked
• Hacker kills your antivirus software
• Hacker installs monitoring software
• You log into your bank
• Your bank sends you a MFA txt
• You finish logging in and do your online banking
• The attacker, who already has control of your computer has access to everything you have access to

How to stop these two MFA bypass tricks:

Email Scam Method Solutions (any or all of the blow solutions will help you!)

• Educate users to never click links in email.  Instead, just go to the trusted website and login there directly.
• Use a service to send fake phishing emails to users… if they take the bait they need more training.  Continue to send fake phishing emails periodically so you know if any one staff member is having issues dealing with bad emails.
• Get a monitored content filter to reduce the chance that the fake link will be clickable to begin with!
• Use an email Cybersecurity solution to closely monitor email for phishing emails like the one described above.

Computer Hack Method Solutions (any or all of the below solutions will help you!)

• Get monitored antivirus so your IT team knows if your AV has been killed or if it detects something bad.
• Get a monitored network so your IT team can see if any computer is reaching out to bad locations.
• Use a workstation and/or network Cybersecurity solution to monitor and correlate workstation and network logs to find sophisticated threats lurking on computers and networks.

‍

Where to get these solutions?

Everything mentioned above is what we at QuickFix can do for our business and residential clients.  If you want to discuss the specifics of your business with us to see what type of solution is best for you.  We are always happy to help!

Stay safe out there!

-Bryant

‍

‍