Sophisticated phishing attacks that clone legitimate webpages and bypass two-factor authentication (2FA) are on the rise. Email security firm Cofense reported a 35% increase in phishing emails for these types of attacks compared to last year.
How the phishing attacks work
The links in these phishing emails direct victims to fraudulent sites that act as intermediaries between the victim and the real site. By acting as a go-between, a phishing site can clone the pages from the legitimate one, making it almost impossible to figure out it’s a fake.
From the victim’s point of view, the login process on the fraudulent site proceeds as usual, even if they use 2FA. The only exception is if the victim uses a security key for their 2FA. That’s because a security key should realize the site is a fake and refuse to authenticate the login.
Once authenticated, the legitimate website sends the victim what’s known as a session token. This allows the user to stay logged in while visiting different pages on the site. But as the phishing site is acting as an intermediary, the cybercriminals get the session token, too.
When they visit the real site with the victim’s session token, the site treats them as logged in as the victim. This means criminals are given access to the victim’s account without being asked for their password or second factor.
According to Cofense, these sophisticated attacks overwhelmingly targeted businesses using Office 365. Cybercriminals used them to hack into Outlook and Amazon accounts, too, but to a far lesser extent.
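The reason a security key holds up where a one-time code does not is that WebAuthn binds every login to the site's origin: the browser records the origin it is actually talking to in the signed client data, and the server rejects anything that does not match. The following added example (not code from Cofense or from any vendor named above) shows the server-side checks a relying party performs before it even looks at the signature; the origin `https://login.example.com`, the relying-party ID `example.com`, and the proxy origin `https://login.example-proxy.test` are constructed values for illustration.

```python
import base64
import hashlib
import json
import secrets

# Constructed values for the example: the legitimate login origin and the
# relying-party ID (RP ID) that the site registered its credentials under.
EXPECTED_ORIGIN = "https://login.example.com"
RP_ID = "example.com"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes) -> str:
    """Build the clientDataJSON a browser produces during a login ceremony.

    The browser, not the web page, fills in the origin field, so a proxied
    phishing page cannot claim to be the legitimate site here.
    """
    return b64url_encode(json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode())


def make_auth_data(rp_id: str, flags: int = 0x01, sign_count: int = 0) -> bytes:
    """Build the authenticator data header: rpIdHash || flags || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def verify_assertion(client_data_b64: str, auth_data: bytes, expected_challenge: bytes,
                     expected_origin: str = EXPECTED_ORIGIN, rp_id: str = RP_ID):
    """Server-side checks a relying party performs before signature verification.

    Returns (ok, reason). A real deployment would additionally verify the
    authenticator's signature over authData || SHA-256(clientDataJSON) with the
    public key stored at registration; that step is omitted here.
    """
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "clientDataJSON is not valid"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # Constant-time compare of the one-time challenge defeats replay of an old assertion.
    if not secrets.compare_digest(b64url_decode(client_data.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch"
    # The origin check is what stops a proxied login page: the browser records
    # the phishing origin, which never equals the legitimate one.
    origin = client_data.get("origin")
    if origin != expected_origin:
        return False, f"origin {origin!r} is not {expected_origin!r}"
    if len(auth_data) < 37:
        return False, "authenticator data too short"
    if not secrets.compare_digest(auth_data[:32], hashlib.sha256(rp_id.encode()).digest()):
        return False, "rpIdHash does not match the relying-party ID"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    challenge = secrets.token_bytes(32)
    auth_data = make_auth_data(RP_ID)
    print(verify_assertion(make_client_data(EXPECTED_ORIGIN, challenge), auth_data, challenge))
    # A login relayed through a phishing proxy carries the proxy's origin and is rejected.
    print(verify_assertion(make_client_data("https://login.example-proxy.test", challenge), auth_data, challenge))
```

In practice the check rarely gets this far: the browser only lets a page use credentials whose RP ID is a registrable suffix of its own host, so the security key on a proxied page finds no matching credential and never signs. The server-side origin and challenge checks are the defence in depth behind that, and they also make a stolen assertion useless for replay.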
Detecting a phishing site
Fortunately, Cofense says there are two ways to tell if you’re on a phishing site instead of the real deal. The easiest method is to examine the site’s URL, since the phishing site’s URL will not be correct. However, the cybercriminals will probably have chosen it to look very similar to the legitimate URL, so you’ll need to look carefully.
The second way to tell is to look at the website certificate. You can find this by selecting the green padlock in your browser, clicking on “your connection is secure,” and then clicking on the certificate information. If you’re on a phishing site, the name that appears in the Common Name field will have “nothing to do with” the legitimate site, Cofense says.
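Both of Cofense's checks come down to the same question: does the host the browser actually connected to, and the name on its certificate, belong to the site you meant to visit? The added example below (not Cofense's code, and not tied to any real service) puts that comparison into two small functions so the edge cases are explicit: it resolves the URL to the host a browser would really contact (so a `user@` prefix or a look-alike subdomain does not fool it), converts Unicode look-alike names to their `xn--` form, and matches certificate names with browser-style single-label wildcards. The expected host `example.com` and the certificate names are constructed values.

```python
from urllib.parse import urlsplit


def connected_host(url: str):
    """Return the lowercase ASCII host a browser would connect to, or None.

    urlsplit().hostname discards the userinfo part, so a URL such as
    https://login.example.com@other.test/ resolves to other.test, which is what
    the browser would actually contact. Unicode look-alike labels are converted
    to their xn-- form so they cannot compare equal to an ASCII name.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return None  # a login page served without TLS is already suspicious
    host = parts.hostname
    if not host:
        return None
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return host.rstrip(".").lower()


def url_belongs_to(url: str, expected_host: str) -> bool:
    """True only if the URL's host is expected_host or a subdomain of it."""
    host = connected_host(url)
    if host is None:
        return False
    expected = expected_host.lower()
    # login.example.com.other.test ends with "example.com" but not ".example.com"
    # preceded by the full expected name, so the dot-prefixed check rejects it.
    return host == expected or host.endswith("." + expected)


def cert_covers_host(host: str, cert_names) -> bool:
    """True if a certificate name (Common Name or subjectAltName DNS entry) matches host.

    A wildcard "*.example.com" matches exactly one label, as browsers require,
    so it covers login.example.com but not a.b.example.com or example.com itself.
    """
    host = host.lower()
    for name in cert_names:
        name = name.lower()
        if name.startswith("*."):
            suffix = name[1:]  # ".example.com"
            if host.endswith(suffix):
                label = host[:-len(suffix)]
                if label and "." not in label:
                    return True
        elif name == host:
            return True
    return False


def check_login_page(url: str, expected_host: str, cert_names):
    """Combine both checks and return (ok, reasons) for a login page."""
    reasons = []
    host = connected_host(url)
    if not url_belongs_to(url, expected_host):
        reasons.append(f"host {host!r} does not belong to {expected_host!r}")
    if host is None or not cert_covers_host(host, cert_names):
        reasons.append(f"certificate names {list(cert_names)!r} do not cover {host!r}")
    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed sample: a legitimate page and two look-alikes.
    print(check_login_page("https://login.example.com/auth", "example.com", ["*.example.com"]))
    print(check_login_page("https://login.example.com.other.test/auth", "example.com", ["*.other.test"]))
    print(check_login_page("https://login.example.com@other.test/auth", "example.com", ["other.test"]))
```

The certificate name list is passed in rather than fetched so the example runs offline; in a real check you would read the Common Name and subjectAltName entries from the certificate the browser shows, exactly as the article describes, and feed them to `cert_covers_host`.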
Sophisticated phishing attacks can be incredibly convincing. To avoid them, avoid clicking links in emails when you can. But if you do click a link, make sure you triple check the URL before you enter any credentials. You can check the certificate, too, to be extra safe.