As businesses and end users have become more aware of the dangers of phishing, multi-factor authentication (MFA) has become a particular focus for cybercriminals. For instance, they often try to phish SMS codes directly by following a legitimate “one-time passcode” with a spoofed message asking potential victims to “reply back with the code you just received”.
According to a new blog post from Google, attackers are also using more sophisticated dynamic phishing pages to conduct relay attacks, in which the user believes they are logging into a legitimate site. Instead of deploying a simple static phishing page that merely captures a user’s credentials, the attacker runs a web service that logs into the real website in real time, using whatever the victim types into the phishing page.
These attacks are especially hard to prevent because any authentication challenge the real site shows the attacker (such as a prompt for an SMS code) is relayed on to the victim. The victim’s response is then relayed back to the real website, so the attacker effectively uses the victim to solve every further authentication challenge that arises.
While security keys like Google’s own Titan Security Key can prevent phishing by verifying the identity of the website users are logging into, not everyone wants to carry around an additional physical device to log into all of their online accounts.
This is why Google is building this same functionality into Android smartphones and iPhones. Unlike physical FIDO security keys that need to be connected via USB, the search giant uses Bluetooth to ensure a user’s smartphone is close to the device they’re logging into. This also helps prevent “person in the middle” attacks that can still work with SMS codes or Google Prompts.
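To make concrete why the relay described above defeats an SMS code but not a FIDO/WebAuthn credential, here is an added example (constructed for this article, not Google's or any FIDO vendor's code). It assumes a relying party at the hypothetical domain accounts.example and a constructed phishing domain, and it omits signature verification so as to focus on the origin and rpId binding that the relay cannot forge.

```python
"""Constructed demo: a relayed WebAuthn assertion fails the RP's checks, a relayed OTP passes."""
import base64
import hashlib
import hmac
import json

RP_ID = "accounts.example"               # assumed relying-party identifier
EXPECTED_ORIGIN = "https://accounts.example"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def verify_assertion(client_data_json: bytes, authenticator_data: bytes, challenge: bytes) -> bool:
    """Checks a relying party makes on an assertion before (or alongside) the signature check."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("challenge") != b64url(challenge):
        return False                      # stale or replayed challenge
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False                      # the browser recorded a different site
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False                      # authenticator scoped the credential to another rpId
    return bool(authenticator_data[32] & 0x01)   # user-presence (UP) flag set


def make_auth_data(rp_id: str) -> bytes:
    """Constructed authenticatorData: sha256(rpId) || flags (UP) || 32-bit signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (1).to_bytes(4, "big")


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON as the browser, not the page, fills it in."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()


def verify_sms_code(expected_code: str, submitted_code: str) -> bool:
    """An OTP carries nothing that ties it to the site it was typed into, so a relayed one verifies."""
    return hmac.compare_digest(expected_code, submitted_code)


def demo():
    challenge = b"\x11" * 32             # constructed; a real RP draws this at random per login
    genuine = verify_assertion(make_client_data(EXPECTED_ORIGIN, challenge), make_auth_data(RP_ID), challenge)
    # Relay: the real site's challenge is forwarded to the victim on the phishing page, but the
    # victim's browser only ever signs with the phishing page's own origin and rpId.
    phish = "accounts-example.test"       # constructed phishing domain
    relayed = verify_assertion(make_client_data("https://" + phish, challenge), make_auth_data(phish), challenge)
    sms = verify_sms_code("482913", "482913")   # constructed code the victim relayed to the phisher
    return genuine, relayed, sms
```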
At the same time, Google has also been working to make its traditional Google Prompt challenges more phishing resistant by asking users to match a PIN code with what they’re seeing on screen in addition to clicking “allow” or “deny”. The company has even begun experimenting with more involved challenges for higher-risk situations when it sees users logging in from a computer that might belong to a phisher or asking users to join the same Wi-Fi network on their phone as the computer they’re logging in from.
With these new phishing protections in place and the right training, both employees and consumers can avoid having their credentials and online accounts stolen.
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.