04-18-2019, 08:53 AM
(04-17-2019, 12:07 AM) QMark Wrote:
(04-11-2019, 08:57 AM) Insider Wrote:
You can phish your way past 2-factor authorization.
1. Set up phishing page for victim. Looks like Google with 2fa. But it's fake.
2. Victim gets real (we login to real page as victim in real time) 2fa code from SMS/Authy, enters it into phishing page.
3. We get the 2fa code, enter it into the real page. Log in.
Victim <-> Fake 2fa <-> Real 2fa.
Taken out of the Iranian APT hackers' handbook. From their Charming Kitten campaign. https://threatpost.com/charming-kitten-i...fa/139979/
Not feasible for a large scale, but could be good for more targeted attacks.
But doesn't 2fa mean that the code is restarting every 30 seconds typically? Like, don't most apps like Authy require you to log into 2fa using a 6 digit pin that changes every 30 seconds?
Not always, but if it's the case you have to do it in real time.