Phishing U2F-Protected Accounts
Nikita Mazurov
Kenny Brown
BSides Tampa 2019
Abstract: We present a novel approach for compromising U2F-protected accounts via targeted spearphishing attacks. Neither existing phishing simulation toolkits nor phishing awareness training modules cover the particular attack vector to be discussed during the presentation, leaving users unprepared to face this kind of phishing attack. The standard thinking is that U2F-protected accounts, since they require hardware-based authentication, are 'phish proof', a dangerous assumption that can cause users to lower their guard against phishing attacks. Following a general exposition of current 2FA measures, we describe a detailed attack workflow in which a hypothetical high-value, security-conscious target who has not just 2FA but U2F enabled on their account is the victim of account-compromising spearphishing using our novel attack methodology. Aside from the novel target exploitation mechanism used to bypass U2F authentication requirements, the attack vector also leverages new top-level domain names, HTTPS, and a back-end server hosted as a Tor hidden service which is then broadcast over the clearweb, alongside a final decoy payload, with the final outcome being that the phishing page is both convincing and not readily traceable.
Bio: Nikita Mazurov, PhD, is a researcher focusing on privacy issues revolving around data archival. Kenneth Brown (CISSP, PMP) is a Federal Program Manager at VMware, USA. Having transitioned from a Senior Consultant role working with DoD customers, Kenny is currently managing a large federal healthcare program.
Copyright 2020, IronGeek