A new malware designed to beat 2-fa authentication

figmentofmyass

legendary

Activity: 1652

Merit: 1483

Quote from: hatshepsut93 on February 01, 2019, 09:08:43 AM

Quote from: figmentofmyass on February 01, 2019, 01:33:30 AM

sorry if this is a dumb question, but how exactly does this compromise 2FA?

all of the compromised data is browser-based (something you know, not something you have), with the exception of "stolen text messages". but old text messages shouldn't overcome SMS 2-factor authentication because those one-time codes are only good for a very limited time. and if you use TOTP-based 2FA, you should be completely safe.

can somebody walk me through this?

If found another article , and it says that stolen cookies can be used to fake the identity of victim's machine, and thus login without a 2FA check on some sites. However, there are still a lot of unexplained details, like how they avoid 2FA checks on withdrawals, how do they spoof IP address and so on.

It's an interesting topic and people who have very important online accounts, like traders, should definitely check it, so here's some links:

https://security.stackexchange.com/questions/178663/why-isnt-stealing-cookies-enough-to-authenticate

https://stackoverflow.com/questions/2498599/can-some-hacker-steal-the-cookie-from-a-user-and-login-with-that-name-on-a-web-s

thanks for the explanation. i think i get it now. it didn't occur to me that hackers were duplicating an existing session using the stolen cookies. it's still not an easy attack to pull off since the attacker needs to spoof the IP address (and other parameters) from the original session, but it's good to be aware that this can happen. it definitely makes a strong case for requiring 2FA on withdrawals (email confirmation and TOTP) in case your session gets hijacked like this.

fumblingperch

full member

Activity: 490

Merit: 100

This is terrible. No matter how we try to protect your funds, there are still new ways to hack your wallets and accounts. Now I'm even more worried about my money.

vit05

hero member

Activity: 672

Merit: 526

Quote from: Patatas on February 02, 2019, 10:29:41 AM

How can it beat the 2FA if your primary source of the Authenticator is the application downloaded in your phone? The cookies and stuff aren’t applicable here. I don’t understand why would one use browser again to store anything related to 2FA.

It doesn't. What this malware does is try to take advantage of the session that is already open. He tries to fool the website by saying it's just a continuation of the last login.

Hacker could not type 2fa again. Since the combination expires fast. It would take advantage of the last numbers entered or the open session.

But most serious sites ask for 2fa again depending on the ip used.

Oceat

sr. member

Activity: 2506

Merit: 368

Quote from: aoluain on February 01, 2019, 01:55:45 AM

~snip~
I have always used Firefox in private mode, I dont allow Firefox to store
my browsing history. This is something the Mozilla foundatuon have
always based the operations on.
...

I think this is just the same with Google Chrome, they do have incognito mode which is basically similar to what you have said. Incognito never store your passwords, cookies, and history of your browser. And i think personally the biggest difference between these two is just how the processing of these two is much more different. Chrome is way faster than Firefox in terms of quick response, IMO.

khufuking

sr. member

Activity: 840

Merit: 266

Quote from: hatshepsut93 on February 01, 2019, 09:08:43 AM

If found another article , and it says that stolen cookies can be used to fake the identity of victim's machine, and thus login without a 2FA check on some sites. However, there are still a lot of unexplained details, like how they avoid 2FA checks on withdrawals, how do they spoof IP address and so on.

Faking the identity of the victim's machine will not make you bypass 2FA, I have 2FA setup on all my exchanges and I always asked to enter my 2FA and I never changed the computer I am using with my exchanges, also in some exchanges like Bittrex I always have to confirm by email+2FA if my Ip changed. I don't see in the article any mentioning about the way the attackers get bypass 2FA and if they are talking about the old one-time text message it still can't be done because it is only valid for one-time logging and for a limited time.

BrewMaster

legendary

Activity: 2114

Merit: 1293

There is trouble abrewing

Quote from: xWolfx on February 02, 2019, 10:35:44 AM

To be honest, between hackers and regular users that is not even a battle. Hackers win easily.

you don't really need to be an expert to be pretty safe. of course 100% safety is impossible no matter what you do and how "expert" you are but even a "regular user" with basic understanding of computers can be as safe that he/she never loses anything ever in his entire life. there are just certain precautions that you have to always take like not downloading or even visiting sites with anything fishy in them. keeping your secrets password protected,...

Fredomago

legendary

Activity: 2996

Merit: 1054

Leading Crypto Sports Betting & Casino Platform

Quote from: Indamuck on February 02, 2019, 10:37:49 AM

Malware and security will always be at an arms race to defeat each other. No matter how secure we think we are all it takes is one genius to crack the puzzle and we are screwed. Also no matter how good your digital security is you are still prone to a physical wrench attack.

It will be a continuous battle between, this news is really alarming and needs to be well understood, hackers are always finding ways to penetrate
and if we give them a little chance they will attack quicker than we think that we are well protected, it's best to always be updated and take things
seriously to learned more prevention regarding to this concern.

Indamuck

hero member

Activity: 1120

Merit: 554

Malware and security will always be at an arms race to defeat each other. No matter how secure we think we are all it takes is one genius to crack the puzzle and we are screwed. Also no matter how good your digital security is you are still prone to a physical wrench attack.

xWolfx

member

Activity: 322

Merit: 20

Donating 10% to charity

Quote from: bit-freedom on February 02, 2019, 08:15:48 AM

Thank you for the warning. It is a strong battle between the hackers and users like us. Please stay safe everybody and be careful when clicking on hyperlinks and downloading stuffs. Stay safe and let’s win the battle against the hackers and scammers.

To be honest, between hackers and regular users that is not even a battle. Hackers win easily.

This malware affects Mac users but don't think that because you're not using a Mac you're safe from a 2-factor authentication bypass. Using phishing links, an attacker can also bypass the authentication by using the real website but acting as some kind of intermediary between you and the website, so you are getting the real code and submitting for the hacker to be have access.

A really good attacker wanting you to click a link will most likely make you click a link. The rate of people who falls for that simple attack vector is incredibly huge.

Patatas

legendary

Activity: 1750

Merit: 1115

Providing AI/ChatGpt Services - PM!

How can it beat the 2FA if your primary source of the Authenticator is the application downloaded in your phone? The cookies and stuff aren’t applicable here. I don’t understand why would one use browser again to store anything related to 2FA.

Reid

hero member

Activity: 3052

Merit: 651

Thank you kenzawak for opening this kind of discussion. It is an eye opening.

pooya87 and aoluain thank you also for answering with web browser hacking and what should be used for security and you both have the same answer into what is most advised as a great browser.

Now, I am uninstalling my chrome. I am not really into digging about browser but this is an eye opener although it aint the target of the thread.
I believe 2FA aint that easy to be hacked. Just changing a smartphone and also reporting the change will give you a hard time, what more into hacking it.
I passed all my documents just so I could get it back and it took 2 days for me to recover it all. I believe that is how secured it is.

seoincorporation

legendary

Activity: 3346

Merit: 3125

Quote from: Malam90 on January 31, 2019, 09:55:43 PM

Quote from: kenzawak on January 31, 2019, 04:57:16 PM

...

It is very alarming news for the general people who use Internet from PC, or Android. If Google Chrome isn't enable to protect such maleware, it is shocking. I think Google Chrome will detect this maleware soon.

Is the hacking race, always hacker will develop new tools and them with work until someone develops a patch, that's how this world works. The crazy fact is the attacking vector, 2FA and MacOS, That's what has me amazed because those were two important security factors and fun to see how they are the vuln.

sehoon

full member

Activity: 840

Merit: 101

I think they should do something about how to prevent the malware from getting into our funds. And do a free service that will make us secure, and our funds secure where we don't have to purchase a hardware wallet because not everyone can afford that yet. I hope they do something about this right away.

JRoa

full member

Activity: 528

Merit: 100

Quote from: qiman on February 01, 2019, 02:06:42 AM

This is so unfortunate that the bad apples are working so hard to undermine mass adoption and make it very difficult for the average Joe Bloggs to enter crypto. Instead of being useful and becoming advocates for change and helping people join this big technical revolution, they prefer to work hard just for quick gain and out of malice to make sure less and less people want to join this niche market. Many newbies are frightened off because of this attitude from rogue entities and it scares them entering this space. I do hope that cyber police become more and more vigilant in catching these nasty people who are trying to undermine crypto and the blockchain for normal users and investors.

It is one of the factors why there are people who are afraid to enter the market. They are afraid to lose their money due to the hackers that are so skillful. Hackers are always finding a way for them to hack cryptocurrencies in all over the market. If we can only stop them, the mass adoption will happen.

kucritt

full member

Activity: 616

Merit: 100

is it true?i think 2FA authentication is made for make people that want to hack the account can't hack it because it will use another applications or another platform t make a verification of the owner of that wallet or that account, so if this is real i think we should makes another ways to makes a verification for owner

bit-freedom

sr. member

Activity: 658

Merit: 256

Thank you for the warning. It is a strong battle between the hackers and users like us. Please stay safe everybody and be careful when clicking on hyperlinks and downloading stuffs. Stay safe and let’s win the battle against the hackers and scammers.

ToyotaFortuner

full member

Activity: 574

Merit: 100

more and more viruses are spread by hackers who try to steal assets owned by cryptocurrency users, and preferably when you want to access your wallet or place of exchange you have to be more careful and not be careless.

Cofee.BLUE

sr. member

Activity: 546

Merit: 250

Quote from: kenzawak on January 31, 2019, 04:57:16 PM

https://www.newsbtc.com/2019/01/31/cryptocurrency-scam-mac/

"The software steals credentials, including browser cookies, to allow access to cryptocurrency exchange accounts. CookieMiner, as the malware is known, targets exclusively Mac users owing to the cross-device functionality of Apple’s products.
In addition to stealing login details and creatively subverting security precautions, the CookieMiner malware also uses the victim’s machine to covertly mine an obscure digital asset called Koto.
...
Google Chrome and Apple Safari cookies are stolen.
Saved usernames and credit card information from Chrome are stolen.
Text messages backed up to Mac are stolen from victims’ iPhone.
Browser cookies are stolen to defeat login anomaly detection.
...
With this combination of login credentials and cookies, attackers can often bypass the two-factor authentication process protecting accounts.
...
CookieMiner also installs mining software on the infected machine. Palo Alto Networks claim that the program is made to look like a piece of Monero-mining software. However, instead of mining the most frequently cryptojacked asset, it sets Mac users’ machine mining Koto, another privacy-focused cryptocurrency associated with Japan that can be mined using just a CPU."

For you to get access on google chrome you should have the intelligence of thousands of website developers and programmers.For someone to steal someone's phone saved information there must be a bait or device control. Hijacking can be done using finest computer with program on it and i don't think just someone could do that to leading technology companies more of like movie twists.

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

Quote from: pooya87 on January 31, 2019, 11:26:36 PM

for example using Firefox you can go to your setting and type in "master password" in the settings search bar and check its box and set a strong encryption password

I know this option is enabled in Firefox, and it make sense to set master password., But user need to enter that master password only once per session (first time Firefox is open), and then all passwords are available. From the aspect of security how much is passwords safe from hack after user is unlock passwords with master password?

I see Google Chrome offer password manager, but I do not see any mention of master password as Firefox...

https://support.google.com/chrome/answer/95606?co=GENIE.Platform%3DDesktop&hl=en

hatshepsut93

legendary

Activity: 3024

Merit: 2148

Quote from: figmentofmyass on February 01, 2019, 01:33:30 AM

sorry if this is a dumb question, but how exactly does this compromise 2FA?

all of the compromised data is browser-based (something you know, not something you have), with the exception of "stolen text messages". but old text messages shouldn't overcome SMS 2-factor authentication because those one-time codes are only good for a very limited time. and if you use TOTP-based 2FA, you should be completely safe.

can somebody walk me through this?

If found another article , and it says that stolen cookies can be used to fake the identity of victim's machine, and thus login without a 2FA check on some sites. However, there are still a lot of unexplained details, like how they avoid 2FA checks on withdrawals, how do they spoof IP address and so on.

It's an interesting topic and people who have very important online accounts, like traders, should definitely check it, so here's some links:

https://security.stackexchange.com/questions/178663/why-isnt-stealing-cookies-enough-to-authenticate

https://stackoverflow.com/questions/2498599/can-some-hacker-steal-the-cookie-from-a-user-and-login-with-that-name-on-a-web-s

Maybe on some sites you can remove 2FA if you have access to the email, and if this malware can give access to victims email, they can get all the control they need.

Topic: A new malware designed to beat 2-fa authentication (Read 399 times)