toad.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
Mastodon server operated by David Troy, a tech pioneer and investigative journalist addressing threats to democracy. Thoughtful participation and discussion welcome.

#phaas

Replied in thread

@tychotithonus : thank you for responding. I'm not trying to be aggressive but to make the internet safer.

In your original toot, you wrote: "It's comforting to know that I'm significantly protected from these attempts" while showing phishing messages.

From blog.talosintelligence.com/how (a year ago):
"In the latest Cisco Talos Incident Response Quarterly Trends report, instances related to multi-factor authentication (MFA) were involved in nearly half of all security incidents that our team responded to in the first quarter of 2024".

From my own research I know that the number of phishing-sites is exploding. PhaaS makes it easy to take over accounts where weak MFA is used.

The more people use weak MFA, the more of these sorts of attacks we'll be seeing. IOW, the security of weak MFA (TOTP, SMS, number matching) will decrease over time (it has since Alex Weinert wrote this in 2019: techcommunity.microsoft.com/bl).

Furthermore, from the page referenced by you, meta.wikimedia.org/wiki/Stewar:
"Testing this service may result in the loss of your access and is not recommended for inexperienced users."

TOTP effectively means a unique strong (server supplied) password per account that people cannot possibly remember. A TOTP app simply is a disguised password manager.

There have been lots of incidents where people lost access to multiple MFA-protected accounts because they lost access to the shared secrets on their phones. Nobody tells people to make sure that backups are made of such secrets, let alone in a secure and privacy-respecting manner.

Note: a lot of TOTP apps had serious security issues a couple of years ago, as documented by Conor Gilsenan et al. in usenix.org/conference/usenixse (source: infosec.exchange/@conorgil/109). I doubt that things have significantly improved (Authy was really bad, and at the time, Google's app blocked backups of the shared secrets).

Here's, IMO, much better advice: use a password manager that checks the domain name. Use it to generate long random passwords, and make sure that its (encrypted) database is backed up after every change you make.

I wrote about the caveats of password managers in, for example, infosec.exchange/@ErikvanStrat.

Recommending people to use TOTP because they use weak passwords is a bad idea IMO: you effectively make them use a password manager (which a TOTP app is, while it does not check domain names) instead of solving the primary problem: weak passwords.

@conorgil

Cisco Talos Blog · How are attackers trying to bypass MFA? Exploring trends on how attackers are trying to manipulate and bypass MFA, as well as when/how attackers will try their 'push-spray' MFA attacks

This week, we encountered a new phishing campaign utilizing the Tycoon 2FA Phishing-as-a-Service (PhaaS) to bypass multifactor authentication (MFA).

The RDGA domains have Russian TLDs but are hosted on CloudFlare infrastructure. We have been seeing them use shared infrastructure for a few months now, definitely trying to make detection more challenging. They continue to obfuscate every piece of code but have updated their verification page. Previously, we always saw their custom Cloudflare Turnstile page, but now they also use a new captcha challenge, as shown below. (You can also check it here: urlscan.io/result/0195ed8b-7a4 )

Their old Cloudflare Turnstile page seems to still be their favorite, even though they now change their message more frequently: "Checking response before request" or "Tracking security across platform" are some of the new messages they use.

Here is a sample of the hundreds of domains we are detecting:
womivor[.]ru
nthecatepi[.]ru
toimlqdo[.]ru
dantherevin[.]ru
xptdieemy[.]ru

#dns #domains #phishing

We published a blog yesterday about a PhaaS and phishing kit that employs DoH and DNS MX records to dynamically serve personalized phishing content. It also uses adtech infrastructure to bypass email security and sends stolen credentials to various data collection spaces, such as Telegram, Discord, and email. blogs.infoblox.com/threat-inte

Infoblox Blog · PhaaS actor uses DoH and DNS MX to dynamically distribute phishing. Large-scale phishing attacks use DoH and DNS MX records to dynamically serve fake login pages
#dns #doh #mx

The new Darcula phishing-as-a-service (PhaaS) platform lets cybercriminals clone any brand’s website and create phishing pages in minutes—no coding skills required. In the past year, 95,000 phishing domains and 31,000 IP addresses have been linked to #Darcula.

Using this suite, attackers can submit a URL to generate a clone, then select the HTML elements to replace and inject phishing content (e.g., payment forms and login fields) to create a malicious replica of the legitimate landing page. They can then use the admin panel to manage their phishing campaigns and data collection.

It's getting harder to spot these attacks, so make sure you are training your team to carefully inspect URLs and email addresses, and enter known URLs rather than clicking links. Please contact us if you need help setting up a training program for your team.

Read about Darcula: thehackernews.com/2025/02/cybe

The Hacker News · Cybercriminals Can Now Clone Any Brand’s Site in Minutes Using Darcula PhaaS v3. Darcula v3 automates phishing kit creation, allowing attackers to clone any website in minutes. Netcraft has blocked 95,000 domains, yet threats persi
Replied in thread

@GossiTheDog : it's not the lack of MFA that is the problem.

Problem 1) is that a SPOF (*) is permitted access to data of millions (either directly or indirectly). This risk includes compromise of client devices.

2) Weak MFA (+) does not prevent these attacks, because the SPOF may be phished into entering their credentials in a third party page that imitates the intended Citrix Netscaler.

Please do not promote a flawed fix for bad passwords (2019: techcommunity.microsoft.com/t5).

(*) Single Point Of Failure

(+) SMS, Voice, TOTP, Number Matching, Location

TECHCOMMUNITY.MICROSOFT.COM · All your creds are belong to us! Multi-factor Authentication (MFA) matters.

I do not know exactly how the Politiehack took place.

What I do know is that many "experts" bury their heads in the sand, or even declare me crazy, when I write that:

1) It is by design that people on the internet cannot distinguish fake from real (security.nl/posting/859906/Spe), and that something *urgently* needs to be done about it;

2) They recommend using weak MFA (security.nl/posting/859561/MFA) instead of a password manager that checks domain names;

3) Among them there are *even* some who claim that we could safely use EDIW on *this* internet (a reply to a post by Ivo Jansch, one of the architects of EDIW: tweakers.net/nieuws/204138/#r_). Admittedly with the remark that alternatives must continue to exist (which today no longer exist for communication with the government or with your bank).

See also security.nl/posting/827137/Kop, at the top of that page, and security.nl/posting/833217/Int.

#Politiehack #Politie #MFA #2FA #ZwakkeMFA #Zwakke2FA #DV #Certificaten #LetsEncrypt #LetsAuthenticateTheWebsiteFirst #AitM #MitM #Phishing #EvilProxy #PhaaS #Evilginx2 #EDIW #EUDIW #EC #KopieID #KopietjePaspoort #VideoIdent

(Source of the image below: maxvandaag.nl/sessies/themas/m)

Replied in thread

@north : SMS *is* 2FA, albeit weak.

The problem with "something you know, are, or have" is that users are never told that it is essential that each factor used cannot be easily copied, stolen, guessed etc. or temporarily fall into the wrong hands (literally in this case).

Another problem is that if you lose a factor, you may no longer have access to your account.

So each factor must be strong, carefully kept secret and needs to be backed up. These are extreme requirements that nobody wants (you) to understand.

P.S. both iPhones and Android phones can be configured to *not* show SMS texts (and most other possibly confidential information) on their screen when locked.

P.P.S. Unlocked phones are vulnerable to Time Traveler TOTP attacks. An attacker with temporary access to an unlocked phone may change the system date/time to the future, read a TOTP code for a website, and restore correct system time. When the future arrives they can use your TOTP code at their leisure on their own device to log in to your account, and reuse it (within 30 sec.) if required to pwn your account.

P.P.P.S. Weak 2FA/MFA does not prevent AitM (Attacker in the Middle) phishing attacks if the AitM uses Evilginx2 or some other "evil proxy" website.

2019 "MFA had failed" (by Alex Weinert, Director of Identity Security at Microsoft) techcommunity.microsoft.com/t5

@acut3hack

TECHCOMMUNITY.MICROSOFT.COM · All your creds are belong to us! Multi-factor Authentication (MFA) matters.
#2FA #MFA #SMS
Replied in thread

@textualdeviance wrote, among other things:

« Sudden revolutions come with obscenely high body counts of innocent civilians. »

That is not necessarily true, in for example the following cases:

🔸 en.wikipedia.org/wiki/Velvet_R

🔸 A revolution that STOPS killing must take place #NOW. The annihilation of Palestinians is simply unacceptable, in particular because western countries condone, support or even encourage it. At some point the governments of the USA, NL and others must stop following orders from their Zionist sponsors, in order to not make them EVEN MORE complicit to genocide.

🔸 Personally I'm "fighting" for a safer internet; fixing tech does not have to involve bloodshed at all (although big tech and leeches like safer.io/ will lose income). Such as:

• By insisting on a system where internet users can distinguish between fake and authentic websites (see infosec.exchange/@ErikvanStrat);

• By providing strong arguments why "Chatcontrol" (governments scanning every smartphone looking for Child Sexual Abuse Material - and what not) will not protect a single child - on the contrary (infosec.exchange/@ErikvanStrat; chatcontrol is *not* just a privacy risk);

• By warning about passkeys (infosec.exchange/@ErikvanStrat) and suggesting better alternatives;

• By warning about risks such as when unlocking the screen of an iPhone/iPad with a PIN (infosec.exchange/@ErikvanStrat);

• By warning about security measures that are easily bypassed, such as 2FA/MFA (using SMS, voice, or TOTP "Authenticator" apps including Microsoft's using "number matching");

• Et cetera.

@0xabad1dea

en.wikipedia.org · Velvet Revolution - Wikipedia
#AIPAC #CIDI #Gaza

In *2019*, Alex Weinert of Microsoft wrote in techcommunity.microsoft.com/t5:

«
    MFA had failed.

    [...]
    All Authenticators Are Vulnerable
    [...]
»

Today, as echoed in bleepingcomputer.com/news/micr, Microsoft still insists that using weak MFA is a good idea.

In azure.microsoft.com/en-us/blog Microsoft writes (on August 15):

«
As recent research [1] by Microsoft shows that multifactor authentication (MFA) can block more than 99.2% of account compromise attacks, making it one of the most effective security measures available, today’s announcement brings us all one step closer toward a more secure future.
»

From that same article, "solutions" with (nearly as weak as SMS) "Microsoft Authenticator" is at the TOP of their list:

«
Organizations have multiple ways to enable their users to utilize MFA through Microsoft Entra:

• Microsoft Authenticator [...]
• FIDO2 security keys [...]
• Certificate-based authentication [...]
• Passkeys [...]
• Finally, and this is the least secure version of MFA, you can also use a SMS or voice approval [...]
»

From [1] (PDF) = query.prod.cms.rt.microsoft.co, no date of the "investigation period" to be seen *anywhere*, and one of the authors being Alex Weinert, more extreme percentages (approved by Microsoft's marketing dept):

«
Our findings reveal that MFA implementation offers outstanding protection, with over 99.99% of MFA-enabled accounts remaining secure during the investigation period. Moreover, MFA reduces the risk of compromise by 99.22% across the entire population and by 98.56% in cases of leaked credentials.
»

Dear reader: please stop buying Microsoft BS that completely ignores PhaaS.

To name a few examples:

🚨 "Experts agree [*] that setting up two-factor authentication (2FA) İs one of the most powerful ways to protect your account from getting hacked. However, hackers like COLDRIVER and COLDWASTREL may try to trick you into entering your second factor; we have seen attackers successfully compromise a victim who had enabled 2FA." - (PDF) accessnow.org/wp-content/uploa

[*] Not me. My tip is here: infosec.exchange/@ErikvanStrat

🚨 EvilGinx2: "Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication" - github.com/kgretzky/evilginx2 (there are more, like Modlishka, Muraena, CredSniper, EvilProxy (Phaas), NakedPages etc.)

🚨 Not even a fake website needed: bleepingcomputer.com/news/secu

🚨 From mrd0x.com/attacking-with-webvi:
«
Bypass 2FA
WebView2 also provides built-in functionality to extract cookies. This allows an attacker to extract cookies after the user authenticates into the legitimate website. This technique removes the need of having to spin up Evilginx2 or Modlishka but the obvious trade-off is that the user must execute the binary and authenticate.
»
In addition, from bleepingcomputer.com/news/secu:
«
"Yubikeys can't save you because you're authenticating to the REAL website not a phishing website."
mr.d0x
»
AND:
«
However, as mr.d0x admits and Microsoft pointed out in their response to our questions, this attack is a social engineering attack and requires a user to run a malicious executable.
»
Correct, but a local compromise doesn't protect you when you're using FIDO2 hardware keys or passkeys.

🚨 From 2022: microsoft.com/en-us/security/b:
«
A large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites stole passwords, hijacked a user’s sign-in session, and skipped the authentication process even if the user had enabled multifactor authentication (MFA).
»

🚨 "Phishing with Cloudflare Workers: Transparent Phishing and HTML Smuggling" - netskope.com/blog/phishing-wit

🚨 "New EvilProxy Phishing Service Allowing Cybercriminals to Bypass 2-Factor Security" - thehackernews.com/2022/09/new-

🚨 From europol.europa.eu/media-press/:
«
The investigation uncovered at least 40 000 phishing domains linked to LabHost, which had some 10 000 users worldwide.
[...]
LabRat was designed to capture two-factor authentication codes and credentials, allowing the criminals to bypass enhanced security measures.
»

🚨 "Security and Privacy Failures in Popular 2FA Apps" by Gilsenan et al. (USENIX 2023): usenix.org/conference/usenixse
The PDF can also be found here: github.com/blues-lab/totp-app- (Aegis was one of the least problematic apps, and don't use Authy).

This is what is wrong with weak MFA/2FA:

You
 o
/|\   [device + browser]
/ \          |
             v
  [login.microsoftonline-aitm.com]
             |
             v
  [login.microsoftonline.com]

(no thanks to DV-certificates).

TECHCOMMUNITY.MICROSOFT.COM · All your creds are belong to us! Multi-factor Authentication (MFA) matters.
#AitM #MitM #EvilProxy
Replied in thread

Don't rely on 2FA!

Instead use a trustworthy & secure pwmgr (password manager) that checks the domain name (like passkeys do implicitly) and, based on that, offers to autofill credentials.

And:
• Let the pwmgr generate random long unique passwords for each account;

• Back up the pw db (database) after each change (and have multiple physical locations where those back ups are stored);

• Know what to do when logging in to a website and your pwmgr comes up with *NOTHING*: don't search for credentials in the pw db for the website you were made to *believe* it is - it's fake.

<<< The phishing page, for its part, urges the victim to sign in with Microsoft Outlook or Office 365 (now Microsoft 365) to view a purported PDF document. Should they follow through, fake sign-in pages hosted on Cloudflare Workers are used to harvest their credentials and multi-factor authentication (MFA) codes. >>> thehackernews.com/2024/05/new-

@patrickcmiller

The Hacker News · New Tricks in the Phishing Playbook: Cloudflare Workers, HTML Smuggling, GenAI. Cybercriminals are exploiting Cloudflare Workers to host phishing sites targeting major email providers.
#2FA #MFA #2FAFail
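The diagram in the earlier post (the victim's browser talking to login.microsoftonline-aitm.com, which relays to login.microsoftonline.com) and the advice in the post above both hinge on one mechanism: a password manager only offers credentials on the exact origin they were saved for, so on the relay page it comes up with nothing. The following is an added illustration of that check, written for this page; it is not code from any password manager, and the vault entries and usernames in it are constructed placeholders. Real managers typically consult the public suffix list to decide what counts as the same site; this version is stricter and compares the exact host (with an opt-in for subdomains), after lowercasing and IDNA-encoding so that Unicode lookalike labels are compared in their punycode form.

```python
from urllib.parse import urlsplit

# Constructed vault: hypothetical entries for this example, each bound to the exact https origin
# (scheme, host, port) it was saved from. Nothing here is real account data.
VAULT = [
    {"origin": "https://login.microsoftonline.com", "username": "alice@example.com"},
    {"origin": "https://accounts.example.org", "username": "alice"},
]


def normalize_host(host: str) -> str:
    """Canonical form for comparison: lowercase, no trailing dot, IDNA/punycode so that a
    Unicode lookalike label (e.g. a Cyrillic 'о' inside 'microsoft') becomes an xn-- label
    that can never equal the ASCII host the credential was saved for."""
    return host.rstrip(".").lower().encode("idna").decode("ascii")


def origin_of(url: str):
    """(scheme, host, port) of a URL, or None when it is not an https origin worth filling on."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None  # never autofill over plaintext or into a URL without a host
    try:
        port = parts.port or 443
    except ValueError:  # malformed port
        return None
    return ("https", normalize_host(parts.hostname), port)


def host_matches(stored_host: str, page_host: str, allow_subdomains: bool = False) -> bool:
    """Exact host match by default. With allow_subdomains, 'sso.accounts.example.org' may use
    credentials saved for 'accounts.example.org'. A host that merely starts with or contains the
    stored name (login.microsoftonline-aitm.com, login.microsoftonline.com.evil.example) never matches."""
    if page_host == stored_host:
        return True
    return allow_subdomains and page_host.endswith("." + stored_host)


def credentials_for(url: str, vault=VAULT, allow_subdomains: bool = False) -> list:
    """Usernames the manager would offer to fill on `url`. An empty list on a page that *looks*
    like a known login page is the signal the post describes: it is not the site you think it is."""
    page = origin_of(url)
    if page is None:
        return []
    offered = []
    for entry in vault:
        stored = origin_of(entry["origin"])
        if stored and stored[2] == page[2] and host_matches(stored[1], page[1], allow_subdomains):
            offered.append(entry["username"])
    return offered


if __name__ == "__main__":
    for url in ("https://login.microsoftonline.com/common/oauth2/authorize",
                "https://login.microsoftonline-aitm.com/common/oauth2/authorize",
                "https://login.micr\u043esoftonline.com/"):  # constructed lookalike with a Cyrillic о
        print(url, "->", credentials_for(url) or "NOTHING: not a known site")
```

The scheme and port are part of the comparison on purpose: a credential saved for https://login.microsoftonline.com is not offered on http://login.microsoftonline.com or on port 8443, because in both cases the page is not the origin the user authenticated to before. The empty result is the useful output; a manager that "helpfully" searched the vault by a fuzzy name would throw that signal away, which is the failure the post warns against.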

2FA (MFA) does *not* protect against a growing number of phishing attacks:

<<<Tycoon 2FA operates as an adversary-in-the-middle (AitM) phishing kit. Its primary function is to harvest Microsoft 365 and Gmail session cookies. >>>
proofpoint.com/us/blog/email-a

You can protect yourself perfectly well against this, without using passkeys or software from, for example, Proofpoint: see security.nl/posting/841126

Proofpoint · Tycoon 2FA: Phishing Kit Being Used to Bypass MFA | Proofpoint US. Explore Tycoon 2FA, a sophisticated phishing kit used to bypass MFA. Learn how it works, what an attack looks like, detection techniques and more.
#2FA #MFA #AitM
Continued thread

Phishing-as-a-Service (PhaaS) provider LabHost was taken down in an international law enforcement operation on 18 April 2024. Chainalysis maps out LabHost's on-chain activity and use of cryptocurrency. This includes the likely payment of monthly fees by cybercriminals (for LabHost's phishing tools) to identified LabHost cryptocurrency wallets. "LabHost then sent most of those funds to a few mainstream exchanges, presumably to be cashed out, as well as to a popular mixer, likely to launder the funds and obfuscate their origins." LabHost also sent funds to a payment processor (merchant services provider) and an Infrastructure-as-a-Service provider (while not identified, Chainalysis alludes to other criminal organizations using these services for web hosting, email tools, proxy services, etc.). There are links to iSpoof, another illicit provider of tools used for fraud that was shut down by the Metropolitan Police and other law enforcement agencies in 2022. 🔗 chainalysis.com/blog/labhost-d

Chainalysis · Phishing-as-a-Service Provider LabHost Disrupted. London's Metropolitan Police have announced the disruption of PhaaS provider LabHost. See analysis of LabHost's crypto transactions here.