Does Two Factor Authentication (2FA) prevent Phishing and/or Man-in-the-Middle (MITM) attacks?

While 2FA is clearly an improvement over only a single factor, is there anything which prevents an adversary presenting a convincing sign-in page which captures both factors?

I realise that technically a MITM attack is different to a Phishing attack, though at a high level they’re very similar — the user is inputting their credentials into an attacker-controlled page and the attacker can then input the credentials onwards into the real page.

Counterarguments against an anti-phishing procedure

Consider the procedure below. What are your counterarguments, related to both security and user experience?

This is a follow up on my previous question on the same topic.

Step one: An employee submits an e-mail to coworkers (non-internal roles are also covered):


Step two: The e-mail server intercepts all incoming mails and substitutes hyperlinks to non-whitelisted sites, e.g. surveymonkey.com/my-survey with redirect.contoso.com/surveymonkey.com/my-survey, and sends known authors the following message:


Obviously, if the GUI of the e-mail client can be modified, the verification can happen as the mail is authored.

Step three: If the author takes no action, the recipients get the e-mail after three minutes, but are presented with this message when they click the (doctored) link:


Over time, the user-vetted whitelist could be augmented with white- and blacklists provided by the security part of the organization.

The assumption is that this would intercept most link-based phishing attacks with a message of caution, while also keeping employees alert, due to the two factor authentication involved, without significantly degrading the user experience or imposing excessive policing of the employees.

So again, what are your counterarguments, related to both security and user experience?
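As an added illustration of steps two and three of the procedure above (this is example code, not part of the original question), the following Python sketch rewrites every non-whitelisted link in a message body behind the redirect service and shows how the interstitial page can recover the real destination to display it to the recipient. The whitelist contents and the redirect host name `redirect.contoso.com` are taken from the question's example; the whitelist entries themselves, and the assumption that the wrapped link is reconstructed with `https`, are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed whitelist of sites the organisation already trusts (assumption).
WHITELIST = {"contoso.com", "sharepoint.com"}
# Redirect service from the question; here it is only a hypothetical host name.
REDIRECT_HOST = "redirect.contoso.com"

def host_of(url: str) -> str:
    """Lower-cased hostname of a link; tolerates scheme-less links such as
    'surveymonkey.com/my-survey' by assuming https."""
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()

def is_whitelisted(host: str) -> bool:
    """Exact match or a true subdomain of a whitelisted site. Matching on the
    dot-prefixed suffix keeps 'contoso.com.evil.net' from passing as contoso.com."""
    return any(host == w or host.endswith("." + w) for w in WHITELIST)

def rewrite_url(url: str) -> str:
    """Step two: wrap a non-whitelisted link behind the redirect service."""
    host = host_of(url)
    if not host or is_whitelisted(host):
        return url
    parsed = urlparse(url if "://" in url else "https://" + url)
    tail = parsed.path or "/"
    if parsed.query:
        tail += "?" + parsed.query
    return f"https://{REDIRECT_HOST}/{host}{tail}"

# Only links with an explicit scheme are located in free text here.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def rewrite_body(body: str) -> str:
    """Apply rewrite_url to every http(s) link found in a message body."""
    return URL_RE.sub(lambda m: rewrite_url(m.group(0)), body)

def unwrap(wrapped: str):
    """Step three: the interstitial page recovers the destination host and URL
    from a wrapped link so it can warn 'you are about to visit <host>'.
    Returns None for links that were not produced by the redirect service."""
    parsed = urlparse(wrapped)
    if parsed.hostname != REDIRECT_HOST:
        return None
    host, _, rest = parsed.path.lstrip("/").partition("/")
    target = f"https://{host}/{rest}"
    if parsed.query:
        target += "?" + parsed.query
    return host, target

if __name__ == "__main__":
    # Constructed sample message body.
    body = ("Please fill in https://surveymonkey.com/my-survey and see "
            "https://intranet.contoso.com/policy for context.")
    print(rewrite_body(body))
    print(unwrap("https://redirect.contoso.com/surveymonkey.com/my-survey"))
```

The suffix check in `is_whitelisted` is the part worth getting right: a naive `host.endswith("contoso.com")` would let a lookalike such as `contoso.com.evil.net` through unwrapped, which defeats the whole interstitial.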

What’s the purpose behind this phishing attempt?

Like probably all of you, I got an email that was intended as a phishing attack.

The HTML version of the email was pretending to be a Facebook email of a security warning.

[image: the phishing e-mail]

The links do lead to Facebook, for an account-switching crafted URL. I get that one.

However, the text version of the email has something like this:

mailto:xxx@stanforduni.com;xxx@massachusettsins.co.uk;xxx@e-irosky.me;xxx@harvarduni.org;xxx@univofcambridge.eu;xxx@univofoxford.com;xxx@yandex.ru;xxx@yandex.ua;xxx@yandex.kz;xxx@yandex.by;xxx@yandex.com;xxx@mail.ru;xxx@yahoo.com;xxx@aol.com;xxx@gmail.com 

(I redacted out usernames from those addresses.)

Some of those names seem to be related (maybe the same person across multiple domains?). Some others seem generic but in a similar vein (mostly universities).

My question is: what’s the purpose of this "attack"? Clicking on those would trigger my email client to prepare an email for all those addresses. What does an attacker gain out of this?

Phishing Email Timing

Sometimes I realize that I receive phishing emails just after doing some operations on the web. For instance, I was trying to pay taxes from my bank account (the website was trusted 100%, I checked the signature), and just a few minutes later I received a phishing email from the bank with a fake email address.

The timing was very close to this operation I had performed. I had the same feeling in the past with other phishing emails, but I always thought it was just chance. I wonder if there is some way / chance that this is not just a coincidence.

Setoolkit phishing website attack vector problems [closed]

I tried to use phishing methods in setoolkit and everything was fine when apache2 started and I was given an IP address to send.

The victim was out of the city and they were not able to open that link and when they clicked it, it started loading but they got "Page not found".

  1. Does phishing only work with the same wifi device connected because only I was able to open that link?

  2. How can I do phishing and send that IP address link to anyone and trap them?

Have I really been hacked or am I falling for a phishing scam

I received an email on the 14th saying that a hacker has access to my PC. It says that at the time of hacking, my account (myemail@gmail.com) had this password (it was a version of my password but not one that I’ve ever used for my Gmail), and it claimed to have been watching me for months, that it had infected my PC through an adult website, and that it had video of me when I was on the site doing you know what and that it would send it to my contacts and correspondence. But I don’t have any contacts on my PC, and I also use a different user and email when I do that; also, why didn’t it send it to that email and not any of the other emails I have saved on my PC? Am I falling for a bullshit email or do I have something to worry about? Also, it said I have 48 hours to pay them in bitcoins and that it would track when I opened it and start the countdown, and I just opened it last night.

Phishing attempt?? – EML attachment from a “trusted source” might be urgent and important, or malware / phishing

I don’t usually feel competent enough to ask decent questions, let alone answer one here. But, this is rather urgent, so please be patient with me:

I CANNOT tell if the “secure encrypted message” I got in an email from a “state agency” was genuine or malware! I was somewhat (reluctantly) expecting an email from that department and their email signature appeared genuine. Unfortunately, they may or may not have attached that file, which purportedly contained the message body as an *.EML “secure attachment message”.

I couldn’t open the secure message attachment, which was the first clue of something amiss. (I also do NOT want to call them, and then have them read me the message, which would trigger a conversation I’m not prepared for, without first knowing what the message was about.)

I started working hard to open the attachment. As I failed and researched more, my findings appeared more and more ominous. I will keep this question UPDATED with any missing details.

SUMMARY:

  • Received seemingly valid email from a known state agency, known person, known division I do business with.
  • Plain text message body:
    “Please find the attached.” [?? Odd wording –> “‘FIND‘ the attached” ??]
  • The [real] message was attached, encrypted, and only viewable by the email recipient that it was addressed to. The attachment then had to be opened by the email client, (Gmail-web). I’ve done this before once or twice, so it is a pain, but not unheard of.
  • Email ATTACHMENT was then “viewed in a NEW WINDOW” in Chrome and Vivaldi with similar if not the same results: https://mail.google.com/mail/u/0/?????????????..[etc.]/: WHICH SAID:

[ERROR MESSAGE FROM GOOGLE MAIL:]
“You are viewing an attached message. COMPANY Mail can’t verify the authenticity of attached messages. Your document has been completed”

“VIEW COMPLETED DOCUMENTS:”
[LINK GOES TO: https://www.notion.so/(KNOWN_AGENCY_-_GUID)/]

“Ms. [known person]”
“[Known State Agency]”

  • After clicking on the link from the popup shown above, it opened a new TAB in my email browser’s page at this URI: https://www.notion.so/(KNOWN_AGENCY_-_GUID)/ which said the following:

“[KNOWN STATE AGENCY]”
“This PDF is password protected ,”   “[KNOWN PERSON] sent you an important vital file to review.”

“REVIEW FILE HERE:”
[LINK GOES TO: https://fafanfan.tk/000/nsw/data/UntitledNotebook1.html ] 

“Please take a look and let me know if these are ready to print.”
[ HUH?? Why let you know?? And, why print, instead of view?? ] 
“Kindly open with your professional email.”
[ HUH?? “Kindly”, “Professional email”?? Who talks like this?? ]
“Login with your email and password to view file.”

  • So, then I clicked on the email link and TRIED to log into my company GMAIL account.
  • It appeared to log into my account successfully, but then said I had to verify my account and to provide [either the] recovery phone or recovery email address
  • I provided a valid phone #, which failed with an error.
  • Then I tried my valid recovery email address, which also failed with an error.
  • I tried both Vivaldi and Chrome, and all failed each time. (I assumed that it opened a window without cookies, so the login to Google was from a new, unknown page.)

At this point, I started Googling the URI’s and other things —

  • Hmmm strange domains [TLD].TK ?? Searched the URI = NO hits.
  • Searched [TLD].TK — not good — It said 95% of the .TK traffic is malware / spam.
  • Searched the other URI shown above = NO hits. NOT cool.
  • I changed all my email PW’s. I checked for odd logins, but saw nothing odd. (If I provided my credentials to the bad guys, they are a bit slow today. So maybe I dodged a bullet.)
  • I Checked/scanned the downloaded file with Windows Defender — no detection
  • I submitted the file to Virus Total — no detection by anyone.
  • I also submitted the two URI’s shown above, and came up with only one hit from an unknown security company, who likely flagged the *.TK as possibly a “bad URI”.

At this point, I’m not at all sure what to do… I do NOT want to call them and start a conversation that might later deny “plausible deniability that I received this notice”. OTOH, I can’t ignore it too long, either.

RANT: I hate all these “protections” that invite malware to be easily inserted. Then you are relying on ordinary users to figure out if the attachments are safe?? Few users are smart enough, and I know that I’m not. (Although I’m not a total security idiot, as I’m more cautious and knowledgeable than most anyone I know.)
If Adobe wants to provide tools like this, fine. Then please make it much easier and obviously safe for both senders and [very novice] readers. For instance, use Adobe.com URIs and never TLDs that are also used for malware. If providing security tools, please don’t rely on these agencies’ IT staff to try to train and equip their users to properly use these tools with the public, most of whom have never opened a “secure attachment”, let alone know how to open them (OR NOT) safely.

Instagram Phishing: “Look – I Made This Just For You – Click Here”

I manage a somewhat popular Instagram page with ~5000 followers.

Recently I’ve been getting a ton of the exact same direct message from various followers:

Look

I Made This Just For You – Click Here

This took me about 2 hours to make. They came out really nice. I hope you love them.

I just made this for you, I hope u like it.

[image: the Instagram phishing message]

They’re all people who have legitimately messaged us in the past. In some cases the usernames have been recently changed and/or the account’s pictures have been deleted.

The link contained in the message is:

https://instagram.com-accounts-authentication-secure-id-46884434223.me/?look=ACCOUNT_NAME_HERE

The URL also has a &ure= parameter that maps to an instagram.ftpe7-3.fna.fbcdn.net resource. This seems to be how they bring up the account’s profile page on the fake login screen.

How are these Instagram accounts being hacked?

What is the goal in sending our account these direct messages? What happens if you are unfortunate enough to click the link?

We’re being careful with DM links and two-factor authentication is enabled for this account.

How can we prevent these spam messages?

Is there anything we can do to safeguard or report our hacked followers?
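As an added triage example (not part of the question above), the following Python shows why the link in these messages is not an Instagram link even though it starts with `instagram.com`: the browser only cares about the registrable domain, which here is the `...46884434223.me` part. The list of legitimate domains is constructed for the example and not exhaustive, and the registrable-domain helper uses the last two host labels as a stand-in for a real public-suffix lookup, which is an assumption that does not hold for multi-label suffixes such as `.co.uk`.

```python
from urllib.parse import urlparse, parse_qs

# Constructed, non-exhaustive list of domains the real service uses (assumption).
LEGIT_DOMAINS = {"instagram.com", "facebook.com", "fbcdn.net"}
# Brand names whose presence anywhere in a foreign hostname is suspicious.
BRANDS = ("instagram", "facebook")

def hostname(url: str) -> str:
    """Lower-cased hostname as the browser would resolve it."""
    return (urlparse(url).hostname or "").lower()

def registrable_domain(host: str) -> str:
    """Last two labels of the host. A stand-in for a public-suffix-list lookup
    (assumption); good enough for single-label TLDs such as .com or .me."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def classify(url: str) -> str:
    """'legitimate' if the registrable domain belongs to the service,
    'lookalike' if a brand name is embedded in some other domain, else 'unknown'."""
    host = hostname(url)
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legitimate"
    if any(brand in host for brand in BRANDS):
        return "lookalike"
    return "unknown"

def lure_target(url: str) -> str:
    """The account name the lure was personalised for (the 'look' parameter),
    which is the value to include in a report to the platform."""
    return parse_qs(urlparse(url).query).get("look", [""])[0]

if __name__ == "__main__":
    # Link quoted in the question, with the placeholder account name kept.
    link = ("https://instagram.com-accounts-authentication-secure-id-46884434223.me/"
            "?look=ACCOUNT_NAME_HERE")
    print(hostname(link))
    print(registrable_domain(hostname(link)))   # the part that actually matters
    print(classify(link), lure_target(link))
```

The `&ure=` parameter pointing at an `fbcdn.net` resource is consistent with this: the fake page embeds a genuine profile picture from the real CDN, so checking a single embedded asset says nothing about the page that loads it; only the registrable domain of the page itself does.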