Hackers can bypass two-factor authentication with new scam

Two-factor authentication, the added security step that requires people enter a code sent to their phone or email, has traditionally worked to keep usernames and passwords safe from phishing attacks.

However, security experts have demonstrated an automated phishing attack that can cut through that added layer of security—also called 2FA—potentially tricking unsuspecting users into sharing their private credentials.

The attack was first demonstrated at the Hack in the Box Security Conference in Amsterdam last month. A video of the presentation was posted on YouTubeon June 2, bringing renewed attention to how hackers are getting better at penetrating extra layers of security, despite people using stronger tools, like 2FA.

The hack employs two tools, called Muraena and NecroBrowser, which work in tandem to automate the attacks. The two tools work together like the perfect crime duo. Think of Muraena as the clever bank robber, and NecroBrowser as the getaway driver.

Muraena intercepts traffic between the user and the target website, acting as a proxy between the victim and a legitimate website. Once Muraena has the victim on a phony site that looks like a real login page, users will be asked to enter their login credentials, and 2FA code, as usual. Once the Muraena authenticates the session’s cookie, it is then passed along to NecroBrowser, which can create windows to keep track of the private accounts of tens of thousands of victims.

A demonstration of the attack was also released on GitHub, an open source coding site, to provide developers an opportunity to see how it works.

Amit Sethi, senior principal consultant at Synopsys, who was not affiliated with the presentation, says that while attacks against 2FA have been demonstrated in the past, these tools “make one of these attacks easier to execute for lower-skilled attackers.”

Despite this hack, 2FA is still considered a best security practice—far better than the alternative of simply relying on a username and strong password, according to security experts.

“Of course this does not mean that people should not worry,” says Sethi. “We now need to be even more diligent about detecting phishing attempts.”

The researchers, and Sethi, both say that universal second factor is a strong solution, when available. A U2F key is a secondary, physical device that can be plugged into a computer port as an additional way of verifying a person’s identity after they enter their username or password.

If that’s not an option, Sethi also says being vigilant can help thwart potential 2FA phishing attacks. That includes not clicking on links in suspicious emails, checking the a web address in the browser before entering credentials, and avoiding entering sensitive information when using public Wi-Fi.

“If you suspect that your credentials for a website have been compromised, act quickly to change your password, and report the event to the website,” says Sethi.

This article was written by Alyssa Newcomb and originally appeared in Fortune.