Phishing U2F-Protected Accounts
Nikita Mazurov and Kenny Brown
BSides Tampa 2019 (Hacking Illustrated Series InfoSec Tutorial Videos)

Abstract: We present a novel approach for compromising U2F-protected accounts via targeted spearphishing attacks. Neither existing phishing simulation toolkits nor phishing awareness training modules cover the particular attack vector discussed in this presentation, leaving users unprepared to face this kind of phishing attack. The standard thinking is that U2F accounts, since they require hardware-based authentication, are 'phish proof', a dangerous assumption that can cause users to lower their guard against phishing attacks. Following a general exposition of current 2FA measures, we describe a detailed attack workflow in which a hypothetical high-value, security-conscious target who has not just 2FA but U2F enabled on their account is the victim of account-compromising spearphishing using our novel attack methodology. Aside from the novel target exploitation mechanism used to bypass U2F authentication requirements, the attack vector also leverages new top-level domain names, HTTPS, and a back-end server hosted as a Tor hidden service that is then broadcast over the clearweb, alongside a final decoy payload, with the final outcome being that the phishing page is both convincing and not readily traceable.

Bio: Nikita Mazurov, PhD, is a researcher focusing on privacy issues revolving around data archival. Kenneth Brown (CISSP, PMP) is a Federal Program Manager at VMware, USA. Having transitioned from a Senior Consultant Role working with DoD customers, Kenny is currently managing a large federal healthcare program.


Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast