雙重驗證是一種要求用戶輸入發(fā)送到他們手機或郵件中的驗證碼的額外安全防護步驟，歷來被用于防止釣魚攻擊獲取用戶名和密碼。

然而，安全專家已經(jīng)證實，某種自動化的釣魚攻擊可以穿透這層被稱作2FA的額外防護，它可能會欺騙沒有疑心的用戶，讓他們共享自己的私有憑據(jù)。

這種攻擊最早在上個月阿姆斯特丹舉辦的Hack in the Box安全大會上得到了證實。6月2日，一段演示的視頻發(fā)布在YouTube上，再次引起了人們的關(guān)注：盡管有了2FA等更加強大的安全工具，但黑客在突破額外安全防護屏障上也變得更加嫻熟。

黑客會協(xié)同使用Muraena和NecroBrowser，實現(xiàn)攻擊的自動化。這兩項工具就像完美的犯罪二人組。你可以把Muraena看作是聰明的銀行搶劫者，而NecroBrowser則是負(fù)責(zé)犯罪后逃跑的司機。

Muraena會截獲用戶和目標(biāo)網(wǎng)站之間的流量，充當(dāng)受害者與合法網(wǎng)站之間的代理。一旦Muraena讓受害人訪問形似真正登錄頁面的假冒網(wǎng)站，就會讓他們和往常一樣輸入登錄憑證和2FA驗證碼。確認(rèn)了會話cookie的真實性后，它就會將數(shù)據(jù)傳輸給NecroBrowser，后者可以建立窗口，追蹤數(shù)萬個受害者的私人賬戶。

開源編碼網(wǎng)站GitHub上也發(fā)布了攻擊演示，讓開發(fā)者看看攻擊的作用機制。

與會上展示無關(guān)的Synopsys的高級首席顧問阿米特·塞提表示，盡管針對2FA的攻擊在過去就已經(jīng)得到證實，但這些工具“可以讓水平較低的攻擊者更輕易地發(fā)動攻擊”。

安全專家表示，盡管可以被黑客攻破，但2FA仍然被視為最好的安全措施，比單純依靠用戶名和強密碼要好得多。

塞提表示：“當(dāng)然，這并不意味著人們就不用擔(dān)心了。我們現(xiàn)在需要更加努力地檢測網(wǎng)絡(luò)釣魚行為。”

研究人員和塞提都表示，如果可用，通用第二因素（U2F）是一種強大的方案。U2F密鑰是一種輔助性物理設(shè)備，可以插入電腦的USB接口，作為用戶在輸入用戶名或密碼后確認(rèn)其身份的額外手段。

塞提還指出，如果無法采用這種方案，保持警惕有助于避免潛在的2FA釣魚攻擊，例如不要點擊可疑郵件中的連接，輸入憑證前檢查瀏覽器中的網(wǎng)址，避免在接入公共Wi-Fi時輸入敏感信息。

塞提說：“如果懷疑自己登錄某網(wǎng)站的憑證已經(jīng)被盜，請迅速修改密碼，并把情況報告給該網(wǎng)站。（財富中文網(wǎng)）

譯者：嚴(yán)匡正

Two-factor authentication, the added security step that requires people enter a code sent to their phone or email, has traditionally worked to keep usernames and passwords safe from phishing attacks.

However, security experts have demonstrated an automated phishing attack that can cut through that added layer of security—also called 2FA—potentially tricking unsuspecting users into sharing their private credentials.

The attack was first demonstrated at the Hack in the Box Security Conference in Amsterdam last month. A video of the presentation was posted on YouTube on June 2, bringing renewed attention to how hackers are getting better at penetrating extra layers of security, despite people using stronger tools, like 2FA.

The hack employs two tools, called Muraena and NecroBrowser, which work in tandem to automate the attacks. The two tools work together like the perfect crime duo. Think of Muraena as the clever bank robber, and NecroBrowser as the getaway driver.

Muraena intercepts traffic between the user and the target website, acting as a proxy between the victim and a legitimate website. Once Muraena has the victim on a phony site that looks like a real login page, users will be asked to enter their login credentials, and 2FA code, as usual. Once the Muraena authenticates the session’s cookie, it is then passed along to NecroBrowser, which can create windows to keep track of the private accounts of tens of thousands of victims.

A demonstration of the attack was also released on GitHub, an open source coding site, to provide developers an opportunity to see how it works.

Amit Sethi, senior principal consultant at Synopsys, who was not affiliated with the presentation, says that while attacks against 2FA have been demonstrated in the past, these tools “make one of these attacks easier to execute for lower-skilled attackers.”

Despite this hack, 2FA is still considered a best security practice—far better than the alternative of simply relying on a username and strong password, according to security experts.

“Of course this does not mean that people should not worry,” says Sethi. “We now need to be even more diligent about detecting phishing attempts.”

The researchers, and Sethi, both say that universal second factor is a strong solution, when available. A U2F key is a secondary, physical device that can be plugged into a computer port as an additional way of verifying a person’s identity after they enter their username or password.

If that’s not an option, Sethi also says being vigilant can help thwart potential 2FA phishing attacks. That includes not clicking on links in suspicious emails, checking the a web address in the browser before entering credentials, and avoiding entering sensitive information when using public Wi-Fi.

“If you suspect that your credentials for a website have been compromised, act quickly to change your password, and report the event to the website,” says Sethi.