Bitcoin Forum
Author Topic: A new malware designed to beat 2-fa authentication  (Read 352 times)
kucritt
February 02, 2019, 01:37:28 PM
 #21

Is it true? I think 2FA authentication is made so that people who want to hack the account can't hack it, because it uses another application or another platform to verify the owner of that wallet or account. So if this is real, I think we should make another way to verify the owner.

JRoa
February 02, 2019, 01:44:54 PM
 #22

> This is so unfortunate that the bad apples are working so hard to undermine mass adoption and make it very difficult for the average Joe Bloggs to enter crypto. Instead of being useful and becoming advocates for change and helping people join this big technical revolution, they prefer to work hard just for quick gain and out of malice to make sure less and less people want to join this niche market. Many newbies are frightened off because of this attitude from rogue entities and it scares them entering this space. I do hope that cyber police become more and more vigilant in catching these nasty people who are trying to undermine crypto and the blockchain for normal users and investors.

It is one of the factors why there are people who are afraid to enter the market. They are afraid to lose their money due to the hackers that are so skillful. Hackers are always finding a way to hack cryptocurrencies all over the market. If we can only stop them, mass adoption will happen.

sehoon
February 02, 2019, 02:36:12 PM
 #23

I think they should do something about how to prevent the malware from getting into our funds. And do a free service that will make us secure, and our funds secure where we don't have to purchase a hardware wallet because not everyone can afford that yet. I hope they do something about this right away.

seoincorporation
February 02, 2019, 02:43:15 PM
 #24

> ...
>
> It is very alarming news for the general people who use the Internet from a PC or Android. If Google Chrome isn't able to protect against such malware, it is shocking. I think Google Chrome will detect this malware soon.

It's the hacking race: hackers will always develop new tools and they will work until someone develops a patch; that's how this world works. The crazy fact is the attack vector, 2FA and macOS. That's what has me amazed, because those were two important security factors, and it's fun to see how they are the vuln.

Reid
February 02, 2019, 03:02:13 PM
 #25

Thank you kenzawak for opening this kind of discussion. It is eye-opening.

pooya87 and aoluain, thank you also for answering about web browser hacking and what should be used for security; you both have the same answer as to what is most advised as a great browser.

Now, I am uninstalling my Chrome. I am not really into digging into browsers, but this is an eye-opener although it ain't the target of the thread.
I believe 2FA ain't that easy to hack. Just changing a smartphone and also reporting the change will give you a hard time, what more hacking it.
I passed all my documents just so I could get it back and it took 2 days for me to recover it all. I believe that is how secure it is.
Patatas
February 02, 2019, 03:29:41 PM
 #26

How can it beat the 2FA if your primary source of the Authenticator is the application downloaded in your phone? The cookies and stuff aren’t applicable here. I don’t understand why would one use browser again to store anything related to 2FA.
xWolfx
February 02, 2019, 03:35:44 PM
 #27

> Thank you for the warning. It is a strong battle between the hackers and users like us. Please stay safe everybody and be careful when clicking on hyperlinks and downloading stuff. Stay safe and let’s win the battle against the hackers and scammers.

To be honest, between hackers and regular users that is not even a battle. Hackers win easily.

This malware affects Mac users, but don't think that because you're not using a Mac you're safe from a 2-factor authentication bypass. Using phishing links, an attacker can also bypass the authentication by using the real website but acting as some kind of intermediary between you and the website, so you are getting the real code and submitting it for the hacker to have access.

A really good attacker wanting you to click a link will most likely make you click a link. The rate of people who fall for that simple attack vector is incredibly huge.
Indamuck
February 02, 2019, 03:37:49 PM
 #28

Malware and security will always be at an arms race to defeat each other.  No matter how secure we think we are all it takes is one genius to crack the puzzle and we are screwed.  Also no matter how good your digital security is you are still prone to a physical wrench attack.
Fredomago
February 02, 2019, 03:47:31 PM
 #29

> Malware and security will always be at an arms race to defeat each other.  No matter how secure we think we are all it takes is one genius to crack the puzzle and we are screwed.  Also no matter how good your digital security is you are still prone to a physical wrench attack.

It will be a continuous battle between them. This news is really alarming and needs to be well understood. Hackers are always finding ways to penetrate, and if we give them a little chance they will attack quicker than we think, even when we believe we are well protected. It's best to always be updated and take things seriously to learn more about prevention regarding this concern.

BrewMaster
February 02, 2019, 04:02:45 PM
 #30

> To be honest, between hackers and regular users that is not even a battle. Hackers win easily.

you don't really need to be an expert to be pretty safe. of course 100% safety is impossible no matter what you do and how "expert" you are but even a "regular user" with basic understanding of computers can be so safe that he/she never loses anything ever in his entire life. there are just certain precautions that you have to always take like not downloading or even visiting sites with anything fishy in them. keeping your secrets password protected,...

khufuking
February 02, 2019, 04:19:30 PM
 #31

> I found another article, and it says that stolen cookies can be used to fake the identity of victim's machine, and thus login without a 2FA check on some sites. However, there are still a lot of unexplained details, like how they avoid 2FA checks on withdrawals, how do they spoof IP address and so on.

Faking the identity of the victim's machine will not make you bypass 2FA. I have 2FA set up on all my exchanges and I am always asked to enter my 2FA, and I never changed the computer I am using with my exchanges. Also, in some exchanges like Bittrex I always have to confirm by email+2FA if my IP changed. I don't see in the article any mention of the way the attackers bypass 2FA, and if they are talking about the old one-time text message it still can't be done, because it is only valid for a one-time login and for a limited time.
Oceat
February 02, 2019, 04:19:41 PM
 #32

> ~snip~
> I have always used Firefox in private mode, I don't allow Firefox to store my browsing history. This is something the Mozilla foundation have always based the operations on.
> ...

I think this is just the same with Google Chrome; they do have incognito mode, which is basically similar to what you have said. Incognito never stores your passwords, cookies, and history of your browser. And I think personally the biggest difference between these two is just how the processing of these two is much more different. Chrome is way faster than Firefox in terms of quick response, IMO.

vit05
February 02, 2019, 04:51:01 PM
Last edit: February 02, 2019, 06:33:58 PM by vit05
Merited by kenzawak (1)
 #33

> How can it beat the 2FA if your primary source of the Authenticator is the application downloaded in your phone? The cookies and stuff aren’t applicable here. I don’t understand why would one use browser again to store anything related to 2FA.

It doesn't. What this malware does is try to take advantage of the session that is already open. He tries to fool the website by saying it's just a continuation of the last login.

Hacker could not type 2fa again. Since the combination expires fast. It would take advantage of the last numbers entered or the open session.

But most serious sites ask for 2fa again depending on the ip used.
fumblingperch
February 02, 2019, 10:33:33 PM
 #34

This is terrible. No matter how we try to protect your funds, there are still new ways to hack your wallets and accounts. Now I'm even more worried about my money.

figmentofmyass
February 02, 2019, 10:41:18 PM
 #35

> sorry if this is a dumb question, but how exactly does this compromise 2FA?
>
> all of the compromised data is browser-based (something you know, not something you have), with the exception of "stolen text messages". but old text messages shouldn't overcome SMS 2-factor authentication because those one-time codes are only good for a very limited time. and if you use TOTP-based 2FA, you should be completely safe.
>
> can somebody walk me through this?

> I found another article, and it says that stolen cookies can be used to fake the identity of victim's machine, and thus login without a 2FA check on some sites. However, there are still a lot of unexplained details, like how they avoid 2FA checks on withdrawals, how do they spoof IP address and so on.
>
> It's an interesting topic and people who have very important online accounts, like traders, should definitely check it, so here's some links:
>
> https://security.stackexchange.com/questions/178663/why-isnt-stealing-cookies-enough-to-authenticate
>
> https://stackoverflow.com/questions/2498599/can-some-hacker-steal-the-cookie-from-a-user-and-login-with-that-name-on-a-web-s

thanks for the explanation. i think i get it now. it didn't occur to me that hackers were duplicating an existing session using the stolen cookies. it's still not an easy attack to pull off since the attacker needs to spoof the IP address (and other parameters) from the original session, but it's good to be aware that this can happen. it definitely makes a strong case for requiring 2FA on withdrawals (email confirmation and TOTP) in case your session gets hijacked like this.
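
An added example, not part of any post in this thread and not any exchange's actual code, of the server-side defence the posts above describe: a session cookie alone never authorizes a withdrawal, and a cookie presented from a different IP or browser forces a fresh TOTP code that cannot be replayed. The `Session` class, the action names and the `authorize` function are hypothetical.

```python
import hashlib, hmac, struct

SENSITIVE = {"withdraw", "change_email", "disable_2fa"}  # assumed action names

def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226/6238 one-time code for a given 30-second time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

class Session:
    """Server-side record behind a session cookie (hypothetical structure)."""
    def __init__(self, user: str, ip: str, user_agent: str):
        self.user, self.ip, self.user_agent = user, ip, user_agent
        self.last_counter = -1  # highest TOTP time step already accepted

def check_code(session: Session, secret: bytes, code: str, now: int) -> bool:
    """Accept a code for the current or previous time step, never twice."""
    current = now // 30
    for counter in (current, current - 1):
        if counter <= session.last_counter:
            continue  # this time step was already used: replay
        if hmac.compare_digest(totp(secret, counter), code):
            session.last_counter = counter
            return True
    return False

def authorize(session, action, ip, user_agent, secret, now, code=None) -> str:
    """Decide what a request carrying a valid session cookie may do."""
    moved = (ip, user_agent) != (session.ip, session.user_agent)
    if not moved and action not in SENSITIVE:
        return "allow"       # ordinary request from the original context
    if code is None:
        return "need_2fa"    # the cookie alone is not enough here
    if not check_code(session, secret, code, now):
        return "deny"
    session.ip, session.user_agent = ip, user_agent  # re-bind after step-up
    return "allow"
```

Because sensitive actions require a code even when the IP and user agent match, an attacker who manages to imitate the original session's parameters still cannot withdraw with the stolen cookie.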
