All you need is a user who does not check domain names carefully before clicking.
Passwords remain a security feature we all have to deal with. Password managers help with managing them, but they are not perfect. Two-factor authentication (2FA) is seen as a way of greatly improving security, but it turns out that bypassing it is pretty simple.
As TechCrunch reports, Kevin Mitnick is Chief Hacking Officer at security awareness training company KnowBe4. In the video below, he demonstrates how easy it is to grab a LinkedIn user's details just by redirecting them to a website that looks like LinkedIn and using 2FA against them to steal their login credentials and site access.
The attack is simple. It requires an email that looks “right” for the website being targeted, so that the recipient does not take the time to check it. In the example, the email actually comes from llnked.com rather than the legitimate linkedin.com.
Clicking the “Interested” button in the email takes the user to a website that looks like the LinkedIn login page but is on the llnked.com domain. This is another point at which a suspicious user would stop, but most are simply eager to get onto the site, so they fill in their details and click Sign in. That triggers the 2FA check, which, once the correct code is entered, creates a session cookie that grants access to the site.
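A defender-side check for the look-alike domain pattern described here (llnked.com standing in for linkedin.com), added as an example that is not part of the original report or of KnowBe4's material: it folds visually confusable characters and flags sender domains or link hosts that are within a small edit distance of a protected brand, or that embed the brand in a label. The brand list, the folding table and the simplified "last two labels" registrable-domain rule are assumptions.

```python
"""Flag look-alike sender domains and link hosts before a user has to notice them."""
from urllib.parse import urlparse

# Protected brands and their legitimate registrable domains (constructed list).
PROTECTED = {"linkedin": "linkedin.com"}

# Visually confusable single characters folded to one canonical form; hyphens dropped.
FOLD = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o", "5": "s", "3": "e", "-": ""})


def skeleton(label: str) -> str:
    """Fold multi-character (rn->m, vv->w) and single-character confusables."""
    return label.lower().replace("rn", "m").replace("vv", "w").translate(FOLD)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels; assumption: no multi-part public suffixes such as co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_host(host: str):
    """Return ("legit" | "lookalike" | "unrelated", matched brand or None)."""
    host = host.lower().rstrip(".")
    dom = registrable(host)
    labels = host.split(".")[:-1]  # every label except the TLD, so brand-in-subdomain is caught
    for brand, legit in PROTECTED.items():
        if dom == legit:
            return "legit", brand
        s_brand = skeleton(brand)
        for label in labels:
            s = skeleton(label)
            if s_brand in s or levenshtein(s, s_brand) <= max(1, len(brand) // 3):
                return "lookalike", brand
    return "unrelated", None


def classify_url(url: str):
    return classify_host(urlparse(url).hostname or "")


def classify_email(addr: str):
    return classify_host(addr.rsplit("@", 1)[-1])
```

Run against the From: domain of inbound mail and the hosts of every link in its body, a "lookalike" verdict is a reason to quarantine or tag the message, not to rely on the recipient reading llnked carefully.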
That is how the username, password, and session cookie for the LinkedIn account are stolen. At this point the username and password are not even necessary: Mitnick simply opens the Chrome browser, visits LinkedIn, opens the browser developer tools, pastes the stolen session cookie into the console, and refreshes the page. Access is granted.
What Mitnick is trying to show is that, even with 2FA, the user is the weak link. If they do not take the time to check where they are entering their confidential information, no user-dependent security, however strong, is going to work.