Phishing Hackers Defeat 2FA via Man-in-the-Middle Attacks
Posted on March 16th, 2023 by Kirk McElhearn
Apple has finally stopped selling the Apple Watch Series 3, which can no longer get security updates. The FBI shuts down 11-year-old malware. And a $300 hacking tool enables phishers to defeat two-factor authentication using automated man-in-the-middle attacks.
- Apple stops selling Watch Series 3 — eight months after its last security update
- GarageBand Security Update Details Finally Released
- Microsoft Announces Outlook for Mac is Now Free to Use
- FBI shuts down 11-year-old NetWire RAT malware
- An Analysis of the Cross-Platform Backdoor OSX/NetWeirdRC
- Mac malware on the rise again; several new threats found: Netwire, Mokes, LoudMiner, NewTab
- Ransomware Group Claims Hack of Amazon’s Ring
- Using authenticator apps for MFA? Software for sale can hack you anyway
- Josh’s 2010–2011 blog posts mentioning Firesheep
- Firesheep (Wikipedia)
Transcript of Intego Mac Podcast episode 283
Voice Over 0:00
This is the Intego Mac Podcast—the voice of Mac security—for Thursday, March 16 2023.
This week’s Intego Mac Podcast security headlines include: the Apple Watch lineup was recently pared down, and it’s a good thing; we found out about the security fixes in Apple’s recent GarageBand update; Microsoft has announced that Outlook for Mac is now free to use. What’s up with that? And we have a discussion about authenticator apps, and how hackers can work around the security they’re supposed to provide. Now, here are the hosts of the Intego Mac Podcast, veteran Mac journalist Kirk McElhearn, and Intego’s Chief Security Analyst, Josh Long.
Kirk McElhearn 0:47
Good morning, Josh, how are you today?
Josh Long 0:49
I’m doing well. How are you, Kirk?
The Apple Watch Series 3 is no longer available in the US store.
Kirk McElhearn 0:50
I’m doing just fine. We have a little story to report that Josh is really happy about, and you’ve been ranting about the fact that Apple has been selling the Apple Watch Series 3 refurbished, and they still sold it after it was discontinued, and after Apple no longer was providing security updates. So it’s about six months that they sold it; they discontinued it in September, and we’re in March. Well, finally, they’ve stopped selling it.
Josh Long 1:16
Yes, finally. So I’ve been tracking this. I’ve been watching, you know, the sites where Apple has been selling; they have different country versions of the Apple online store. And as of a few weeks ago, the Apple Watch Series 3 was no longer available in the US store. But I noticed that they were still selling it in the UK. And finally, around this weekend, they seem to have discontinued selling the Apple Watch Series 3. There’s still a slot for it on the US store, but it’s been several weeks now. And in fact, Apple is not currently selling any refurbished Apple Watches, which is kind of interesting. If you go to that page, it says the product you’re looking for is currently unavailable, please try again later. So there are just no watches available on the US store currently. The UK store, which had still been selling the Apple Watch Series 3, has finally stopped selling it. So it only took six months after they stopped releasing security updates for the Series 3. Like, what the heck, Apple? It’s really…to me it’s unconscionable that Apple would continue selling a product, even if it’s refurbished, that is no longer getting security updates. And I’ve reached out to Apple many, many times for comment about this, and I’ve always been ignored. So I’m glad that they seem to have finally sold out of their stock. And I am kind of shocked that there hasn’t been a lawsuit or something against Apple for this kind of behavior. Maybe it just hasn’t come onto high-profile enough people’s radar.
Kirk McElhearn 2:52
What’s interesting is that they have no refurbished Apple Watches in the US, but they’re selling refurbished Apple Watch SE and Series 7 models in the UK. I just checked on Apple France; they don’t have any Apple Watches at all. So refurbished watches are really country specific, much more than new products. They only have Macs, Apple TVs and accessories in France. But in the UK, they have Macs, iPads, iPhones, Watches, Apple TVs and accessories. So it’s really a country-specific thing. And from what we were looking at, the UK was the last one to have the Series 3. But you’re happy.
Some more Apple news. Last week we talked about a security update for GarageBand, Apple’s music creation app, and we didn’t understand why they said it was a security update with no information about what was fixed. They have now given us information about the two vulnerabilities that were fixed.
Josh Long 3:44
Well, I don’t think we need to get into too much of the details on this. But if you do have GarageBand, if you do use it, there is an update available. If you haven’t installed it yet, go ahead and install that.
Microsoft announces that Outlook for Mac is now free to use.
Kirk McElhearn 3:54
Okay, Microsoft announced that Outlook for Mac is now free to use. This was last week; we didn’t talk about it on the show last week. And I was trying to figure out why they would do this. Why would they give you Outlook for free? Are they scanning people’s messages to get data from them? Because, I mean, it’s part of Microsoft 365. And if you’ve had a Microsoft Office 365 subscription, you’ve always been able to use it, yet now they’re giving it away. And it doesn’t make sense to me.
Josh Long 4:22
I’m kind of curious about this too. I don’t know if the idea is to sort of get people more in the Microsoft ecosystem using their software. Maybe they’re planning to add their own version of ChatGPT to Outlook, that could be something that maybe they’re planning on doing in the near future. We know that Microsoft has some big events coming up, where they’re going to be talking about all the AI things that they’re implementing across their entire product line.
Kirk McElhearn 4:49
It’s interesting to point out that Microsoft says that Bing has now crossed 100 million daily active users, and this has been since they released the ChatGPT feature that you can only use in Microsoft Edge or in the Bing app on mobile. And, well, this could be related to the fact that they’re giving away Outlook for free. They just want to get more people using Microsoft software, and they’re giving them opportunities to do this.
NetWire RAT malware website seized by FBI, developer arrested
Kirk McElhearn 5:15
Okay, this week we have an FBI story: the FBI shuts down 11-year-old NetWire RAT malware, and this is great. We’ve got a screenshot. This website has been seized. And it was a joint effort from the United States Attorney’s Office for the Central District of California, the Federal Bureau of Investigation, the Croatian Ministry of the Interior Criminal Police Directorate, the Zurich Cantonal Police, Europol’s European Cybercrime Centre and the Australian Federal Police. And this NetWire RAT malware, RAT is “remote access Trojan”, has been around for 11 years. And all these enforcement organizations got together to arrest people and shut this down. Why is this so important?
Josh Long 5:57
Okay, well, I thought this was really important because this has been malware that’s existed on the Mac for 11 years; they’ve had various iterations of it over time. We first wrote about it on the Intego blog back in 2012. The site went live in kind of early to mid 2012. And then around August, they had a Mac version that we wrote up some details about on the Mac Security blog. Ever since then, this has kind of been in and out of the news. Like every few years, this same RAT, the same remote access Trojan, has continued to come up in the news. It came up in 2016, because Apple at that time finally added detection for one particular NetWire variant to its XProtect definitions. XProtect is this behind-the-scenes thing that’s got some very minimal malware definitions. It does not protect against the vast majority of Mac malware. I thought it was kind of interesting that they added detection for one particular variant back in 2016, which was like four years after the malware had started to become available. And then it came up again in 2019. In June 2019, bad guys leveraged a zero-day vulnerability in Firefox to actually spread NetWire malware, along with one other malware family. And so what finally happened is that, even though this guy really hadn’t done a whole lot, he didn’t have good, what we call in the industry, OpSec, operational security. He wasn’t doing a very good job of hiding his own personal information. And somehow it still took 11 years for authorities to finally arrest this guy and shut down his website. So NetWire malware may still be out there; there could be existing infections. If you do have an existing infection, then of course Intego VirusBarrier will be able to clean that up for you.
Amazon’s Ring attacked by ransomware
Kirk McElhearn 7:59
Okay, it looks like Amazon has been hacked, or at least Ring, which is owned by Amazon, the company that makes doorbells and cameras, and apparently they’ve been hit with ransomware. “There is always an option to let us leak your data,” a message posted on the ransomware group’s website reads, next to the Ring logo.
Josh Long 8:17
This is a little bit scary. Of all the things that you don’t want people to hack into, you probably don’t want hackers getting access to the security cameras, especially if you have some indoor security cameras, right? Not everybody just uses the Ring doorbell and that’s it. They have a pretty broad product line, including a lot of cameras that are obviously intended to be used and mounted indoors. So I really don’t like the idea of criminals getting into any Amazon servers, especially Ring servers.
Kirk McElhearn 8:48
Well, what surprises me is that this is something extremely sensitive. What worries me is that a company this size, with this sort of data, has vulnerabilities that have allowed this to happen. Now, we’re linking to an article on the Vice Motherboard website. And they’re talking about some incidents in 2019 when some hackers started hacking Ring cameras all over the US by reusing credentials exposed in earlier hacks, and they then terrorized their victims. They talk in the article about a hacker who broke into the camera installed in the bedroom of three young girls and spoke through the camera’s speaker to the girls and played the song “Tiptoe Through the Tulips” to the girls. That alone is a crime against humanity, playing “Tiptoe Through the Tulips”. What I don’t understand, and I see this every once in a while on social media, is people sharing footage from indoor cameras, like of people sleeping in their beds and the cats moving around. I don’t understand why people have cameras filming themselves indoors. Why would they have a camera in the bedroom with three young girls? I can understand if you’ve got a baby, using it as a baby monitor. Why do people do this?
Josh Long 9:50
That’s a great question, Kirk. I don’t know. Like you say, I’m pretty sure that the idea behind this is that they can monitor their kids and make sure they’re, you know, staying in bed at night, they’re not wandering around the house when they shouldn’t be, or whatever. But it does seem a little bit creepy. And if other people are able to access it, that’s really creepy.
Kirk McElhearn 10:14
My main use of Ring cameras is my feline surveillance system. I have a camera pointing at the cat flap outside my house; my cats jump onto a little table up to the cat flap in the window where our laundry room is. And it allows me to get alerts when the cats are there, to know if they’re coming in or going out. It allows me to look outside and see if they’re around. Because every once in a while they can’t get in the cat flap; we have these cat flaps that work with the microchips in the back of their necks, and every once in a while they get stuck. So I’ll see a cat trying to get in and not getting in. I basically set this up a couple of years ago when a bad cat got into the house because I hadn’t set the cat flaps to work with the microchips. And so this was to make sure that we are protected from bad cats.
Josh Long 10:57
Okay, all right. The Bad Cat attack.
Kirk McElhearn 11:01
Yes, the Bad Cat attack. Yes, that’s when the cat comes in and steals all the food. And then I came downstairs one night, and I heard this noise of some animal running out through the cat flap. And I realized that the cat had been coming for several days, and so we had to harden our security in our feline surveillance system. Anyway, we’re going to take a break. When we come back, we’re going to talk about an interesting phishing tool that you can buy for $300, or $1,000 for the fancy version, to automatically phish millions of people.
Voice Over 11:35
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego Mac Premium Bundle X9 includes VirusBarrier, the world’s best Mac anti-malware protection, NetBarrier, powerful inbound and outbound firewall security, Personal Backup, to keep your important files safe from ransomware, and much more to help protect, secure, and organize your Mac. Best of all, it’s compatible with macOS Ventura and the latest Apple silicon Macs. Download the free trial of Mac Premium Bundle X9 from intego.com today, when you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode show notes at podcast.intego.com. That’s podcast.intego.com, and click on this episode to find the special discount link exclusively for Intego Mac podcast listeners. Intego, world-class protection and utility software for Mac users made by the Mac security experts.
An interesting phishing tool you can buy. What’s the technology behind it?
Kirk McElhearn 12:50
We talk a lot about two-factor authentication, and the abbreviation for that is 2FA: the digit “two”, F-A. And there’s another term that’s used, which we don’t tend to use: multi-factor authentication, MFA. Probably because it’s also the same as a Master of Fine Arts, and you might think it doesn’t have anything to do with security. But we have an interesting article this week in Ars Technica: “Still using authenticators for MFA? Software for sale can hack you anyway.” Now, an authenticator app, as we’ve mentioned many times, is your password manager that generates a six-digit code, or it could be the built-in password manager in iOS and macOS, or other authenticator apps, Microsoft Authenticator, Google Authenticator. And it turns out that you can buy, and I don’t know where you buy this, you don’t go on to, you know, Google to buy this, but you can buy a tool that lets you hack people, for $300 for a standard version, $1,000 for VIP users. I want to know what they mean by VIP users there, Josh. And which has, according to Ars Technica, “a variety of advanced features for streamlining the deployment of phishing campaigns, increasing their chances of bypassing anti-phishing defenses.” Sounds like a good marketing slogan there for phishing software.
Josh Long 14:09
Yeah, and the fact that something like this is available to the public is kind of mind blowing. I mean, clearly, this is designed to help people commit fraud, right? So it’s kind of scary that this kind of thing is actually available to buy. I wanted to talk about the technology behind this, because I think, obviously, nobody is going to buy a technology like this unless they’re going to be using it for malicious purposes. Or potentially, I guess, you could be buying this technology so that you can fake-phish your employees and make sure that they’re not going to fall for real phishing scams. That actually is a thing, and some companies will hire a company to do this, or they’ll contract with a company that has technologies like this in place that are specifically designed to test people, right? So I would rather trust a company whose whole premise is testing your own employees, rather than a company that kind of seems like, “Well, we’re mainly for phishing,” but I guess you could use it for fake-phishing too.
Kirk McElhearn 15:16
That’s what’s called a Red Team. It’s the team that comes in to test everyone to see if everything works. It’s usually not people inside a company, because people inside a company are used to just the way things work, and they wouldn’t see the mistakes and the weaknesses that the Red Team would. So this works with more abbreviations. In this article, MFA’s Achilles’ heel is TOTPs. A TOTP is a timed one-time password. That’s the six-digit code you get when you’re getting a second-factor code, which, again, you can get from an authenticator app, but also via text message. So this is actually clever software. The reason we’re talking about it is because it provides a way to use a man-in-the-middle attack to get codes that are sent to legitimate users, but then pass them on to the hackers so they can access websites. Let’s go through this, and take it slow, because this does get a little bit complicated.
Josh Long 16:08
First of all, I should say that this is not brand new technology. It’s not that they just invented this; this has actually been around for many years. Phishers have known how to pull off this kind of attack; it’s just that this is a system that automates it to make it really easy to pull off this kind of attack. So the basic idea starts out with a standard phishing link. Somebody sends you a link, you click on the link, and then it prompts you for your username and password. You put those into the site, you know, if you’ve been tricked by the site. Maybe the URL looks similar enough, or you just don’t notice that the URL is different, that it is not actually the site that you intend to go to, but just a lookalike. So you put in your username and password. And then, if your account is set up with two-factor authentication, or multi-factor authentication, it will prompt you for a code. Now, that might be text-messaged to you through SMS. It might also be multi-factor authentication using time-based one-time passwords, like you were talking about, which you can, you know, use Google Authenticator or Microsoft Authenticator, or something like 1Password that has that built in. Even Apple’s Keychain now has that built in, as of a couple of versions of iOS ago. So you get this code one way or another, and you have to put it into the website. Now, in theory, you know, a lot of people think, well, this is two factor, right? So that means that I’m putting in my password, I’m putting in the code that I get, and that makes me safe, and I don’t need to worry about phishing sites. Well, the way this phishing site operates is it has a man in the middle. And so what it’s showing you is not just a standard phishing site; it’s showing you a clone of the real site. So you’re putting in your username and password into that. And then the proxy, the man in the middle, goes back to the target website and provides what you provided to the phishing site.
And then the real website now is asking for the multi-factor information. So the phishing site, the man in the middle, is presenting the same thing to you that the real site is presenting to them. So it’s just this one step in between. And so when you provide your two-factor code to the phishing site, it passes that right along to the real website, and now the phishing site is logged in as you.
Kirk McElhearn 18:36
And what’s clever about this is that this has to happen really quickly. If you’re using SMS-based two-factor authentication, you usually have five or 10 minutes to enter the code, because sometimes the codes don’t come quickly. But when you’re using a timed one-time password, you generally have 30 seconds. Now, before the show, Josh said there’s probably a little bit of margin if things aren’t entirely synced, so let’s say you have more than 30 seconds, 35. But it has to go really quickly. So there has to be this sort of interface between the phishing site and the real site to get the code in quickly enough, before it times out.
Josh Long 19:10
And I think that’s the whole reason behind making this an automated attack. Because it is certainly possible that an attacker could pull off something like this manually, but it would be very difficult to do. You could pull it off as a one-by-one attack, but this is much, much easier to do if you’ve got software that’s just automating this whole thing and handling as many requests as you’re getting to your phishing website. So this is not a good thing. Now, we want to make sure at the same time that people don’t fear multi-factor authentication and feel like, well, what’s even the point? Because, first of all, not every phishing website uses this kind of technology. It’s fairly rare, I would say, at this point, and it’s much better to have that extra layer of protection. Remember that you’re also protecting yourself from people who might try to break into your account if they happen to come across a password that might belong to you through a password dump or something like that. If somebody is trying to break into your account, don’t make it easier for them; make it harder for them by enabling two-factor authentication.
Kirk McElhearn 20:18
Microsoft claims that they’ve detected about a million malicious emails a day that are sent by this phishing kit. “Fishing kit.” What do you call it when you’ve got fishing gear? What do you call the bag with the fishing gear, when you’re doing proper fishing for fish? A tackle box. A tackle box, that’s what they should call this: a tackle box. Yeah, so 1 million a day. And this is automated. So they can send out 1 million emails a day, obviously through compromised computers and a botnet, because you can’t just send all this through Google Gmail or whatever. And what’s interesting is the whole process is automated. Now, what happens once they’ve gotten that information? They’ve gotten the username and the password, they’ve gotten into the account with the one-time password; they don’t have a lot of time necessarily to access the account, do they? Do they have a computer that stays logged into the account? Or do they have an alarm that goes off and someone runs to a computer to start, you know, emptying bank accounts or whatever?
Josh Long 21:14
Yeah, that’s a good question. I guess it really depends on the site that you’re logging into, and how long they allow you to stay authenticated to that site. If it’s a banking site, usually those have very, very quick timeout periods. A number of other sites usually let you stay logged in for a pretty long period of time; it does vary depending on the site. But sometimes they’ll let you stay in almost indefinitely, for something like Facebook, for example.
Is it safe to use the “Keep me logged in” or “Trust this browser” option that many websites present?
Kirk McElhearn 21:42
When you see a site and you log in, and there’s a little checkbox, “keep me logged in” or “keep me signed in”, should you check that or not?
Josh Long 21:50
Well, in this particular scenario, if we’re talking about a man in the middle, they’re going to check that box. So it doesn’t really even matter whether you check it in the phishing example.
Kirk McElhearn 22:00
Right. I’m talking about normal usage. Should we do that? Is it more secure to check that or not? Is it more secure to “trust this browser”, which some sites also ask?
Josh Long 22:11
Well, and see, that’s the problem that I have with it. So I personally don’t check that box; I prefer to leave it unchecked. Because I would rather be automatically signed out than have my browsing session semi-permanently logged into that site. One of the problems that can come up is, if malware gets onto your system, of course, you know, malware can do all sorts of things, but one of the many things that it can do is steal those cookies. Because what it’s actually doing when you check that box is setting a cookie in your browser that is a stay-logged-in cookie. And so if some malware comes along, or somebody else is accessing your computer remotely, they can just steal those cookies from your computer and put them on another computer and now be logged in as you, and that’s not something that you want.
Kirk McElhearn 23:04
So that’s interesting: that cookie is the equivalent of your username, password and second factor in authentication.
Josh Long 23:11
Right, right. Yeah. So this is exactly why I feel like people should be aware of that stay-logged-in checkbox, and why I don’t use it.
Kirk McElhearn 23:20
Even if it’s not “stay logged in”, though, the cookie is what’s indicating that you’re logged in. If anyone can get that, they’re you. That seems to be a serious weakness, then, and I know we’ve talked about vulnerabilities where malicious software can access cookies. But that seems to be quite serious, that it’s as simple as a cookie, as opposed to the username, password, and second factor.
Josh Long 23:43
I don’t know if you remember this, Kirk. But way back in 2010, there was a Firefox extension that was called Firesheep. Sheep like the animal: Firesheep. And this extension was revealed at a security conference. And the person who came up with this idea put this out there and made this publicly available. And what this extension would do is, if you, as a user of Firefox with this Firesheep extension installed, were to join a public Wi-Fi network that did not require a password to log into it, so for example at the local coffee shop or wherever, all you had to do was open up your browser and load this extension. And now you would be able to log in as anybody else in that cafe, just because it stole those cookies over the network and allowed you to log in as those people. Now, the way this was mitigated: websites started using HTTPS for the entire browsing session, rather than just the login, specifically because of Firesheep. Basically, this was the creator of Firesheep’s way of taking a known problem and forcing websites to have to implement HTTPS. And the reason we have HTTPS throughout the entire browsing session on just about every website today is specifically because of Firesheep, and the ease of logging in as somebody else if you can grab their cookies.
Kirk McElhearn 25:17
That’s interesting. It’s true that we talk about cookies mostly as tracking, for ads and all that. But we don’t think about what cookies actually do in the background. And you know that if you delete cookies for a website, you will lose your settings for the display, things like that. But we don’t realize that it is a persistent login sign. Are there often vulnerabilities that steal cookies, or malware that tries to steal cookies?
Josh Long 25:42
It does happen from time to time, yeah. I mean, again, once malware is on your system, it can do all sorts of other things. It can log keystrokes and things like that, so it can get your password. And that’s a little bit easier for an attacker to use sometimes, especially if you’re not using two-factor authentication. It’s very easy for an attacker to use your password again whenever they want, rather than have to have a cookie that’s going to expire after a period of time.
Kirk McElhearn 26:07
Okay, that’s enough for this week. Next week, we’re going to talk about Microsoft’s presentation on AI, which is taking place on Thursday, March 16, the day this podcast is being released, and we’re going to talk about how Microsoft is planning to include AI in all of its Office apps. Until next week, Josh, stay secure.
Josh Long 26:24
All right, stay secure.
Voice Over 26:27
Thanks for listening to the Intego Mac Podcast, the voice of Mac security, with your hosts Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like, or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software: intego.com.