Note: This article is only a brief description of two methods attackers currently use. It emphasizes the importance of using MFA for login and is intended for regular users.

Phishing - let's not get caught
Phishing is unfortunately still one of the most common ways attackers try to gain access to our accounts or sensitive data. This applies not only at work but also in our private lives - we certainly don't want anyone getting into our internet banking. It typically arrives as an email or SMS message that appears to come from a trusted sender. The goal is to make us click a malicious link or open an attachment. Today these messages can be practically indistinguishable from genuine ones.
Note: Let's not confuse phishing with spam. Spam is unsolicited advertising; phishing is an attempt at fraud.
How can a Phishing attack work?
We receive an email with a link to a fake page that looks like a real one (for example, a login page). If we enter our credentials there, the attacker immediately uses them to log into the actual service. Sometimes the page then redirects us to the real website or displays an error, so we don't notice anything.
This way, the attacker obtains our login credentials or even the logged-in session itself. Because the attacker's page sits between us and the real service and forwards our input in real time, this is known as a Man-in-the-middle attack. Even multi-factor authentication (MFA) won't protect us unless it's phishing-resistant: the attacker logs in on our behalf with the credentials we just typed, so the MFA prompt we approve is actually confirming their login attempt.
When working with email, we must be careful
- don't click on suspicious links or attachments (don't rush and think first)
- check the sender's address - does it really belong to the person or organization it claims to be?
- don't send sensitive information via email
- use antivirus protection
- in corporate environments, report suspicious emails, and when in doubt, contact the IT department
How to identify a dangerous email
- too good to be true - a very advantageous offer, such as a lottery win, an inheritance, or free goods
- sense of urgency - an attempt to force the user to act without thinking; if the email states that we must respond within minutes (for example, to prevent account deletion), it's suspicious
- links - if the text contains a link but hovering over it shows that it leads somewhere else (to a different domain), treat it as suspicious; if a message says we need to check some details in internet banking, for example, and provides a link, we shouldn't use the link but open the bank's website manually
- attachments - if the email contains an unexpected or nonsensical attachment, it's better not to open it (the file type may not be obvious at first glance); at minimum, save it first and scan it with antivirus
- sender - an unexpected sender (or an unexpected message altogether), an unknown person, or a known person whose name is displayed strangely - all of these call for increased attention
- request for sensitive information - no reputable organization asks for sensitive information (such as card numbers or banking passwords) via email
- suspicious domain - the domain in the sender's address or in the link may look official, but a mistake in the details - a typo (such as microsof.com instead of microsoft.com) or a suspicious TLD (such as .cn where .cz would be expected) - is a clear sign of phishing
- poor grammar - harmful emails used to be generated or machine-translated into Czech, so they contained many errors and generally poor Czech; recently, however, even dangerous messages are often written in good Czech, so this sign alone is no longer reliable
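The two link checks from the list above (visible text pointing to one domain while the link goes to another, and a domain that is a near-miss of a known one) can be automated. The following Python is an added example, not code from the article; the allow-list of known domains, the expected TLDs and the sample email are constructed for it, and the registrable-domain logic is a simplification that does not consult a public-suffix list.

```python
"""Added example (not from the article): flag the link signals from the list above.

It checks two things for every link in an email body: whether the visible text
names one domain while the href goes to another, and whether the target domain
is a near-miss of a known one (a typo or an unexpected TLD). The allow-list,
expected TLDs and the sample email are all constructed for this example; the
registrable-domain logic is a simplification (no public-suffix list).
"""
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

# Constructed allow-list: domains this reader legitimately receives mail from.
KNOWN_DOMAINS = ("microsoft.com", "mojebanka.cz", "google.com")
EXPECTED_TLDS = {"com", "cz", "org", "net"}
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Crude 'example.com' from 'login.example.com' (no public-suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def domain_in_text(text: str) -> Optional[str]:
    """Domain the link *claims* to go to, if the visible text names one."""
    match = DOMAIN_RE.search(text.lower())
    return registrable_domain(match.group(0)) if match else None


def domain_of_href(href: str) -> Optional[str]:
    """Domain the link *really* goes to."""
    host = urlparse(href).hostname
    return registrable_domain(host) if host and "." in host else None


def lookalike_of(domain: str) -> Optional[str]:
    """Known domain this one imitates (typo or swapped TLD), or None."""
    if domain in KNOWN_DOMAINS:
        return None
    name, _, tld = domain.rpartition(".")
    for known in KNOWN_DOMAINS:
        kname, _, ktld = known.rpartition(".")
        if name == kname and tld != ktld:          # same name, different TLD
            return known
        if SequenceMatcher(None, name, kname).ratio() >= 0.85:   # one-letter typo
            return known
    return None


def check_email_links(html: str) -> list:
    """Return one finding per suspicious link: {'href', 'text', 'reasons'}."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = domain_of_href(href)
        shown = domain_in_text(text)
        reasons = []
        if shown and target and shown != target:
            reasons.append(f"text shows {shown} but link goes to {target}")
        if target:
            imitated = lookalike_of(target)
            if imitated:
                reasons.append(f"{target} looks like {imitated}")
            tld = target.rpartition(".")[2]
            if tld not in EXPECTED_TLDS:
                reasons.append(f"unexpected TLD .{tld}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: two phishing-style links and one genuine one.
SAMPLE_EMAIL = """
<p>Dear customer, please verify your details at
<a href="https://secure-login.mojebanka.cn/verify">www.mojebanka.cz</a>
within 10 minutes, or <a href="https://microsof.com/reset">click here</a>.</p>
<p>Read our latest <a href="https://www.mojebanka.cz/news">news</a>.</p>
"""

if __name__ == "__main__":
    for finding in check_email_links(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run against the sample, the first link is reported three times over (text/href mismatch, swapped TLD, unexpected .cn) and the second once (microsof.com imitates microsoft.com); the genuine link to www.mojebanka.cz produces nothing. The similarity threshold is deliberately loose; a production filter would compare against a much larger brand list and a real public-suffix database.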
Infostealer - the silent data thief
More and more people protect themselves with MFA, so attackers are looking for ways other than stealing or cracking passwords. One of them is the Infostealer. This is malicious software similar to a keylogger (a program that records everything we type and sends it to the attacker). An Infostealer collects sensitive information from our computer (access credentials, cookies, documents, or browser content) and sends it to the attacker. Infostealer malware has been around for a long time, but in recent years it has begun to be used in the way described below.
How does an attacker gain access to our account?
When we log into a service, an authentication cookie is created and stored in the browser so we don't have to prove our identity again on every request. An Infostealer can steal these cookies and send them to the attacker, who inserts the stolen cookie into their own browser. The server only verifies that the cookie is valid (and it can remain valid for hours, days, or longer), so the attacker becomes a logged-in user under our account.
MFA is bypassed because it was already completed when the cookie was issued. In some cases, the attacker may even add their own verification method to our account. This attack is known as Pass-the-Cookie.
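On the server side, the damage a stolen cookie can do is bounded by how long it stays valid and by whether the service notices it being used from somewhere else. The following Python is an added example of that general mitigation, not the behaviour of any particular service and not code from the article: sessions are short-lived, each one remembers the client context it was issued to, and a cookie presented from a different context is revoked so the real user has to complete MFA again. The session store, the fake clock and the sample requests are constructed for the example.

```python
"""Added example (not from the article): limiting what a stolen session cookie
is worth. Generic server-side mitigation: short session lifetime, idle timeout,
and a coarse binding of the session to the client context it was issued to.
The session store, fake clock and sample requests are constructed.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass

SESSION_TTL = 8 * 3600   # absolute lifetime in seconds
IDLE_TIMEOUT = 15 * 60   # inactivity limit in seconds


def context_fingerprint(ip: str, user_agent: str) -> str:
    """Hash of the client's /24 network and User-Agent. Coarse and spoofable,
    but enough to stop a naive replay of the cookie from another machine."""
    prefix = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{prefix}|{user_agent}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    fingerprint: str
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock

    def issue(self, user: str, ip: str, user_agent: str) -> str:
        """Called only after password + MFA succeeded."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user, context_fingerprint(ip, user_agent), now, now)
        return token

    def validate(self, token: str, ip: str, user_agent: str) -> str:
        """Return 'ok', 'unknown', 'expired' or 'reauth' for a presented cookie."""
        session = self._sessions.get(token)
        if session is None:
            return "unknown"
        now = self._clock()
        if now - session.created > SESSION_TTL or now - session.last_seen > IDLE_TIMEOUT:
            del self._sessions[token]
            return "expired"
        if session.fingerprint != context_fingerprint(ip, user_agent):
            del self._sessions[token]   # revoke; the real user logs in again with MFA
            return "reauth"
        session.last_seen = now
        return "ok"


class FakeClock:
    """Controllable clock so the example can fast-forward time offline."""

    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


def demo() -> list:
    """Walk through issue, legitimate use, replay from elsewhere, and idle expiry."""
    clock = FakeClock()
    store = SessionStore(clock)
    ua = "Mozilla/5.0 (Windows NT 10.0)"   # constructed User-Agent
    token = store.issue("alice", "10.0.0.5", ua)
    results = [
        store.validate(token, "10.0.0.7", ua),            # same /24, same browser -> ok
        store.validate(token, "203.0.113.9", "curl/8"),   # cookie presented elsewhere -> reauth
        store.validate(token, "10.0.0.5", ua),            # already revoked -> unknown
    ]
    token = store.issue("alice", "10.0.0.5", ua)
    clock.now += IDLE_TIMEOUT + 1
    results.append(store.validate(token, "10.0.0.5", ua))   # idle too long -> expired
    return results


if __name__ == "__main__":
    print(demo())   # ['ok', 'reauth', 'unknown', 'expired']
```

The fingerprint is a heuristic: a User-Agent can be copied along with the cookie, and binding to an IP prefix misfires for mobile users and corporate NAT, which is why the response to a mismatch is a fresh MFA prompt rather than a hard lockout. The timeouts are the part that always helps: a cookie that expires after fifteen idle minutes is worth far less to whoever collected it than one valid for a month.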
How does an Infostealer reach us?
- An Infostealer often spreads through phishing emails (as an attachment).
- Through fraudulent websites serving malware (these may be promoted through ads on Google or Facebook).
- Recently, attackers have been trying to get it into web browsers; this can happen through the installation of a publicly available add-on or extension.
What to watch out for
- which websites we visit
- which links we click on
- which software we install on our computer (not just entire applications, but also add-ons, etc.)
Password is not enough - let's log in more securely
We must secure account logins as well as we can. Ideally, each service should have a different strong password (these can be stored in a trusted password manager). Since a password can be guessed, intercepted, or cracked, it's even better not to rely on a password alone (or not to use one at all) and to enable multi-factor authentication (MFA).
MFA verification methods
There are several MFA methods, but not all are equally secure. Still, any MFA method is better than none at all.
- code via SMS - no longer really recommended; it is easy to intercept or abuse
- OATH token - a verification code that changes regularly in an app; a better choice, but still not ideal
- passwordless login (Phone Sign-in) - for Microsoft accounts, this is available in Microsoft Authenticator
The best MFA methods are those designated as phishing-resistant MFA. They verify the address (origin) of the site we're logging into and refuse to work on a spoofed site. These include:
- FIDO2 security key
- Windows Hello for Business
- certificate-based authentication
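The difference between a code that "changes regularly in an app" and a phishing-resistant method is easiest to see in code. The following Python is an added example, not from the article: the TOTP half follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits), while the "origin-bound" half is a deliberately simplified stand-in for FIDO2/WebAuthn that uses an HMAC with a per-site device secret instead of a public-key signature, but, like the real protocol, signs the origin the browser is actually on together with the server's challenge. Secrets, origins, the challenge and the timestamp are constructed for the example; the RFC 6238 test vector (secret `12345678901234567890`, time 59) is real.

```python
"""Added example (not from the article): why a rotating code can be relayed
through a fake page but an origin-bound credential cannot.

TOTP follows RFC 6238. The origin-bound credential is a simplified stand-in for
FIDO2/WebAuthn (HMAC instead of a public-key signature). All secrets, origins,
the challenge and the timestamp are constructed.
"""
import hashlib
import hmac
import struct


# ---- OATH TOTP (RFC 6238) ------------------------------------------------
def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_login(server_secret: bytes, presented_code: str, now: int) -> bool:
    """The real service checks only the digits; it cannot tell where they were typed."""
    return hmac.compare_digest(totp(server_secret, now), presented_code)


# ---- origin-bound credential (simplified WebAuthn-style) ------------------
def make_assertion(device_key: bytes, challenge: bytes, browser_origin: str) -> dict:
    """The authenticator signs the server's challenge together with the origin
    the browser reports. A page's own script cannot change that origin."""
    message = browser_origin.encode() + b"\x00" + challenge
    return {"origin": browser_origin, "challenge": challenge,
            "sig": hmac.new(device_key, message, hashlib.sha256).digest()}


def verify_assertion(device_key: bytes, assertion: dict,
                     expected_origin: str, expected_challenge: bytes) -> bool:
    if assertion["origin"] != expected_origin:       # the phishing-resistance check
        return False
    if not hmac.compare_digest(assertion["challenge"], expected_challenge):
        return False
    message = assertion["origin"].encode() + b"\x00" + assertion["challenge"]
    expected = hmac.new(device_key, message, hashlib.sha256).digest()
    return hmac.compare_digest(assertion["sig"], expected)


def compare_methods(real_origin: str, fake_origin: str, device_key: bytes,
                    totp_secret: bytes, now: int) -> dict:
    """Outcome at the real service when the user completes each method on a fake page."""
    challenge = b"constructed-challenge-0001"
    # TOTP: the digits entered on the fake page are forwarded unchanged and accepted.
    totp_relayed = totp_login(totp_secret, totp(totp_secret, now), now)
    # Origin-bound: the assertion was produced for fake_origin, so the real site rejects it.
    relayed = make_assertion(device_key, challenge, fake_origin)
    bound_relayed = verify_assertion(device_key, relayed, real_origin, challenge)
    # Rewriting the origin field does not help: the signature covered the fake origin.
    patched = dict(relayed, origin=real_origin)
    bound_patched = verify_assertion(device_key, patched, real_origin, challenge)
    # A genuine login from the real origin still verifies.
    genuine = make_assertion(device_key, challenge, real_origin)
    bound_genuine = verify_assertion(device_key, genuine, real_origin, challenge)
    return {"totp_relayed": totp_relayed, "bound_relayed": bound_relayed,
            "bound_patched": bound_patched, "bound_genuine": bound_genuine}


if __name__ == "__main__":
    print(totp(b"12345678901234567890", 59))   # RFC 6238 test vector -> 287082
    print(compare_methods("https://login.example.com", "https://login.example.org",
                          b"constructed-device-key", b"constructed-totp-secret",
                          1_700_000_000))
```

The TOTP code is just six digits with no notion of where they were typed, so a fake page can pass them straight on. The origin-bound assertion is tied to the origin the browser saw, which is why a FIDO2 key or Windows Hello for Business simply fails on a spoofed site. In real WebAuthn the origin lives in clientDataJSON, which the browser fills in, the server keeps only a public key, and the credential is further scoped to a relying-party ID; the HMAC here stands in for that only to keep the example dependency-free.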
Personally, I recommend using Windows Hello for Business where possible; it's simple and secure. It works with passkeys, just like a FIDO2 security key. Microsoft Entra ID already fully supports passkeys in the Microsoft Authenticator app.
Note: Under certain conditions, we can use MFA even when logging in via RDP (Remote Desktop) to a company computer.
Thanks for the nice article; I'm not sure whether it is useful to recommend "Windows Hello for Business" in an article for regular users.
I also think it would be appropriate to explain some of the terms used, because comparing an infostealer to a keylogger seems useless to me without explaining what a keylogger is.
But even so, I consider the article very useful, because it made me think about what I might have set up wrong in my personal environment. :)
reply to Michal ZOBEC: Thanks. I wrote that article for my company and wanted to include the point that the same things need attention at home too. I tried to make it as short as possible (people don't read longer pieces at all) and not to put too many technical details in it. It also follows on from other information I wrote earlier. I decided to put it on my website, where I edited and expanded it, but I still wanted to keep it brief.
At home I use Windows Hello, which is less secure than Windows Hello for Business, but I think still better than many other methods. Overall, though, it was aimed at corporate accounts.
I still think it's best to use several physical devices. And to avoid Windows and the cloud as much as possible. As for email and other suspicious activity, look at the source code, copy the text out of the email and work with that. Occasionally turn on Wireshark or a proxy and watch what's going on in there.