
Link source
https://apple.news/A2RJ0OlIGQFW4ny3kEBJ93A

Fake one-time passwords the latest scam to hit corporate phones

27 AUGUST 2024 | Joseph Lam (The Australian)

A layer of security often promoted as the key to preventing hackers from accessing accounts is now the next major target, disrupting the cybersecurity industry.
One-time passwords, which are often sent to a device via text message and require the user to enter them into an application before logging in, have become a hunting ground for threat actors.
One campaign targeting Android devices has attacked workers at more than 600 global brands, with 107,000 unique malware applications found to be deceptively retrieving one-time passwords from devices and relaying them to hackers, researchers at cybersecurity firm Zimperium have found.
The malware has been detected in 113 countries including Australia, but Russia and India have been identified as the primary targets.
One-time passwords are a form of multi-factor authentication: before the login is accepted, the user must prove possession of something beyond the username and password, typically the phone that receives the code.
Over the past few years, more organisations have moved to use multi-factor authentication as an added layer of security. The new malware campaigns were particularly concerning as some organisations saw one-time passwords and multi-factor authentication more broadly as the be-all and end-all of cybersecurity.
Zimperium senior engineer Jason Salway said attacks targeting SMSs had been happening for well over a decade, but what was new was the specific interest in one-time passwords. “Even though we’ve been tracking these particular attacks for the last two years, this is by no means a new kind of attack,” he said. “Threat actors have known for a very long time that if you can get access to someone’s SMSs or one-time pin generating apps, they can get deeper into an organisation.”
Zimperium said many scammers had successfully convinced victims to download malicious software by posing as legitimate businesses, through advertising, and via Telegram bots, about 2600 of which have been linked to malicious campaigns. Another method involves sending Android Package Kit (APK) files to a user's mobile number; the packages have been altered to include malicious software that is often hard for a device's security features to detect.
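The two paragraphs above describe the stealer's footprint without showing what a defender can check for. The following is an added example, not Zimperium's tooling or code from the article: a static triage of an Android manifest for the combination an SMS one-time-password stealer needs (SMS-reading permissions, a receiver registered for incoming SMS, and network access to relay the code). The manifests are constructed for illustration; in practice the decoded manifest would come from a sideloaded APK via a tool such as apktool or androguard.

```python
# Added example (not the article's or Zimperium's code): static triage of an
# AndroidManifest.xml for the permission/receiver pattern used by SMS OTP stealers.
# The two manifests below are constructed samples, not real apps.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_MMS",
}
# Broadcast actions a receiver registers for to see incoming text messages.
SMS_ACTIONS = {
    "android.provider.Telephony.SMS_RECEIVED",
    "android.provider.Telephony.SMS_DELIVER",
}


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(manifest_xml: str) -> dict:
    """Flag a manifest that asks for SMS access, hooks incoming SMS, and has INTERNET.

    Caveat: a clean result is not clearance. Stealers can also read codes through a
    notification listener or accessibility service without any SMS permission.
    """
    root = ET.fromstring(manifest_xml)
    perms = {_attr(e, "name") for e in root.iter("uses-permission")}
    sms_perms = sorted(perms & SMS_PERMISSIONS)

    sms_receivers = []
    for recv in root.iter("receiver"):
        for flt in recv.iter("intent-filter"):
            actions = {_attr(a, "name") for a in flt.iter("action")}
            hit = actions & SMS_ACTIONS
            if hit:
                prio = _attr(flt, "priority")
                sms_receivers.append({
                    "receiver": _attr(recv, "name"),
                    "actions": sorted(hit),
                    # A very high priority is a classic stealer marker: the app
                    # wants to see the SMS before anything else does.
                    "priority": int(prio) if prio is not None else 0,
                })

    has_internet = "android.permission.INTERNET" in perms
    return {
        "package": root.get("package"),
        "sms_permissions": sms_perms,
        "sms_receivers": sms_receivers,
        "internet": has_internet,
        # All three together: can read the code, is told when one arrives,
        # and can send it off the device.
        "suspicious": bool(sms_perms) and bool(sms_receivers) and has_internet,
    }


# Constructed sample: a "flashlight" app with no business reading text messages.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Flashlight">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsHook" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: same kind of app without SMS access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Torch">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(m))
```

The check is deliberately narrow: RECEIVE_SMS is a runtime permission, so the user is still prompted, but a sideloaded APK bypasses the store policy that would normally reject an app requesting it. Treat a hit as a reason to pull the package for dynamic analysis, and treat a miss as inconclusive for the reasons given in the docstring.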
Zimperium’s enterprise and government regional sales manager, Simon Scaife, said workers who used their personal devices for work were often more at risk.