GoDaddy, an internet domain registrar and web hosting company, recently disclosed that they experienced three cyber attacks in the past three years. Through these attacks, hackers stole GoDaddy source code, employee login info, and sensitive customer account data. They also installed malware on GoDaddy’s servers, which compromised customers’ websites.
One of the methods the attackers used to infiltrate GoDaddy’s systems was Voice Phishing, or “Vishing.” This is an emerging social engineering tactic hackers use to circumvent a company’s Multi-factor Authentication security measures.
How Hackers Use Vishing to Get Around Multi-factor Authentication
Multi-factor authentication (MFA) is a common safeguard companies use to prevent security breaches. With MFA, employees must verify their identity using a combination of methods. For instance, in addition to providing their username and password to log into an account, they may also need a single-use code that’s sent as a text message or generated by an authenticator app. MFA stymies a lot of hacking attempts because even if someone obtains an employee’s password, it’s unlikely they’ll also have access to the employee’s phone or authenticator app to retrieve the necessary single-use code.
Unfortunately, with “vishing,” hackers can get around MFA security measures by tricking an employee into willingly sharing the single-use code. Typically, an attacker calls an employee over the phone while posing as the company’s IT personnel, and sends the employee a link to a spoofed, yet legitimate-looking, website that asks them to enter their login details and one-time code. A second attacker takes that information and uses it to infiltrate the company’s systems. Once the attackers have the credentials they need, they pull down the spoofed site.
Universal 2nd Factor Devices Can Prevent Vishing
Universal 2nd Factor (U2F) is one MFA option that isn’t vulnerable to vishing attempts. Instead of manually entering a one-time code, employees use a small hardware security key that plugs into their computer’s USB port and answers the login challenge for them. According to KrebsOnSecurity, with U2F devices, “even if an employee who has enrolled a security key for authentication tries to log in at an impostor site, the company’s systems simply refuse to request the security key if the user isn’t on their employer’s legitimate website, and the login attempt fails.”
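To make that difference concrete, here is an added example (not code from GoDaddy, Jencap or KrebsOnSecurity) contrasting an RFC 6238 one-time code, which is valid wherever it is typed, with a WebAuthn/U2F-style assertion that the site rejects unless the browser reported the legitimate origin and the exact challenge the site issued. The device signature is stood in for with HMAC over a per-credential secret (real keys sign with an asymmetric key) and the domain names are constructed; in the real protocol the browser would refuse to produce an assertion on a lookalike domain at all, which is the behaviour the quote above describes.

```python
# Added example, not GoDaddy's or Jencap's code. The device signature is stood
# in for with HMAC over a per-credential secret (real keys use ECDSA); the
# origin and challenge checks mirror what a WebAuthn/U2F relying party does.
import hashlib, hmac, json, os, struct, time

LEGIT_ORIGIN = "https://login.example.com"        # constructed

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code: nothing in it says which site it was meant for."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"

def authenticator_sign(cred_key: bytes, challenge: bytes, origin: str) -> dict:
    """Client side: the browser records the origin the user is really on
    and the key signs over a hash of that client data."""
    client_data = json.dumps({"type": "webauthn.get", "origin": origin,
                              "challenge": challenge.hex()}).encode()
    auth_data = b"\x00" * 37                      # flags/counter placeholder
    digest = auth_data + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "auth_data": auth_data,
            "sig": hmac.new(cred_key, digest, hashlib.sha256).digest()}

def rp_verify(cred_key: bytes, issued: bytes, a: dict) -> bool:
    """Relying party: accept only an assertion made on our origin, for the
    challenge we issued, under the enrolled credential."""
    cd = json.loads(a["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("origin") != LEGIT_ORIGIN:
        return False                              # signed on some other site
    if not hmac.compare_digest(cd.get("challenge", ""), issued.hex()):
        return False                              # stale or attacker-minted challenge
    digest = a["auth_data"] + hashlib.sha256(a["client_data"]).digest()
    return hmac.compare_digest(hmac.new(cred_key, digest, hashlib.sha256).digest(), a["sig"])

def vishing_demo() -> dict:
    """Constructed scenario: the caller steers the victim to a lookalike site
    and relays whatever the victim produces to the real login page."""
    phish_origin = "https://login-example.com"    # constructed lookalike
    otp_secret, cred_key = os.urandom(20), os.urandom(32)
    now = int(time.time())
    vished_code = totp(otp_secret, now)           # victim types it into the fake page
    code_accepted = totp(otp_secret, now) == vished_code   # real site cannot tell
    chal = os.urandom(32)                         # real site's challenge, proxied by attacker
    relayed = authenticator_sign(cred_key, chal, phish_origin)
    genuine = authenticator_sign(cred_key, chal, LEGIT_ORIGIN)
    return {"totp_relayed_accepted": code_accepted,
            "u2f_relayed_accepted": rp_verify(cred_key, chal, relayed),
            "u2f_legit_accepted": rp_verify(cred_key, chal, genuine)}
```

Running `vishing_demo()` shows the relayed one-time code accepted while the relayed assertion is refused, because the origin the victim was really on is part of what the key signed.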
Read on to learn more about how attackers used vishing to compromise GoDaddy’s systems and how U2F devices can help prevent these kinds of attacks.
All Businesses Must Proactively Protect Themselves
When it comes to cyber security, the rules of the game are constantly changing and evolving. Hackers relentlessly adapt their methods and approaches in an effort to breach companies’ systems.
Deborah Dioguardi, Jencap Professional Lines National Practice Leader and cyber insurance expert explains: “Vishing is just another way cyber criminals exploit companies to gain a profit. Although companies are doubling down on security measures, cyber criminals will keep finding ways around them. No matter their company’s size, business owners need to realize they are not immune to a phishing attack.”
“Companies can be proactive by hiring internal specialists or partnering with firms that are well versed in cyber security,” says Dioguardi. “It’s vital to educate employees on how to identify different types of phishing attacks, and what to do if they suspect a phishing attempt.”
At Jencap, our expert brokers keep an eye on emerging cyber security insurance trends, so you and your clients can guard against cyber attacks and recover in the event of a breach. Contact Jencap today to speak to one of our cyber experts.