


Mamba 2FA increases phishing threats
Phishing remains an undiminished threat to organizations. The new Mamba 2FA threat has recently claimed several organizations as victims, including the police. Peter LaHousse explains what this new form of phishing means: “Mamba 2FA is a phishing-as-a-service platform that specifically focuses on circumventing two-factor authentication (2FA) with Microsoft 365 accounts. In doing so, attackers have found a new way to intercept not only login details, but also 2FA tokens. This allows attackers to access sensitive information even when 2FA is enabled.”
“We have banned phishing tests. They are not effective and that has been scientifically proven.” - Jeroen Schipper - CISO Municipality of The Hague
Phishing tests, useful or pointless?
Protection against phishing therefore remains crucial. Many organizations carry out periodic phishing tests and train employees to recognize phishing. The effectiveness of phishing tests in particular is increasingly being questioned. You never completely eliminate the chance that someone will accidentally click on a link, which makes an organization vulnerable to hacks. Jeroen Schipper, CISO of the Municipality of The Hague, shares that view and says the following about it: “We've banned phishing tests. They are not effective and that has been scientifically proven.” His statement sparked debate and drew responses from fellow CISOs who believe that phishing tests can indeed be useful, among other things to develop an overall level of alertness and to ensure that employees get used to always reporting suspicious situations such as phishing to the CISO.
“We need to design security controls that are intuitive and make it easy for people to do the right thing” - Jan Martijn Broekhof - Guardian360 General Manager
Cybersecurity UX as a solution: allowing users to act cyber safely automatically
Guardian360's Jan Martijn Broekhof is also increasingly questioning the effectiveness of awareness. He goes one step further. “The traditional idea that security awareness is the key to protecting companies is coming under increasing pressure. Instead of simply training people as “human firewalls,” we need to realize that security issues don't disappear through awareness alone.” Jan Martijn calls for Cybersecurity UX (User Experience) as a solution: “We need to design security controls that are intuitive and make it easy for people to do the right thing without consciously thinking about their choices. One such example is the concept of “guardrails” and “paved roads”, as introduced by Jason Chan, former VP of Security at Netflix. Guardrails are automated security controls that help users stay safe without disrupting their work. Paved roads provide the safest and most efficient route for users, making them less likely to deviate from safe practices.”
“On a login page, the MindYourPass password manager only enters your password if this is the real login page with the correct URL!” - Merijn de Jonge - CEO of MindYourPass
Phishing-proof passwords: Cybersecurity UX applied by MindYourPass
At MindYourPass, we understand Jeroen Schipper's point of view and embrace the vision of Jan Martijn Broekhof and Jason Chan. The technology must be so smart that it protects people from making a mistake. This is also known as poka-yoke. And that's exactly what MindYourPass does. A phishing email tempts you to enter your login details on a fake login page. If you do, the hacker runs off with your login details and can log in to the real site under your name.
Merijn de Jonge, founder of MindYourPass, explains how it works: “MindYourPass can't prevent you from unintentionally ending up on a fake page. But MindYourPass does prevent you from entering your username and password here. On a login page, the MindYourPass password manager only enters your password if this is the real login page with the correct associated web URL! Is the login page fake? Then this page contains a different web URL. In that case, MindYourPass will not fill in your login details.”
This way, you, as a user, are protected against phishing of your login details and thus also against the latest Mamba 2FA cyber threat!
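The URL check described above can be sketched as an exact origin comparison. This is an added example, not MindYourPass's implementation; the saved entry, the function name `autofillDecision` and the sample URLs are constructed for illustration.

```javascript
// Added illustration, not MindYourPass code. The saved entry and all
// sample URLs below are constructed for this example.
const SAVED = { origin: "https://login.microsoftonline.com", username: "alice@contoso.example" };

// Decide whether credentials saved for `entry.origin` may be filled on `pageUrl`.
function autofillDecision(pageUrl, entry) {
  let page;
  try {
    page = new URL(pageUrl); // WHATWG parser: same host/userinfo rules a browser applies
  } catch {
    return { fill: false, reason: "unparseable URL" };
  }
  if (page.protocol !== "https:") {
    return { fill: false, reason: "not HTTPS" };
  }
  // Exact origin match (scheme + host + port). No substring, prefix or
  // "looks similar" matching: that is what a human eye gets wrong.
  if (page.origin !== new URL(entry.origin).origin) {
    return { fill: false, reason: "origin mismatch: " + page.origin };
  }
  return { fill: true, reason: "origin matches saved entry" };
}

// Constructed page URLs: one genuine, the rest typical look-alikes.
const SAMPLES = [
  "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=x",
  "https://login.microsoftonline.com.signin.example/common",  // real name used as a subdomain
  "https://login.microsoftonline.com@phish.example/login",    // real name in the userinfo part
  "http://login.microsoftonline.com/",                        // scheme downgrade
  "https://login.microsoftonline.com:8443/",                  // different port
  "https://login.micr\u043esoftonline.com/",                  // Cyrillic 'o' homoglyph
];

function evaluateSamples() {
  return SAMPLES.map((url) => ({ url, ...autofillDecision(url, SAVED) }));
}

for (const r of evaluateSamples()) {
  console.log((r.fill ? "FILL  " : "BLOCK ") + r.url + "  (" + r.reason + ")");
}
```

Only the first sample is filled; every look-alike is refused because the parsed origin differs, regardless of how convincing the page or the address bar appears to the user.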
Sources:
https://www.ccinfo.nl/cybercrime/phishing/2089754_mamba-2fa-een-nieuwe-dreiging-voor-microsoft-365-accounts-en-hoe-je-je-kunt-beschermen
https://datanews.knack.be/nieuws/jeroen-schipper-ciso-den-haag-zodra-iemand-een-phishingmail-ontvangt-hebben-alle-miljoenenkostende-maatregelen-gefaald/
https://www.linkedin.com/pulse/beveiligingsbewustzijn-zal-ons-niet-redden-tijd-voor-een-jan-martijn-jauae/?trackingId=PRrWWqVk2l0aHl9Lvx9HKw%3D%3D
The vaultless password manager from MindYourPass
With the MindYourPass password manager, you can easily make all your passwords rock-solid and unique. The password manager manages your passwords, which you use every day to log in to all your accounts, without you having to type in your passwords. MindYourPass does that for you.