The Theft Protection Association, SSF, warns of a new phishing campaign.
Google ads lead people to fake pages where their passwords are stolen – and it is not possible to protect yourself with two-factor authentication.
– It is undoubtedly the best phishing campaign I have ever been a part of, says Karl Emil Nikka, IT security specialist at SSF, in a press release.
SSF has noted new types of attacks since the beginning of December, which mainly target businesses. Attackers use ads on Google to trick employees into logging into fake websites, where passwords and usernames are stolen. On Saturday, it was discovered that the fraudsters had also translated the login page into Swedish.
– This phishing campaign is undoubtedly the best phishing campaign I have ever been part of, but it is basically just an example of a trend, says Karl Emil Nikka, IT security specialist, in a press release from SSF.
Worrying trend
SSF considers the campaign worrying, as two-factor authentication, which employers often encourage employees to use to protect themselves, does not stop it. Karl Emil Nikka believes that this is a clear trend that we will see more of in the future.
– Sophisticated phishing attacks that bypass two-factor authentication are becoming more common. In such attacks, the most common methods of two-factor authentication do not protect.
This is how you protect yourself
SSF points out that search engine ads have a flaw: an ad can display a completely different domain than the one it actually leads to. But there is a way to protect yourself.
– The deficiency persists even though it has been known for several years. Both we and the American FBI therefore recommend hiding all ads similar to search results, says Karl Emil Nikka.
Both private individuals and companies can also use phishing-resistant login methods, such as physical security keys and so-called passkeys.