Traditional phishing attacks that most people are familiar with consist of fake login pages hosted on attacker-controlled web servers and served from custom domains whose names are similar to those of the targeted websites. However, such static attacks are not effective against online services that use two-factor authentication, because there is no interaction with the legitimate websites to trigger the generation of one-time-use codes.