Researchers at Cisco Talos warn that major phishing kits continue to incorporate features that allow them to bypass multi-factor authentication (MFA).
Commodity phishing kits like Tycoon 2FA and Evilproxy achieve this by using reverse proxies to intercept traffic from the authentication process during a phishing attack.
“A reverse proxy functions as an intermediary server, accepting requests from the client before forwarding them on to the actual web servers to which the client wishes to connect,” the researchers write. “To bypass MFA the attacker sets up a reverse proxy and sends out phishing messages as normal.
When the victim connects to the attacker’s reverse proxy, the attacker forwards the victim’s traffic onwards to the real site. From the perspective of the victim, the site they have connected to looks authentic — and it is! The victim is interacting with the legitimate website. The only difference perceptible to the victim is the location of the site in the web browser’s address bar.”
If a user falls for the phishing attack, the attacker can steal their credentials and the authentication cookie needed to log in to the targeted site.
“By inserting themselves in the middle of this client-server communication the attacker is able to intercept the username and password as it is sent from the victim to the legitimate site,” the researchers explain. “This completes the first stage of the attack and triggers an MFA request sent back to the victim from the legitimate site.
When the expected MFA request is received and approved, an authentication cookie is returned to the victim through the attacker’s proxy server where it is intercepted by the attacker. The attacker now possesses both the victim’s username/password as well as an authentication cookie from the legitimate site.”
Talos notes that commodity phishing kits allow unskilled threat actors to easily launch these attacks.
“Thanks to turnkey Phishing-as-a-Service (Phaas) toolkits, almost anyone can conduct these types of phishing attacks without knowing much about what is happening under the hood,” the researchers write. “Toolkits such as Tycoon 2FA, Rockstar 2FA, Evilproxy, Greatness, Mamba 2FA, and more have emerged in this space. Over time the developers behind some of these kits have added features to make them easier to use and harder to detect.”
While multi-factor authentication is still an important layer of defense, users should be aware that it isn’t foolproof. KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Cisco Talos has the story.
New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn't a one and done deal, continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your one-on-one demo of KnowBe4's security awareness training and simulated phishing platform and see how easy it can be!
