It was only a matter of time. While multifactor authentication (MFA) makes logging into systems safer, it doesn’t make it “safe.” As well-known hacker Kevin Mitnick of KnownBe4, showed in 2018 it’s easy to trick a user into giving up his MFA token for a given site. But now automation kits have come to MFA attacks.
Cybersecurity company Proofpoint has found phishing kits adding MFA bypassing attacks to their features. These rely on a transparent reverse proxy. Typically transparent reverse proxies, such as the open source Squid Transparent Proxy Server are used for content filtering or to monitor employee web activities on a business Internet connection. In these kits, however, the same technology is used to run local man-in-the-middle (MitM) attacks to steal credentials and session cookies.
Why go to this trouble? Because, as an MFA company Duo‘s recent study found these days 78% of users now use MFA, compared to just 28% in 2017. That’s good news, but it’s also given cybercrooks the incentive they needed to target MFA.
A Range of Kits
To make it easy for wannabe hackers. Proofpoint found today’s phishing kits range from “simple open-source kits with human-readable code and no-frills functionality to sophisticated kits utilizing numerous layers of obfuscation and built-in modules that allow for stealing usernames, passwords, MFA tokens, social security numbers, and credit card numbers.”
How? By sending phishing emails with links to a fake target website, like a login page, to naive users. That, of course, is old news. Hackers have been using that technique for ages. What this “new kind of kit” brings to the table is a malware-planted MitM transparent reverse proxy. With this residing on the target’s PC, it intercepts all the traffic including their credentials and session cookies even if the connection is to the real site. The session cookies include the MFA codes even if they’re from a highly secure MFA.
One such program, Modlishka, already automates these attacks. Polish security researcher Piotr Duszyński, said of it, “With the right reverse proxy targeting your domain over an encrypted, browser-trusted, communication channel one can really have serious difficulties in noticing that something was seriously wrong.” He added, it’s “sort of a game-changer since it can be used as a ‘point and click’ proxy, that allows easy phishing campaign automation with the full support of the 2FA.: The only exception is FIDO Universal 2nd Factor (U2F) protocol-based tokens.
Just an Illusion?
Adding insult to injury, Proofpoint claims this new approach makes these kits more effective. That’s because “modern web pages are dynamic and change frequently. Therefore, presenting the actual site instead of a facsimile greatly enhances the illusion an individual is logging in safely.”
There are currently three major MFA phishing kits. These are Modlishka, Muraena/Necrobrowser, and Evilginx2. Each has different capabilities for slightly different purposes. All of them were also, in theory, created for legal purposes, such as penetration testing. Of course, now they’re all used more for hacking than testing.
What can you do? Using hardened MFM technologies such as FIDO U2F can help as can hardware-based MFA security devices such as Yubico’s YubiKey and Google’s Titan Security Key. In the long run, zero trust will be tomorrow’s personal authentication method of choice, but we’re not there yet.
Featured image via Pixabay.