As 2FA has become the default security control for most organizations, websites and applications, the tooling cybercriminals use to bypass it has kept pace. A group of academic researchers reported finding roughly 1,200 phishing sites in the wild running toolkits capable of intercepting 2FA codes and letting attackers log in with them.
Threat actors capture users' credentials and then bypass 2FA with a range of methods, from deploying "infostealer" malware to real-time and Man-in-the-Middle (MitM) phishing.
For years real-time phishing has been the primary technique for collecting a user's credentials and gaining access to the targeted account. It requires a human operator: the attacker watches the phishing site's backend while the victim interacts with the page. As the victim enters a username and password, the operator submits them to the real site, which responds with a 2FA challenge; the phishing page then prompts the victim for the code, the operator receives it in real time and enters the still-valid token on the real site. The result is an authenticated session between the attacker's device and the victim's account. Real-time phishing is most commonly aimed at banking portals, where users spend only a short time logged in and every login requires re-authentication, so a stolen password alone is useless and the code has to be used within its validity window.
Another way attackers bypass 2FA is with malware known as an "infostealer", which copies authentication cookies from any device it infects. A stolen cookie replays an already-authenticated session, so the second factor is never challenged at all. This approach is typically aimed at email, social media and gaming accounts, which tend to have lenient session rules: many of these services issue authentication cookies that remain valid for years, leaving accounts exposed long after the malware has run.
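The difference between a cookie that is "valid for years" and one that limits what a stolen cookie is worth comes down to server-side session policy. The following is an added illustration, not code from the article or from any product it mentions; the policy values, the `fingerprint` scheme and the sample sessions are constructed for the example. It compares a lenient policy with a stricter one (short absolute lifetime, idle timeout, and a coarse binding of the session to the client it was issued to) when an infostealer replays the cookie from another machine 400 days later.

```python
"""Server-side session checks that bound the value of a stolen cookie.
Added example; names, policy values and sample sessions are constructed."""
from dataclasses import dataclass
import hashlib
import secrets

DAY = 86_400


@dataclass
class Policy:
    absolute_lifetime: int   # max seconds since the user last authenticated
    idle_timeout: int        # max seconds since the cookie was last presented
    bind_to_client: bool     # presenting client must match the issuing client


# Lenient policy: the pattern the text describes, a cookie that stays valid
# for years and is never re-checked against the client using it.
LENIENT = Policy(absolute_lifetime=2 * 365 * DAY, idle_timeout=2 * 365 * DAY, bind_to_client=False)
STRICT = Policy(absolute_lifetime=12 * 3600, idle_timeout=30 * 60, bind_to_client=True)


@dataclass
class Session:
    token: str
    issued_at: int
    last_seen: int
    client_fp: str   # hash of coarse client attributes captured at login


def fingerprint(user_agent: str, ip_prefix: str) -> str:
    # Coarse binding (UA family + network prefix). Not a security boundary on
    # its own, but a cookie replayed from the attacker's machine rarely matches.
    return hashlib.sha256(f"{user_agent}|{ip_prefix}".encode()).hexdigest()[:16]


def issue(now: int, user_agent: str, ip_prefix: str) -> Session:
    return Session(secrets.token_urlsafe(32), now, now, fingerprint(user_agent, ip_prefix))


def validate(session: Session, policy: Policy, now: int, user_agent: str, ip_prefix: str):
    if now - session.issued_at > policy.absolute_lifetime:
        return False, "absolute lifetime exceeded: re-authenticate"
    if now - session.last_seen > policy.idle_timeout:
        return False, "idle timeout: re-authenticate"
    if policy.bind_to_client and fingerprint(user_agent, ip_prefix) != session.client_fp:
        return False, "client mismatch: possible replayed cookie, step-up required"
    session.last_seen = now
    return True, "ok"


def set_cookie_header(session: Session, policy: Policy) -> str:
    # Secure + HttpOnly keep the cookie off plain HTTP and out of page JavaScript;
    # Max-Age caps the browser-side lifetime. None of this stops malware reading
    # the cookie store on disk, which is why the server-side checks above matter.
    return (f"session={session.token}; Path=/; Secure; HttpOnly; SameSite=Lax; "
            f"Max-Age={policy.absolute_lifetime}")


def stolen_cookie_scenario(policy: Policy):
    # Constructed scenario: the victim logs in from a laptop; 400 days later the
    # cookie, lifted by an infostealer, is replayed from the attacker's machine.
    t0 = 1_700_000_000
    s = issue(t0, "Firefox/118", "203.0.113")
    validate(s, policy, t0 + 60, "Firefox/118", "203.0.113")   # victim's own use
    return validate(s, policy, t0 + 400 * DAY, "Chrome/119", "198.51.100")


if __name__ == "__main__":
    print("lenient policy, replayed cookie:", stolen_cookie_scenario(LENIENT))
    print("strict policy, replayed cookie: ", stolen_cookie_scenario(STRICT))
```

Under the lenient policy the replayed cookie is accepted; under the strict one it is rejected at the absolute-lifetime check before the client binding is even consulted. The binding check is what catches a replay that happens inside the lifetime window, and should trigger a step-up (re-entering the second factor) rather than a silent denial.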
Man-in-the-Middle phishing toolkits are the most recent evolution of 2FA phishing tools. MitM toolkits work like real-time phishing but need no human operator: a reverse proxy sits between the victim and the real site, forwarding every request and response in both directions, so credentials, 2FA codes and the resulting session cookies are captured automatically as they pass through. Last month academics from Stony Brook University, working with the security firm Palo Alto Networks, analyzed 13 versions of three MitM toolkits. Because a proxied page is the real site's own content, content-based phishing detection does not flag it; the researchers built a tool called PHOCA that instead detects whether a site is being served through a reverse proxy, and found over 1,000 phishing sites using this technique.
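Why a reverse proxy defeats a typed code but not an origin-bound factor can be shown in a few dozen lines. The following is an added model, not code from the article, from the research it cites, or from any toolkit or product; the domain names are assumed, and the authenticator signature is stood in for by HMAC-SHA256 with a per-credential key instead of the asymmetric ES256 signature real WebAuthn uses (the property demonstrated, that the browser-observed origin sits under the signature, is the same). It covers the real-time relay described earlier as well as the automated proxy: in both, the second factor is forwarded verbatim to the real site.

```python
"""Transparent reverse-proxy relay against a TOTP code (accepted by the real
site) and an origin-bound WebAuthn-style assertion (rejected).
Added example; origins and keys are constructed, HMAC stands in for ES256."""
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://login.example.com"    # legitimate site (assumed name)
PHISH_ORIGIN = "https://login-example.com"   # attacker's proxy domain (assumed name)


# Factor A: TOTP per RFC 6238 (HMAC-SHA1, 30 s step, 6 digits).
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def rp_verify_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    # The code carries no information about which origin the user typed it
    # into, so the relying party cannot tell a relayed code from a real one.
    return hmac.compare_digest(submitted, totp(secret, unix_time))


def _client_data(challenge: str, origin: str) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin},
                      separators=(",", ":"), sort_keys=True).encode()


# Factor B: origin-bound assertion, simplified from WebAuthn. The browser, not
# the page, fills in clientData.origin with the origin it is actually on, and
# the authenticator signs authenticatorData || SHA256(clientDataJSON).
def authenticator_sign(cred_key: bytes, rp_id: str, challenge: str, browser_origin: str) -> dict:
    client_data = _client_data(challenge, browser_origin)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    sig = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                   hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify_assertion(cred_key: bytes, rp_id: str, challenge: str, assertion: dict):
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False, "bad type or challenge"
    if cd.get("origin") != REAL_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(cred_key, ad + hashlib.sha256(assertion["clientDataJSON"]).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


# The proxy: whatever the victim sends is forwarded to the real site byte for
# byte, and the real site's responses come back the same way.
def proxy_relay_totp(secret: bytes, unix_time: int) -> bool:
    code_typed_by_victim = totp(secret, unix_time)   # from the victim's authenticator app
    return rp_verify_totp(secret, code_typed_by_victim, unix_time)


def proxy_relay_assertion(cred_key: bytes, rp_id: str, challenge: str, rewrite_origin: bool):
    # A real browser would refuse to call the authenticator at all here, since
    # rp_id is not a suffix of the phishing origin; we let it sign to show the
    # relying-party check that would catch it anyway.
    assertion = authenticator_sign(cred_key, rp_id, challenge, PHISH_ORIGIN)
    if rewrite_origin:
        # The proxy patches the origin to the real one before forwarding; the
        # signature still covers the original clientDataJSON, so it no longer matches.
        assertion = dict(assertion, clientDataJSON=_client_data(challenge, REAL_ORIGIN))
    return rp_verify_assertion(cred_key, rp_id, challenge, assertion)


if __name__ == "__main__":
    secret, key, rp, chal, t = b"victim-seed", b"credential-key", "login.example.com", "n0nce", 1_700_000_000
    print("TOTP relayed through proxy accepted:", proxy_relay_totp(secret, t))
    print("assertion relayed verbatim:        ", proxy_relay_assertion(key, rp, chal, False))
    print("assertion with origin rewritten:   ", proxy_relay_assertion(key, rp, chal, True))
    print("genuine login:                     ", rp_verify_assertion(key, rp, chal, authenticator_sign(key, rp, chal, REAL_ORIGIN)))
```

The relayed TOTP is accepted because nothing in a six-digit code says where the user typed it. The relayed assertion fails the origin check, and the proxy cannot repair it because rewriting `clientDataJSON` invalidates the signature and it has no key to re-sign with. That origin binding, not the presence of a second factor as such, is what makes an MFA method phishing-resistant.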
As 2FA remains the most widely adopted security measure, MitM phishing toolkits will keep gaining popularity among cybercriminals and becoming more accessible to anyone determined to use them. Most are free to download and simple to deploy, and tutorials on using them are easy to find. Now more than ever, organizations need to invest time and money in security infrastructure that reduces the likelihood of falling victim to these attacks, and to keep developing and nurturing a security-first culture. Integrating a phishing-resistant MFA such as Twosense into the organization's security posture is one proactive way companies can protect themselves. The property to look for is a second factor that a proxy sitting between the user and the real site cannot capture and replay, as it can with a code the user types in.