30% of attacks against websites that use two-factor authentication are now utilizing real-time man-in-the-middle techniques to bypass this trusted security mechanism, according to Trusteer. These findings are based on monitoring of thousands of phishing attacks.
According to Mickey Boodaei, Trusteer’s CEO, in a real time phishing attack the user enters details onto a phishing website which captures the banking credentials and authentication information. The stolen credentials are then immediately used to open a session on the real bank website to commit a fraud.
Authentication information typically captured and used by criminals in real time phishing include: One Time Passwords (OTP), tokens, SMS authentication; card and readers – rendering them ineffective against this type of attack.
Most phishing attacks to date have been completely static. In traditional phishing attacks the victim reaches a phishing website, submits login credentials, and these credentials are stored for later use by e-criminals. The introduction of strong two-factor authentication systems, especially one time passwords, rendered these attacks useless as fraudsters could not use static stolen credentials to commit fraud. With strong two factor authentication the user is required to provide a OTP as part of the login process.
There are many OTP approaches, some of them are based on token devices that users carry along with them, others are sent to the user’s phone as an SMS text or voice call each time the user tries to log on. OTP’s are limited in time.
Even if the fraudsters managed to capture OTP data there is only a short period of time in which this data can be used. For some time, websites that used strong two-factor authentication reported a significant drop in phishing attacks. The e-criminals, however, have not given up.
“Recently we noticed an increase, on 3 different continents, of a type of attack called man-in-the-middle phishing or, real-time phishing. This tactic allows fraudsters to completely bypass two-factor authentication. The concept is not a new one and is well known in the security world; however, up until now, we haven’t seen too many attacks like this. The recent escalation of websites now experiencing this type of attack is a cause for immediate concern,” said Boodaei.
In a man-in-the-middle attack the phishing website is connected, in real-time, to the bank website. The credentials that the user submits to the phishing site, including OTPs, are stolen and used immediately by the fraudsters to initiate a fraudulent session with the bank website. It doesn’t matter if the website is using a dedicated OTP token, SMS authentication, card and reader, or any other type of two-factor authentication.
At first glance, real-time phishing seems just like any other phishing attack. On closer examination of the malicious website, however, one can determine that it is, in fact, connected in real-time to the bank. This enables any information submitted to the fake web page to be immediately posted to the bank website.
Many organizations that used strong two-factor authentication were dismissive of phishing attacks as they assumed that they were incapable of bypassing their security controls. This is no longer the case. Using phishing kits with real-time capabilities fraudsters have improved their operations to conduct fraud in real-time.
“With real-time phishing, OTPs are becoming useless. There is no update or improvement to OTP that can defeat real time phishing. The best form of defence is to implement dynamic layers of security, including browsing security, that can adapt to and block new threats,” said Boodaei.