searchtwitterarrow rightmail strokearrow leftmail solidfacebooklinkedinplusangle upmagazine plus
Help Net Security - Daily information security news with a focus on enterprise security.
Help Net Security - Daily information security news with a focus on enterprise security.
  • News
  • Features
  • Expert analysis
  • Videos
  • Reviews
  • Events
  • Whitepapers
  • Industry news
  • Product showcase
  • Newsletters
Zeljka Zorz
Zeljka Zorz, Editor-in-Chief, Help Net Security
February 4, 2022
Share

Phishing kits that bypass MFA protection are growing in popularity

The increased use of multi-factor authentication (MFA) has pushed developers of phishing kits to come up with ways to bypass that added account protection measure.

A current popular solution? Phishing kits that use a transparent reverse proxy to present the actual target website to the victim and allow attackers to capture the username and password entered by the victims AND the session cookie.

Phishing kits bypass MFA

Phishing kits to bypass MFA protection

Proofpoint researchers have flagged three such phishing kits: Modlishka, Muraena/Necrobrowser, and Evilginx2.

Using them couldn’t be simpler: They are installed on a server controlled by the attacker, and the reverse proxy – an application that “sits” in front of the server and forwards browser requests to it and vice versa – fetches and delivers the legitimate login page to the victim. Simultaneously, the attacker sniffs the traffic passing through the proxy to extract the login credentials and the session cookie from the captured session.

“The session cookie can then be used by the threat actor to gain access to the targeted account without the need for a username, password, or MFA token,” the researchers explained.

Each of the those phishing kits has its specificities.

Muraena/Necrobrowser, for example, is a combination of a proxy (Muraena) and a headless browser (Necrobrowser) that can immediately use the captured session cookies to log into the target site wreak havoc: change the account password, dump emails, disable Google Workspace notifications, change SSH session keys in GitHub, and download all code repositories. (Phishers are, generally, after more than just email accounts – they also target online banking accounts, GitHub accounts, social media accounts, and so on).

The researchers predict that these and other similar phishing kits will become more popular as the time passes, spurred by the increasing adoption of MFA and the fact that phishing pages using a transparent reverse proxy to MitM credentials are more likely to remain unblocked for a longer time than “regular” phishing pages.

Citing recent research results by researchers from Stony Brook University and Palo Alto Networks, Proofpoint pointed out that standard phishing sites had a lifespan of just under 24 hours while MitM phishing sites last longer, and that a non-negligible percentage (15%) of the latter have been found to last more that 20 days.

More about
  • account hijacking
  • cybercrime
  • cybersecurity
  • MFA
  • phishing
  • Proofpoint
Share this

Featured news

  • Exchange Online will soon start blocking emails from old, vulnerable on-prem servers
  • Apple backports fix for exploited WebKit bug to older iPhones, iPads (CVE-2023-23529)
  • What you need before the next vulnerability hits
How to protect online privacy in the age of pixel trackers

Sponsored

Webinar: Tips from MSSPs to MSSPs – starting a vCISO practice

Security in the cloud with more automation

CISOs struggle with stress and limited resources

How to scale cybersecurity for your business

Don't miss

Exchange Online will soon start blocking emails from old, vulnerable on-prem servers

Apple backports fix for exploited WebKit bug to older iPhones, iPads (CVE-2023-23529)

Europol details ChatGPT’s potential for criminal abuse

What you need before the next vulnerability hits

Running a security program before your first security hire

Cybersecurity news
Help Net Security - Daily information security news with a focus on enterprise security.
© Copyright 1998-2023 by Help Net Security
Read our privacy policy | About us | Advertise
Follow us