Help Net Security - Daily information security news with a focus on enterprise security.
Zeljka Zorz, Editor-in-Chief, Help Net Security
February 4, 2022

Phishing kits that bypass MFA protection are growing in popularity

The increased use of multi-factor authentication (MFA) has pushed developers of phishing kits to come up with ways to bypass that added account protection measure.

A current popular solution? Phishing kits that use a transparent reverse proxy to present the actual target website to the victim and allow attackers to capture the username and password entered by the victims AND the session cookie.

Phishing kits to bypass MFA protection

Proofpoint researchers have flagged three such phishing kits: Modlishka, Muraena/Necrobrowser, and Evilginx2.

Using them couldn’t be simpler: They are installed on a server controlled by the attacker, and the reverse proxy – an application that “sits” in front of the server and forwards browser requests to it and vice versa – fetches and delivers the legitimate login page to the victim. Simultaneously, the attacker sniffs the traffic passing through the proxy to extract the login credentials and the session cookie from the captured session.

“The session cookie can then be used by the threat actor to gain access to the targeted account without the need for a username, password, or MFA token,” the researchers explained.
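Because a captured cookie is all the attacker needs, one defensive signal is a session ID that later turns up from a client other than the one that established it. The following is an added example, not code from the article or from Proofpoint; the record layout, session IDs, addresses and user-agent strings are constructed for illustration.

```python
# Added example: flag sessions whose cookie is presented by a client
# (IP + User-Agent) different from the one that first used it.

# Constructed sample records: (timestamp, session_id, client_ip, user_agent, path)
SAMPLE_LOG = [
    ("2022-02-04T10:00:01Z", "sess-A", "198.51.100.7", "Mozilla/5.0 Chrome/97.0", "/login"),
    ("2022-02-04T10:00:05Z", "sess-A", "198.51.100.7", "Mozilla/5.0 Chrome/97.0", "/inbox"),
    ("2022-02-04T10:00:09Z", "sess-B", "198.51.100.22", "Mozilla/5.0 Firefox/96.0", "/login"),
    ("2022-02-04T10:02:30Z", "sess-A", "203.0.113.50", "Mozilla/5.0 HeadlessChrome/97.0", "/settings/password"),
    ("2022-02-04T10:03:00Z", "sess-B", "198.51.100.22", "Mozilla/5.0 Firefox/96.0", "/inbox"),
    ("2022-02-04T10:03:10Z", "sess-A", "203.0.113.50", "Mozilla/5.0 HeadlessChrome/97.0", "/settings/keys"),
]


def find_session_reuse(records):
    """Return one alert per (session, new client) pair, in timestamp order."""
    first_client = {}   # session_id -> (ip, user_agent) that first presented it
    reported = set()    # (session_id, client) pairs already alerted on
    alerts = []
    # ISO 8601 UTC timestamps sort correctly as plain strings.
    for ts, sid, ip, ua, path in sorted(records):
        client = (ip, ua)
        origin = first_client.setdefault(sid, client)
        if client != origin and (sid, client) not in reported:
            reported.add((sid, client))
            alerts.append({
                "session": sid,
                "first_seen": ts,          # first request from the new client
                "path": path,              # what that request touched
                "original_client": origin,
                "new_client": client,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(SAMPLE_LOG):
        print(alert)
```

A change of client is a signal to investigate, not a verdict: users legitimately move between networks, and a cookie replayed from the same host that established the session will not trip this check.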

Each of those phishing kits has its specificities.

Muraena/Necrobrowser, for example, is a combination of a proxy (Muraena) and a headless browser (Necrobrowser) that can immediately use the captured session cookies to log into the target site and wreak havoc: change the account password, dump emails, disable Google Workspace notifications, change SSH session keys in GitHub, and download all code repositories. (Phishers are, generally, after more than just email accounts – they also target online banking accounts, GitHub accounts, social media accounts, and so on.)

The researchers predict that these and other similar phishing kits will become more popular as time passes, spurred by the increasing adoption of MFA and the fact that phishing pages using a transparent reverse proxy to MitM credentials are more likely to remain unblocked for a longer time than “regular” phishing pages.

Citing recent research results by researchers from Stony Brook University and Palo Alto Networks, Proofpoint pointed out that standard phishing sites had a lifespan of just under 24 hours while MitM phishing sites last longer, and that a non-negligible percentage (15%) of the latter have been found to last more than 20 days.



