With multi-factor authentication (MFA) now in much wider use, security researchers are warning of a new threat that is only likely to become more serious as time goes on: hackers who publish phishing kits have found a way to add MFA-bypassing capabilities to their software.
A recent study from MFA company Duo found that, as of 2021, 78% of people have used or currently use MFA, compared to just 28% in 2017. That rapid increase surely ruffled some cybercriminal feathers in the past few years, but that hardly means they’re down for the count. If anything, enterprising hackers are motivated by a challenge like the one posed by MFA, and Proofpoint seems to have evidence that they’ve succeeded.
This kind of attack “is already out there and happening. Consumers, as well as enterprise users, are already being targeted,” according to Aimei Wei, founder and CTO of Stellar Cyber.
Evolution of phishing by proxy
As MFA use has widened, it has been reported that phishing kits available for sale online range from “simple open-source kits with human-readable code and no-frills functionality to sophisticated kits utilizing numerous layers of obfuscation and built-in modules that allow for stealing usernames, passwords, MFA tokens, social security numbers, and credit card numbers.” These kits typically work by recreating a target website, such as a login page, in the hope of tricking unaware users.
With MFA in the mix, fake pages are rendered useless: While an attacker may have a username and password, the second factor remains out of reach. Enter what Proofpoint calls “a new kind of kit” that, instead of recreating a page, uses a transparent reverse proxy to act as a man-in-the-middle. By intercepting all the traffic between a victim and their destination server, these transparent proxy MitM attacks allow the user to carry on without ever knowing that their credentials, and their session cookie, have been stolen.
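Because the stolen session cookie is what lets an attacker skip the second factor, one defensive check is to look for a session that is later used by a different client than the one that completed MFA. The following is an added example, not code from Proofpoint or the original article; the log format, field names and sample events are assumptions constructed for illustration.

```python
# Added example: flag session cookies that are used by a client other than
# the one that completed MFA. Log format and field names are assumptions.

# Constructed sample events: (timestamp, session_id, event, source_ip, user_agent)
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:02Z", "s-1001", "mfa_success", "198.51.100.7", "Chrome/120 Windows"),
    ("2024-01-10T09:00:05Z", "s-1001", "request", "198.51.100.7", "Chrome/120 Windows"),
    ("2024-01-10T09:04:41Z", "s-1001", "request", "203.0.113.50", "Firefox/121 Linux"),
    ("2024-01-10T09:10:00Z", "s-1002", "mfa_success", "192.0.2.14", "Firefox/121 macOS"),
    ("2024-01-10T09:10:09Z", "s-1002", "request", "192.0.2.14", "Firefox/121 macOS"),
    ("2024-01-10T09:20:00Z", "s-1003", "mfa_success", "192.0.2.30", "Safari/17 iOS"),
    ("2024-01-10T09:31:12Z", "s-1003", "request", "192.0.2.99", "Safari/17 iOS"),
    ("2024-01-10T09:31:40Z", "s-1003", "request", "192.0.2.99", "Safari/17 iOS"),
]


def find_session_replays(events):
    """Return one finding per (session, client) pair that differs from the MFA origin."""
    origin = {}       # session_id -> (ip, user_agent) seen at MFA completion
    reported = set()  # (session_id, ip, user_agent) combinations already reported
    findings = []
    for ts, sid, event, ip, ua in sorted(events):  # ISO timestamps sort chronologically
        if event == "mfa_success":
            origin[sid] = (ip, ua)
            continue
        if sid not in origin:
            continue  # session predates the log window; nothing to compare against
        o_ip, o_ua = origin[sid]
        changed = [name for name, old, new in
                   (("ip", o_ip, ip), ("user_agent", o_ua, ua)) if old != new]
        if changed and (sid, ip, ua) not in reported:
            reported.add((sid, ip, ua))
            # Both attributes changing is a much stronger signal than an IP
            # change alone, which also happens when a phone switches networks.
            severity = "high" if len(changed) == 2 else "review"
            findings.append({"session": sid, "first_seen": ts, "source_ip": ip,
                             "changed": changed, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in find_session_replays(SAMPLE_EVENTS):
        print(finding)
```

In a proxied login the server records the proxy's address as the MFA origin, so this check catches the cookie being reused from elsewhere afterwards rather than the proxying itself.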