Latest Phishing Kits Allow Multi-Factor Authentication Bypass
Phishing attacks allow threat actors to obtain credentials, but multi-factor authentication (MFA) makes it harder for phishing attacks to succeed. With MFA enabled, in addition to a username and password, another method of authentication is required before account access is granted. Microsoft has previously said multi-factor authentication blocks 99.9% of automated account compromise attacks; however, MFA does not guarantee protection. A new breed of phishing kit is being increasingly used to bypass MFA.
Researchers at Proofpoint explained in a recent blog post that phishing kits now in use leverage a transparent reverse proxy (TRP), which enables browser man-in-the-middle (MitM) attacks. The kits let attackers compromise browser sessions and steal credentials and session cookies in real time, resulting in a full account takeover without alerting the victim.
Multiple phishing kits that allow MFA to be bypassed are available, often for a low cost. Some are simple, with no-frills functionality, while others are more sophisticated, incorporating multiple layers of obfuscation and modules for a range of functions, including the theft of sensitive data such as passwords, Social Security numbers, credit card numbers, and MFA tokens.
With standard phishing attacks, the attackers create a fake login page to trick visitors into disclosing their credentials. Oftentimes the phishing page is a carbon copy of the site it impersonates, with the URL the only sign that the phishing page is not genuine. One of the MitM phishing kits identified by the Proofpoint team does not use these fake pages. Instead, it uses TRP to present the genuine landing page to the visitor. This approach makes it impossible for victims to recognize the phishing scam. When a user lands on the page and a request is sent to the service (Microsoft 365, for instance), the attackers capture the username and password before they are sent and steal, in real time, the session cookies that are sent in response.
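Because the kit described above steals the session cookie issued after MFA, one defender-side signal is that cookie later being presented by a different client than the one that completed MFA. The following is an added example, not code from the article or from Proofpoint; the log format, field names, and sample lines are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample log (not from the article). Assumed columns:
# timestamp, user, session_id, source_ip, user_agent, event
SAMPLE_LOG = """\
2022-02-07T09:00:01Z,alice,s-1001,203.0.113.10,Mozilla/5.0 (Windows NT 10.0) Chrome/98,mfa_success
2022-02-07T09:00:05Z,alice,s-1001,203.0.113.10,Mozilla/5.0 (Windows NT 10.0) Chrome/98,request
2022-02-07T09:02:40Z,alice,s-1001,198.51.100.77,python-requests/2.27,request
2022-02-07T09:01:00Z,bob,s-2002,192.0.2.44,Mozilla/5.0 (Macintosh) Safari/605,mfa_success
2022-02-07T09:05:00Z,bob,s-2002,192.0.2.44,Mozilla/5.0 (Macintosh) Safari/605,request
2022-02-07T09:06:00Z,carol,s-3003,198.51.100.77,curl/7.81,request
"""


def find_replayed_sessions(log_text):
    """Return {session_id: [(ts, user, ip, reason), ...]} for sessions whose
    cookie was presented by a client other than the one that completed MFA."""
    issued_to = {}                 # session_id -> (ip, user_agent) at mfa_success
    findings = defaultdict(list)
    # ISO 8601 UTC timestamps sort correctly as plain strings.
    rows = sorted(row for row in csv.reader(io.StringIO(log_text)) if row)
    for ts, user, sid, ip, ua, event in rows:
        client = (ip, ua)
        if event == "mfa_success":
            issued_to[sid] = client
        elif sid not in issued_to:
            # Cookie in use but this log window never saw it being issued.
            findings[sid].append((ts, user, ip, "no MFA event recorded for this session"))
        elif client != issued_to[sid]:
            findings[sid].append((ts, user, ip, "session cookie presented by a different client"))
    return dict(findings)


if __name__ == "__main__":
    for sid, hits in find_replayed_sessions(SAMPLE_LOG).items():
        for ts, user, ip, reason in hits:
            print(f"{sid} {user} {ts} {ip}: {reason}")
```

The check does not flag a replay sent from the same address and User-Agent as the proxied login, and roaming users change IP address legitimately, so a hit is better used to force re-authentication than treated as proof of compromise.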
The researchers refer to a study of MitM phishing kits by Stony Brook University and Palo Alto Networks which identified more than 1,200 phishing sites using MitM phishing kits. Worryingly, these phishing sites are often not detected and blocked by security solutions. 43.7% of the domains and 18.9% of the IP addresses were not included on popular blocklists, such as those maintained by VirusTotal. Further, while standard phishing pages typically only have a lifespan of around 24 hours before they are blocked, MitM phishing pages last much longer. 15% of those detected lasted for longer than 20 days before they were added to blocklists.
The use of these phishing kits is increasing, albeit relatively slowly. However, the Proofpoint researchers believe that MitM phishing kits will be much more widely adopted by threat actors in response to the increased use of MFA. “[MitM phishing kits] are easy to deploy, free to use, and have proven effective at evading detection. The industry needs to prepare to deal with blind spots like these before they can evolve in new unexpected directions,” said Proofpoint.