Increasing Adoption of Phishing Kits Puts MFA at Risk
Kit Enables 'Man in the Middle' Browser Session; MFA Makes Attackers Work Harder
Because of increased use of multifactor authentication, attackers are developing phishing kits that steal tokens and bypass this trusted layer of security.
"Threat actors are using phish kits that leverage transparent reverse proxy, which enables them to man-in-the-middle (MitM) a browser session and steal credentials and session cookies in real-time," according to researchers at Proofpoint.
Jon Gaines, senior application security consultant at application security provider nVisium, says more threat actors are using phishing kits that allow some form of 2FA bypass.
"There are even some open-source options, such as Evilginx2. Since that is available, the organization's blue team and outside red teams should be performing phishing campaigns at least annually to learn how to recognize and monitor this type of phishing. This works by forwarding the request to the proper service, such as Microsoft, and capturing the credentials before they're sent, and the session's cookies in the response. And yes, it is in real time," Gaines says.
The Proofpoint researchers say that phishing kits are software developed to help threat actors harvest credentials and quickly capitalize on them.
"Often installed on a dedicated server owned by the threat actor or covertly installed on a compromised server owned by an unlucky individual, many of these kits can be purchased for less than a cup of coffee," the researchers say.
There are numerous MFA phishing kits, ranging from simple open-source kits with human readable code and no-frills functionality to sophisticated kits that use various layers of obfuscation and modules allowing stealing of usernames, passwords, MFA tokens, Social Security numbers and credit card numbers, the Proofpoint researchers say.
Researchers at Stony Brook University and Palo Alto Networks took a deep dive and released a paper on MitM phishing kits that identified more than 1,200 MitM phishing sites. In their research paper, they say that, of those 1,200-plus sites, only 43.7% of domains and 18.9% of IP addresses appeared on popular block lists such as VirusTotal.
"Luckily, in my experience, these domains used for this type of phishing are burned fairly quickly once they have been accessed. It is also another reason why paying attention to the URL you're signing onto is vital. Overall, 2FA is still the top advice for protecting all of your online accounts," Gaines says.
Stony Brook University and Palo Alto Networks researchers also found that the standard phishing sites had a lifespan of just under 24 hours while MitM phishing sites lasted longer, and 15% had a lifespan greater than 20 days.
But the Proofpoint researchers observed a MitM reverse proxy site that was active for more than 72 hours at the end of January 2021.
Attackers Working Harder
Kieran Roberts, head of penetration testing at cybersecurity platform provider Defense.com, says there is a significant increase in attackers using MitM attacks rather than simply harvesting credentials.
"The fact that we're seeing an uptick in attackers using specific MFA phishing techniques/toolkits speaks to the fact that there is a trend toward organizations moving toward MFA, and that can only be positive - even if there are still tools/techniques to steal sessions," Roberts says. "The bigger picture here is that this shows that adoption of MFA is working. Yes, there are still ways to compromise users, but attackers need to work harder. A simple phishing email will not work as it did before MFA's wider adoption, which is a good thing."
The Proofpoint researchers recently spotted a new type of kit that does not rely on recreating a target website. Instead, it uses a transparent reverse proxy to present the actual website to the victim.
"Modern webpages are dynamic and change frequently. Therefore, presenting the actual site instead of a facsimile greatly enhances the illusion an individual is logging in safely," they say.
Also, the reverse proxy allows the threat actor to undertake an MitM session and capture not only session cookies but also the usernames and passwords in real time.
The Proofpoint researchers say they found a small increase in the use of these phish kits and anticipate greater adoption by threat actors as MFA forces them to adapt.
Proofpoint says it has seen three transparent reverse proxy kits emerge on the scene.
Phishing Still a Dangerous Threat
Phishing continues to be one of the most dangerous threats to organizations as an initial vector to infiltrate the network or to steal organization credentials, says Tal Darsan, security services manager at Cato Networks.
"Reverse Proxy phishing kits are on the rise and are generally used by more technically savvy attackers as they require more technical knowledge to use them," Darsan says.
"In a standard phishing attack, once the victim enters their credentials to a phishing site, they are redirected to the legitimate site after the attack has occurred," he says. But this is not the case with reverse proxy phishing. Darsan says that threat actors use a reverse proxy server to reflect to the end user the legitimate site, enabling the hacker to hijack the victim's session, steal credentials and perform a full account takeover.
"This technique also provides a layer of security for the attacker, as many people are aware of phishing and if they are redirected to the login page after a regular attack, they might be suspicious. So this attack provides a higher level of confidence to the victim that they are on the real site," Darsan says.
Darsan recommends mitigation in the form of user education, email scanning, analysis of the URLs users are trying to visit, and analysis of data entered on a site - for example, when the victim is entering their password on a site that imitates a legitimate site.
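One concrete form of the URL analysis Darsan recommends, written here as an added example rather than code from Proofpoint or any vendor quoted above: because a transparent reverse proxy relays the real provider's login paths unchanged, a provider-specific login path appearing under a host that is not one of the provider's own login hosts is a signal worth investigating. The allowlisted hosts, path markers and proxy log lines below are constructed for illustration; a deployment would maintain its own lists for the identity providers it uses.

```python
import re
from urllib.parse import urlparse

# Hosts that legitimately serve the identity provider's login flow.
# Constructed allowlist for this example; extend it for the providers you use.
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# Path fragments characteristic of the provider's login flow (illustrative).
# A reverse proxy relays these paths as-is, so they show up under the
# attacker-controlled host as well, which is exactly what we look for.
LOGIN_PATH_MARKERS = ("/common/oauth2/", "/login.srf")

# Constructed proxy log lines: timestamp, user and the URL that was requested.
SAMPLE_PROXY_LOG = [
    "2021-01-28T10:12:03Z user=alice url=https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=abc",
    "2021-01-28T10:13:41Z user=bob url=https://login.microsoftonline.com.auth-check.example/common/oauth2/v2.0/authorize?client_id=abc",
    "2021-01-28T10:14:09Z user=carol url=https://news.example/articles/mfa-phishing",
    "2021-01-28T10:15:22Z user=dave url=https://mail-example-login.example/login.srf?wa=wsignin1.0",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) url=(?P<url>\S+)$")


def is_suspicious_login_url(url: str) -> bool:
    """True when the path looks like the provider's login flow but the host is not the provider's."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    if not any(marker in path for marker in LOGIN_PATH_MARKERS):
        return False  # not a login-flow path at all
    for legit in LEGIT_LOGIN_HOSTS:
        # Exact match or a true subdomain; "login.microsoftonline.com.evil.example"
        # does not end with ".login.microsoftonline.com" and so is still flagged.
        if host == legit or host.endswith("." + legit):
            return False
    return True


def scan_proxy_log(lines):
    """Return (user, url) pairs from the log that merit a closer look."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_suspicious_login_url(m.group("url")):
            hits.append((m.group("user"), m.group("url")))
    return hits


if __name__ == "__main__":
    for user, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"investigate: {user} -> {url}")
```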
John Bambenek, principal threat hunter at digital IT and security operations firm Netenrich, says the only real option is to make it as difficult to compromise secure sessions as possible.
"The good news is that running web proxies on an endpoint is a fairly straightforward behavior to detect, so EDR and basic antivirus should be able to remediate such behavior. Fundamentally, cybersecurity is not a technical problem. It's a human nature problem, and no security technology is going to remove the universal human tendency toward thievery from the human species. Every security development will lead to attackers adapting," Bambenek says.