February 2, 2022 By David Bisson 2 min read

Academics discovered more than 1,200 phishing kits equipped with the ability to intercept users’ two-factor authentication (2FA) codes in the wild.

Two types of 2FA phishing

As noted by researchers from Stony Brook University sponsored by security firm Palo Alto Networks, many of the toolkits referenced above used what’s known as man-in-the-middle (MitM) phishing.

These tools enabled threat actors to bypass 2FA procedures by working as reverse proxies. Here, the toolkits relayed traffic between the victim, the malicious site and the targeted service.

A user who fell prey to one of these MitM toolkits did succeed in authenticating themselves on the legitimate service. However, the reverse proxy meant the attacker also gained access to a copy of the authentication cookie.

With that cookie in their possession, the malicious actor had the option of abusing access to their victim’s account. That way, they could steal stored information or conduct payment card fraud. The attacker also had the choice of monetizing the cookie on a darknet marketplace.

Real-time phishing

Note that MitM phishing is different than real-time phishing. The latter requires a human operator to monitor a user’s interaction with a malicious landing page in real-time. The human operator sits in front of a web panel, waiting for the user to submit their credentials to the imposter site. Once that happens, they then use those same details to authenticate themselves on the legitimate service’s web page as their victim.

First, the attacker receives a prompt to submit a 2FA code. Then, they push a button and generate a prompt for the victim to retrieve the code via SMS-based text message, authentication app or other methods. The malicious actor then submits the code and gains access to the victim’s account.

From an attacker’s perspective, MitM phishing can free them from needing to actively monitor an authentication session. But this type of phishing isn’t ideal in every use case. As noted by The Record, real-time phishing toolkits tend to be more prevalent in attacks targeting banks. This is because the login sessions don’t last as long and every authentication request prompts the need for a new 2FA code.

A phishing-filled 2021

Phishing attacks reached unprecedented heights in 2021. By the end of the second quarter, for instance, credential phishing attempts accounted for 73% of advanced attack attempts. That was up from two-thirds back in Q4 2020.

The third quarter followed a similar course. As reported by APWG via Help Net Security, security researchers detected 260,642 attacks in July 2021 alone. That was the highest monthly total since the researchers began sharing their findings back in 2004.

In addition, the number of targeted brands jumped from just over 400 in the early part of the year to 700 by the end of Q3 2021.

How to protect your business

The Record predicted that the MitM toolkits discussed above are only the beginning. They expect most phishing attacks will include it in the near future.

Therefore, it’s important that organizations invest in defending against a phish. They can do this by blending multifactor authentication and other technical controls with regular phishing simulations for all employees including senior management. At the same time, consider alerting the Federal Trade Commission, FBI and other agencies to some of the phishing attempts analyzed by IT and security teams.

More from News

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally.The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets.Who is exploiting the NGFW zero-day?As of now, little is known about the actors behind the…

Will arresting the National Public Data threat actor make a difference?

3 min read - The arrest of USDoD, the mastermind behind the colossal National Public Data breach, was a victory for law enforcement. It also raises some fundamental questions. Do arrests and takedowns truly deter cyberattacks? Or do they merely mark the end of one criminal’s chapter while others rise to take their place? As authorities continue to crack down on cyber criminals, the arrest of high-profile threat actors like USDoD reveals a deeper, more complex reality about the state of global cyber crime.…

CISA adds Microsoft SharePoint vulnerability to the KEV Catalog

3 min read - In late October, the United States Cybersecurity & Infrastructure Security Agency (CISA) added a new threat to its Known Exploited Vulnerability (KEV) Catalog. Cyber criminals used remote code execution vulnerability in Microsoft SharePoint to gain access to organizations’ networks. The CISA press release states that “these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” However, Microsoft identified and released a patch for this vulnerability in July 2024. Cybersecurity experts…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today