February 2, 2022 By David Bisson 2 min read

Academics discovered more than 1,200 phishing kits equipped with the ability to intercept users’ two-factor authentication (2FA) codes in the wild.

Two types of 2FA phishing

As noted by researchers from Stony Brook University sponsored by security firm Palo Alto Networks, many of the toolkits referenced above used what’s known as man-in-the-middle (MitM) phishing.

These tools enabled threat actors to bypass 2FA procedures by working as reverse proxies. Here, the toolkits relayed traffic between the victim, the malicious site and the targeted service.

A user who fell prey to one of these MitM toolkits did succeed in authenticating themselves on the legitimate service. However, the reverse proxy meant the attacker also gained access to a copy of the authentication cookie.

With that cookie in their possession, the malicious actor had the option of abusing access to their victim’s account. That way, they could steal stored information or conduct payment card fraud. The attacker also had the choice of monetizing the cookie on a darknet marketplace.

Real-time phishing

Note that MitM phishing is different than real-time phishing. The latter requires a human operator to monitor a user’s interaction with a malicious landing page in real-time. The human operator sits in front of a web panel, waiting for the user to submit their credentials to the imposter site. Once that happens, they then use those same details to authenticate themselves on the legitimate service’s web page as their victim.

First, the attacker receives a prompt to submit a 2FA code. Then, they push a button and generate a prompt for the victim to retrieve the code via SMS-based text message, authentication app or other methods. The malicious actor then submits the code and gains access to the victim’s account.

From an attacker’s perspective, MitM phishing can free them from needing to actively monitor an authentication session. But this type of phishing isn’t ideal in every use case. As noted by The Record, real-time phishing toolkits tend to be more prevalent in attacks targeting banks. This is because the login sessions don’t last as long and every authentication request prompts the need for a new 2FA code.

A phishing-filled 2021

Phishing attacks reached unprecedented heights in 2021. By the end of the second quarter, for instance, credential phishing attempts accounted for 73% of advanced attack attempts. That was up from two-thirds back in Q4 2020.

The third quarter followed a similar course. As reported by APWG via Help Net Security, security researchers detected 260,642 attacks in July 2021 alone. That was the highest monthly total since the researchers began sharing their findings back in 2004.

In addition, the number of targeted brands jumped from just over 400 in the early part of the year to 700 by the end of Q3 2021.

How to protect your business

The Record predicted that the MitM toolkits discussed above are only the beginning. They expect most phishing attacks will include it in the near future.

Therefore, it’s important that organizations invest in defending against a phish. They can do this by blending multifactor authentication and other technical controls with regular phishing simulations for all employees including senior management. At the same time, consider alerting the Federal Trade Commission, FBI and other agencies to some of the phishing attempts analyzed by IT and security teams.

More from News

Change Healthcare discloses $22M ransomware payment

3 min read - UnitedHealth Group CEO Andrew Witty found himself answering questions in front of Congress on May 1 regarding the Change Healthcare ransomware attack that occurred in February. During the hearing, he admitted that his organization paid the attacker's ransomware request. It has been reported that the hacker organization BlackCat, also known as ALPHV, received a payment of $22 million via Bitcoin.Even though they made the ransomware payment, Witty shared that Change Healthcare did not get its data back. This is a…

State Department releases International Cyberspace and Digital Policy Strategy

3 min read - U.S. Secretary of State Antony Blinken announced the new U.S. International Cyberspace and Digital Policy Strategy during the recent RSA Conference in San Francisco. The strategy emphasizes the role of technology in diplomacy and the urgent need to build international coalitions. “Security, stability, prosperity — they are no longer solely analog matters,” Blinken said at the conference. The new strategy focuses on “digital solidarity” not “digital sovereignty,” Blinken said, emphasizing the importance of collaboration with like-minded nations. Also mentioned was…

DHS establishes Artificial Intelligence Safety and Security Board

3 min read - As part of its commitment to addressing the rapid growth and adoption of AI technology across all industries and sectors, the Department of Homeland Security (DHS) announced the establishment of the Artificial Intelligence Safety and Security Board in late April. The Board’s first meeting is planned for early May when they will begin the task of focusing on how to develop and deploy AI technology within the United States’ critical infrastructure safely and securely. Based on the DHS Homeland Threat…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today