February 2, 2022 By David Bisson 2 min read

Academics discovered more than 1,200 phishing kits equipped with the ability to intercept users’ two-factor authentication (2FA) codes in the wild.

Two types of 2FA phishing

As noted by researchers from Stony Brook University sponsored by security firm Palo Alto Networks, many of the toolkits referenced above used what’s known as man-in-the-middle (MitM) phishing.

These tools enabled threat actors to bypass 2FA procedures by working as reverse proxies. Here, the toolkits relayed traffic between the victim, the malicious site and the targeted service.

A user who fell prey to one of these MitM toolkits did succeed in authenticating themselves on the legitimate service. However, the reverse proxy meant the attacker also gained access to a copy of the authentication cookie.

With that cookie in their possession, the malicious actor had the option of abusing access to their victim’s account. That way, they could steal stored information or conduct payment card fraud. The attacker also had the choice of monetizing the cookie on a darknet marketplace.

Real-time phishing

Note that MitM phishing is different than real-time phishing. The latter requires a human operator to monitor a user’s interaction with a malicious landing page in real-time. The human operator sits in front of a web panel, waiting for the user to submit their credentials to the imposter site. Once that happens, they then use those same details to authenticate themselves on the legitimate service’s web page as their victim.

First, the attacker receives a prompt to submit a 2FA code. Then, they push a button and generate a prompt for the victim to retrieve the code via SMS-based text message, authentication app or other methods. The malicious actor then submits the code and gains access to the victim’s account.

From an attacker’s perspective, MitM phishing can free them from needing to actively monitor an authentication session. But this type of phishing isn’t ideal in every use case. As noted by The Record, real-time phishing toolkits tend to be more prevalent in attacks targeting banks. This is because the login sessions don’t last as long and every authentication request prompts the need for a new 2FA code.

A phishing-filled 2021

Phishing attacks reached unprecedented heights in 2021. By the end of the second quarter, for instance, credential phishing attempts accounted for 73% of advanced attack attempts. That was up from two-thirds back in Q4 2020.

The third quarter followed a similar course. As reported by APWG via Help Net Security, security researchers detected 260,642 attacks in July 2021 alone. That was the highest monthly total since the researchers began sharing their findings back in 2004.

In addition, the number of targeted brands jumped from just over 400 in the early part of the year to 700 by the end of Q3 2021.

How to protect your business

The Record predicted that the MitM toolkits discussed above are only the beginning. They expect most phishing attacks will include it in the near future.

Therefore, it’s important that organizations invest in defending against a phish. They can do this by blending multifactor authentication and other technical controls with regular phishing simulations for all employees including senior management. At the same time, consider alerting the Federal Trade Commission, FBI and other agencies to some of the phishing attempts analyzed by IT and security teams.

More from News

Europe’s Cyber Resilience Act: Redefining open source

3 min read - Amid an increasingly complex threat landscape, we find ourselves at a crossroads where law, technology and community converge. As such, cyber resilience is more crucial than ever. At its heart, cyber resilience means maintaining a robust security posture despite adverse cyber events and being able to anticipate, withstand, recover from and adapt to such incidents. While new data privacy and protection regulations like GDPR, HIPAA and CCPA are being introduced more frequently than ever, did you know that there is new…

Feds release urgent guidance for U.S. water sector

3 min read - The water and wastewater sector (WWS) faces cybersecurity challenges that leave it wide open to attacks. In response, the CISA, EPA and FBI recently released joint guidance to the sector, citing variable cyber maturity levels and potential cybersecurity solutions. The new Incident Response Guide (IRG) provides the water sector with information about the federal roles, resources and responsibilities for each stage of the cyber incident response lifecycle. Sector owners and operators can use this information to augment their incident response…

What to expect from the new National Cyber Director

4 min read - As cyber threats show no sign of slowing down in terms of sophistication and frequency, the role of the National Cyber Director (NCD) in the United States is becoming a cornerstone of the nation’s defense strategy. Inaugural NCD Chris Inglis set a high bar for the office during his tenure, steering the country through a gauntlet of cyber challenges. Now, as Harry Coker Jr. steps into this critical role, he faces a landscape that continues to evolve with new threats on…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today