Academics discovered more than 1,200 phishing kits equipped with the ability to intercept users’ two-factor authentication (2FA) codes in the wild.

Two Types of 2FA Phishing

As noted by researchers from Stony Brook University sponsored by security firm Palo Alto Networks, many of the toolkits referenced above used what’s known as man-in-the-middle (MitM) phishing.

These tools enabled threat actors to bypass 2FA procedures by working as reverse proxies. Here, the toolkits relayed traffic between the victim, the malicious site and the targeted service.

A user who fell prey to one of these MitM toolkits did succeed in authenticating themselves on the legitimate service. However, the reverse proxy meant the attacker also gained access to a copy of the authentication cookie.

With that cookie in their possession, the malicious actor had the option of abusing access to their victim’s account. That way, they could steal stored information or conduct payment card fraud. The attacker also had the choice of monetizing the cookie on a darknet marketplace.
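The article's point is that a reverse-proxy phish leaves the attacker holding a copy of a fully authenticated session cookie. One defensive check a service can run over its own access logs is to remember which client (IP address and user agent) completed 2FA for each session id and flag any later request that presents the same session id from a different client. The code below is an added example, not part of the article or of the research it reports; the log format, field names and sample lines are constructed for illustration.

```python
"""Flag session cookies reused from a client other than the one that completed 2FA."""
import re
from collections import namedtuple

# Assumed (constructed) access-log format: "<ts> <ip> sid=<id> ua="<agent>" <event>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) sid=(?P<sid>\S+) ua="(?P<ua>[^"]*)" (?P<event>.+)$'
)

# Constructed sample lines: abc123 finishes 2FA from one client, then the same
# session id shows up a few minutes later from a different IP and user agent.
SAMPLE_LOGS = [
    '2021-12-06T09:00:01Z 198.51.100.7 sid=abc123 ua="Mozilla/5.0 (X11; Linux)" login_2fa_ok',
    '2021-12-06T09:00:15Z 198.51.100.7 sid=abc123 ua="Mozilla/5.0 (X11; Linux)" GET /account',
    '2021-12-06T09:05:40Z 203.0.113.9 sid=abc123 ua="python-requests/2.26" GET /account/cards',
    '2021-12-06T09:10:02Z 192.0.2.44 sid=def456 ua="Mozilla/5.0 (Windows NT 10.0)" login_2fa_ok',
    '2021-12-06T09:11:00Z 192.0.2.44 sid=def456 ua="Mozilla/5.0 (Windows NT 10.0)" GET /account',
]

Alert = namedtuple("Alert", "sid issued_to seen_from event ts")


def parse(line):
    """Split one log line into its fields; raise on lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def find_session_reuse(lines):
    """Return an Alert for every request whose session id is presented by a client
    other than the one recorded at 2FA completion (or by a session never seen logging in)."""
    origin = {}   # sid -> (ip, ua) of the client that completed 2FA
    alerts = []
    for rec in map(parse, lines):
        client = (rec["ip"], rec["ua"])
        if rec["event"] == "login_2fa_ok":
            origin[rec["sid"]] = client
            continue
        issued_to = origin.get(rec["sid"])
        if issued_to != client:
            alerts.append(Alert(rec["sid"], issued_to, client, rec["event"], rec["ts"]))
    return alerts


if __name__ == "__main__":
    for a in find_session_reuse(SAMPLE_LOGS):
        print(f"{a.ts} session {a.sid} issued to {a.issued_to} but used from {a.seen_from}: {a.event}")
```

Treat the output as a signal to correlate with other telemetry rather than a verdict: mobile carriers and corporate NATs change client addresses legitimately, and in a reverse-proxy phish the 2FA completion itself arrives from the proxy's address rather than the victim's, so the anomalous entry is the attacker's later use of the copied cookie.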

Real-Time Phishing

Note that MitM phishing is different from real-time phishing. The latter requires a human operator to monitor a user’s interaction with a malicious landing page in real time. The human operator sits in front of a web panel, waiting for the user to submit their credentials to the imposter site. Once that happens, they use those same details to authenticate themselves on the legitimate service’s web page as their victim.

Having submitted the stolen credentials, the attacker receives a prompt for a 2FA code. They then push a button that generates a prompt on the imposter site asking the victim to retrieve the code via SMS text message, authentication app or another method. The malicious actor submits the relayed code and gains access to the victim’s account.

From an attacker’s perspective, MitM phishing frees them from having to actively monitor an authentication session. But this type of phishing isn’t ideal in every use case. As noted by The Record, real-time phishing toolkits tend to be more prevalent in attacks targeting banks, because bank login sessions don’t last as long and every authentication request demands a fresh 2FA code.

A Phishing-Filled 2021

Phishing attacks reached unprecedented heights in 2021. By the end of the second quarter, for instance, credential phishing attempts accounted for 73% of advanced attack attempts. That was up from two-thirds back in Q4 2020.

The third quarter followed a similar course. As reported by APWG via Help Net Security, security researchers detected 260,642 attacks in July 2021 alone. That was the highest monthly total since the researchers began sharing their findings back in 2004.

In addition, the number of targeted brands jumped from just over 400 in the early part of the year to 700 by the end of Q3 2021.

How to Protect Your Business

The Record predicted that the MitM toolkits discussed above are only the beginning, expecting most phishing attacks to adopt this technique in the near future.

Therefore, it’s important that organizations invest in defending against phishing. They can do this by blending multifactor authentication and other technical controls with regular phishing simulations for all employees, including senior management. At the same time, consider alerting the Federal Trade Commission, FBI and other agencies to some of the phishing attempts analyzed by IT and security teams.
