Multifactor authentication undermined | Pentest7


Cybercriminals bypass multi-factor authentication (MFA) using inexpensive tools called MFA phishing kits.

Con artists drive innovation. After the security experts at Proofpoint reported on the increasing spread of so-called phishing kits just a few weeks ago, the company today published further findings on the subject. Phish kits are a kind of tool kit that cybercriminals can buy for little money – sometimes less than 10 euros. These kits help attackers to impersonate websites of well-known brands with relative ease or otherwise lure victims into their traps via phishing. Now, however, the cybercriminals are going one step further and using sophisticated phishing kits to bypass even the multi-factor authentication of websites in order to enrich themselves.

Increasingly, phishing scammers are taking advantage of easy-to-use and inexpensive phish kits that make it relatively easy to spoof the websites of large companies or well-known brands. Based on the websites created using the phish kits, cybercriminals are able to steal their victims’ access data.

However, website operators have been offering so-called multi-factor authentication to increase the protection of accounts for several years. As stealing a user’s username and password alone is no longer sufficient to successfully break into a user account, this poses a challenge for cybercriminals.

After purchase, the phishing kits are usually hosted on the buyer's servers or on infrastructure the buyer controls. But unlike ordinary phish kits, which only enable theft of credentials through fake websites, MFA phishing kits also have the ability to steal MFA tokens or hijack entire sessions.

Attacks with MFA phish kits are based on a transparent reverse proxy. With this man-in-the-middle (MitM) technique, the victim does not access a fake website, but is instead presented with the actual website. However, with the help of the intermediary server, the cyber criminals can intercept all data exchanged between the website and the victim.

The data stolen in real time is not limited to the username and password: it can include all inputs (such as credit card data and MFA tokens) as well as session cookies. If such a cookie is stolen, the perpetrators may gain full access to the account without having to enter the second factor.
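A stolen session cookie is typically presented from a different client than the one that completed MFA, which a site operator can look for in its own logs. The following is an added example, not code from Proofpoint or the original article; the JSON-lines log format, the field names (`ts`, `event`, `sid`, `ip`, `ua`) and the sample events are constructed assumptions.

```python
import json

# Constructed sample events (not from the article); the JSON-lines format and
# the field names ts/event/sid/ip/ua are assumptions for this example.
SAMPLE_LOG = """
{"ts":"2022-02-03T09:00:01Z","event":"mfa_ok","sid":"s-1001","ip":"198.51.100.7","ua":"Firefox/96"}
{"ts":"2022-02-03T09:00:09Z","event":"request","sid":"s-1001","ip":"198.51.100.7","ua":"Firefox/96"}
{"ts":"2022-02-03T09:02:30Z","event":"mfa_ok","sid":"s-1002","ip":"203.0.113.20","ua":"Chrome/97"}
{"ts":"2022-02-03T09:02:41Z","event":"request","sid":"s-1002","ip":"203.0.113.20","ua":"Chrome/97"}
{"ts":"2022-02-03T09:05:12Z","event":"request","sid":"s-1002","ip":"192.0.2.55","ua":"Edge/97"}
{"ts":"2022-02-03T09:05:13Z","event":"request","sid":"s-1002","ip":"192.0.2.55","ua":"Edge/97"}
{"ts":"2022-02-03T09:06:00Z","event":"request","sid":"s-0999","ip":"198.51.100.9","ua":"Safari/15"}
"""

def parse_events(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)

def find_session_reuse(events):
    """Flag sessions used from a client context other than the one that passed MFA."""
    bound = {}        # sid -> (ip, ua) recorded when MFA succeeded
    reported = set()  # (sid, ip, ua) already flagged, to avoid duplicate alerts
    findings = []
    for ev in events:
        sid, ctx = ev["sid"], (ev["ip"], ev["ua"])
        if ev["event"] == "mfa_ok":
            bound[sid] = ctx
        elif ev["event"] == "request" and sid in bound:
            # Sessions with no mfa_ok in the log window (s-0999) cannot be judged.
            if ctx != bound[sid] and (sid, *ctx) not in reported:
                reported.add((sid, *ctx))
                findings.append({"sid": sid, "first_seen": ev["ts"],
                                 "mfa_context": bound[sid], "reuse_context": ctx})
    return findings

if __name__ == "__main__":
    for finding in find_session_reuse(parse_events(SAMPLE_LOG)):
        print(finding)
```

A context change is a signal rather than proof, since mobile clients legitimately change IP address; a practical response is to require re-authentication for the flagged session.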

Proofpoint’s security experts have already discovered a wide variety of MFA phishing kits. These range from simple open-source kits with readable code and basic functionality, to sophisticated kits with numerous layers of obfuscation and built-in modules that allow usernames, passwords, MFA tokens, and credit card numbers to be stolen.
