Phishing attacks that bypass 2-factor authentication are now easier to execute

Researchers released two tools--Muraen and NecroBrowser--that automate phishing attacks that can bypass 2FA. Most defenses won't stop them.

Penetration testers and attackers have a new tool in their arsenal that can be used to automate phishing attacks in a way that defeats two-factor authentication (2FA) and is not easy to detect and block. The tool makes such attacks much easier to deploy, so organizations should adapt their anti-phishing training accordingly.

The new toolkit was presented last month at the Hack in the Box conference in Amsterdam and was released on GitHub after a few days. It has two components: A transparent reverse-proxy called Muraena and a Docker container for automating headless Chromium instances called NecroBrowser.

A man-in-the-middle type of attack

Traditional phishing attacks that most people are familiar with consist of fake login pages hosted on attacker-controlled web servers and served from custom domains whose names are similar to those of the targeted websites. However, such static attacks are not effective against online services that use two-factor authentication, because there is no interaction with the legitimate websites to trigger the generation of one-time-use codes. Without those codes, attackers can't log in with the phished credentials.

To overcome 2FA, attackers need to have their phishing websites function as proxies, forwarding requests on victims' behalf to the legitimate websites and delivering back responses in real time. The final goal is not to obtain only usernames and passwords, but active session tokens known as session cookies that the real websites associate with logged-in accounts. These session cookies can be placed inside a browser to access the accounts they're associated with directly without the need to authenticate.

This proxy-based technique is not new and has been known for a long time, but setting up such an attack required technical knowledge and involved configuring multiple independent tools such as the NGINX web server to run as reverse-proxy. Then the attacker needed to manually abuse the stolen session cookies before they expire. Furthermore, some websites use technologies like Subresource Integrity (SRI) and Content Security Policy (CSP) to prevent proxying, and some even block automated browsers based on headers.

To continue reading this article register now

  
Shop Tech Products at Amazon