Newest Phishing Kits Used for Multi-Factor Authentication Bypass

Phishing attacks enable threat actors to acquire credentials; with multi-factor authentication (MFA) enabled, however, a phishing attack is harder to carry through to account compromise. With MFA turned on, one more method of authentication is required beyond the username and password before account access is granted. Microsoft has previously stated that multi-factor authentication blocks 99.9% of automated account compromise attacks. Nonetheless, MFA does not guarantee protection: a new kind of phishing kit that circumvents MFA is being used more and more.

Proofpoint researchers revealed in a new blog post that phishing kits are currently in use that employ a transparent reverse proxy (TRP), which facilitates browser man-in-the-middle (MitM) attacks. The phishing kits let the attackers intercept browser sessions and steal credentials and session cookies in real time, giving them full control of the account without alerting the victim.

Several phishing kits that enable MFA bypass can be purchased cheaply. Some are basic with no extra functionality; others are more advanced, use a few layers of obfuscation, and ship with modules for a variety of tasks, such as the theft of sensitive data including passwords, credit card numbers, Social Security numbers, and MFA tokens.

In a conventional phishing attack, the attackers build a bogus login page to deceive visitors into sharing their credentials. Quite often the phishing page is a carbon copy of the website it impersonates, with the web address as the only indicator that the page is not real. One MitM phishing kit discovered by the Proofpoint team does not use such bogus pages; instead, it uses a TRP to present the legitimate landing page to the visitor. This strategy makes the phishing scam much harder for victims to identify. As soon as a user visits the page and a request is relayed to the real service, Microsoft 365 for instance, the attackers record the username and password as they pass through the proxy and capture the session cookies returned in the response, all in real time.
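The mechanism above has a consequence for defenders: because the victim's login is relayed through the attacker's proxy, the service sees the proxy's address at login, and the captured session cookie is later replayed by a client that is not the victim's browser. The following added example (not code from the article or from Proofpoint) shows two service-side checks over constructed access-log lines: a login from an address the user has never used before, and a session id later used by a client whose IP address or user agent differs from the one it was issued to. The log format, field names, addresses and the `KNOWN_IPS` baseline are all constructed for the example.

```python
"""Service-side detection of proxied logins and replayed session cookies.

Added example, not part of the article or of Proofpoint's research.
Two signals a service can evaluate from its own access logs:

  1. login_from_unknown_ip: the login arrived from an address the user
     has not used before (with a transparent reverse proxy, the service
     sees the proxy, not the victim);
  2. session_client_drift: a session id is used by a client whose IP or
     user agent differs from the client it was issued to (cookie replay).

All log lines, field names and addresses below are constructed.
"""
import shlex
from dataclasses import dataclass

# Constructed sample access log: key=value pairs, quoted values allowed.
SAMPLE_LOG = """\
ts=2022-02-03T10:00:05Z event=login user=alice session=s1 ip=203.0.113.10 ua="Firefox/96"
ts=2022-02-03T10:02:11Z event=request user=alice session=s1 ip=203.0.113.10 ua="Firefox/96"
ts=2022-02-03T10:02:40Z event=request user=alice session=s1 ip=198.51.100.7 ua="python-requests/2.27"
ts=2022-02-03T10:04:00Z event=login user=carol session=s3 ip=198.51.100.7 ua="Firefox/96"
ts=2022-02-03T10:05:00Z event=login user=bob session=s2 ip=192.0.2.55 ua="Chrome/97"
ts=2022-02-03T10:06:30Z event=request user=bob session=s2 ip=192.0.2.55 ua="Chrome/97"
"""

# Constructed baseline: addresses each user has previously logged in from.
KNOWN_IPS = {
    "alice": {"203.0.113.10"},
    "bob": {"192.0.2.55"},
    "carol": {"192.0.2.77"},
}


@dataclass
class Alert:
    rule: str
    user: str
    session: str
    detail: str


def parse_line(line: str) -> dict:
    """Parse one key=value access-log line; shlex honours quoted values."""
    return dict(tok.split("=", 1) for tok in shlex.split(line))


def detect(log_text: str, known_ips: dict) -> list:
    """Return alerts for unfamiliar login sources and session-client drift."""
    alerts = []
    issued = {}  # session id -> (ip, user agent) recorded at login
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        user, sess, ip, ua = rec["user"], rec["session"], rec["ip"], rec["ua"]
        if rec["event"] == "login":
            issued[sess] = (ip, ua)
            if ip not in known_ips.get(user, set()):
                alerts.append(Alert("login_from_unknown_ip", user, sess, ip))
            continue
        if sess not in issued:
            # A session id that was never issued in this log window.
            alerts.append(Alert("session_without_login", user, sess, ip))
            continue
        login_ip, login_ua = issued[sess]
        if ip != login_ip or ua != login_ua:
            alerts.append(Alert(
                "session_client_drift", user, sess,
                f"issued to {login_ip} / {login_ua}, used from {ip} / {ua}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, KNOWN_IPS):
        print(f"{alert.rule:24} user={alert.user:6} session={alert.session} {alert.detail}")
```

Both checks are supplementary signals rather than proof of compromise: legitimate roaming, VPN use and mobile network changes also move a user to an unfamiliar address, and a patient attacker who replays the cookie from the same proxy host with the victim's user agent triggers neither rule, so they belong alongside the blocklist and URL-based controls the article discusses, not in place of them.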

The researchers refer to the Stony Brook University and Palo Alto Networks review of MitM phishing kits, which found more than 1,200 phishing websites employing them. Worryingly, these phishing web pages are frequently not detected and blocked by security solutions: 43.7% of the domains and 18.9% of the IP addresses were not listed on common blocklists, for example those aggregated by VirusTotal. Additionally, although regular phishing pages usually have a lifespan of only about 24 hours before being blocklisted, MitM phishing pages last much longer; 15% of those found survived for more than 20 days before being added to blocklists.

The use of these phishing kits is growing, though fairly slowly. Proofpoint researchers expect threat actors to adopt MitM phishing kits much more widely in response to the greater use of MFA. MitM phishing kits are simple to set up, free to use, and have proven effective at evading detection. The industry must be ready to handle blind spots like these before they evolve in new and unexpected directions.