Cybercriminals have tools that intercept one-time codes for two-factor authentication

Stony Brook University scientists and Palo Alto Networks researchers have found more than 1,200 tools for phishing which can intercept security codes for two-factor authentication (2FA) and allow cybercriminals to bypass the 2FA procedure.

MitM (Man-in-the-Middle) phishing tools have become extremely popular in the cyber-underground in recent years after major technology companies began introducing 2FA as a default security feature for their users.

The direct consequence was that the usernames and passwords people entered on cybercriminals' phishing sites became useless on their own, because the attackers could not get past the 2FA step.

Adapting to this new trend in account protection, cybercriminals have begun using tools that let them circumvent 2FA by stealing the user's authentication cookies: files a web browser creates when a user logs into an account, after the 2FA step has been completed.

In most cases, cybercriminals relied on information-stealing malware (“infostealer”) to steal authentication cookies from computers they managed to infect.

However, there is another way to steal these files that does not rely on infecting computers with malware: stealing the authentication cookies while they are in transit from the service provider to the user's computer.

In recent years, cybercriminals have been slowly adapting their old phishing tools to circumvent 2FA procedures, primarily using two techniques.

The first is known as “real-time phishing” and relies on an operator sitting in front of a web panel while the user is on the phishing site. When the user enters their credentials on the site, the operator uses those credentials to authenticate to the legitimate site. When the attacker is presented with a 2FA challenge, he simply presses a button that asks the user for their 2FA code (received via email, SMS or an authenticator application), then collects the code and enters it on the legitimate site, establishing a valid session between the attacker's system and the victim's account.

Real-time phishing tools are typically used to hack into Internet banking portals, where user login sessions do not remain active for more than a few minutes, and each re-authentication request requires another 2FA code. Hackers who use this technique do not try to collect cookies for authentication, because they are short-lived, and usually steal funds from the victim’s account immediately.

However, email services, social media accounts, online games and other services have more relaxed rules regarding user login sessions and create authentication cookies that are sometimes valid for years. Once obtained, these files can provide attackers with more stable and unobtrusive access to the account.

Here, MitM tools have proven useful for cybercriminals who do not want to deal with distributing infostealer malware. Instead, they use phishing tools built to work as reverse proxies, which relay traffic between the victim, the phishing site and the legitimate service.

Users who authenticate on the MitM site are actually logged in to the legitimate site, but since all traffic passes through the reverse proxy, the attacker also obtains a copy of the authentication cookie, which can be misused directly or resold on hacker sites that trade in authentication cookies.

In a way, MitM phishing tools are also real-time phishing tools, but they do not require the participation of attackers because everything is automated.
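Both variants described above leave traces in the legitimate service's own logs, and the following is a defender-side illustration of two of them. This is an added example, not code from the article or from the Stony Brook/Palo Alto Networks study: a transparent reverse proxy forwards the victim's browser User-Agent string but performs the TLS handshake with its own TLS stack, and a copied session cookie is later presented by a client that is not the one that logged in. The log format, the field names, the JA3-style fingerprint values and the log lines themselves are constructed for this example; a real deployment would populate the browser-to-fingerprint table from its own observed traffic.

```python
"""Flag two symptoms of reverse-proxy (MitM) phishing in web-server logs.

Added example; not code from the article or the cited study. It assumes the
server logs, per request: client IP, session id, a TLS ClientHello
fingerprint (JA3-style hash), the request path and the User-Agent string.
All fingerprint values and log lines below are constructed placeholders.
"""
import re

# Constructed table: TLS fingerprints a given browser family is expected to
# present. In practice this is learned from the service's own traffic.
KNOWN_BROWSER_FINGERPRINTS = {
    "Chrome": {"ja3-chrome-placeholder-1", "ja3-chrome-placeholder-2"},
    "Firefox": {"ja3-firefox-placeholder-1"},
}

# Constructed log format: <ip> sid=<session> ja3=<fp> path=<path> ua="<ua>"
LOG_RE = re.compile(
    r'(?P<ip>\S+) sid=(?P<sid>\S+) ja3=(?P<ja3>\S+) '
    r'path=(?P<path>\S+) ua="(?P<ua>[^"]*)"'
)


def browser_family(user_agent):
    """Very small UA classifier; Firefox is tested first because Chrome's
    token also appears in other browsers' strings."""
    if "Firefox/" in user_agent:
        return "Firefox"
    if "Chrome/" in user_agent:
        return "Chrome"
    return "Unknown"


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def analyze(lines):
    """Return sorted, de-duplicated (session_id, reason) findings."""
    findings = set()
    login_client = {}  # session id -> (ip, ja3, ua) seen at login
    for line in lines:
        rec = parse_line(line)
        # Symptom 1: the UA claims a browser whose TLS stack is not the one
        # that performed the handshake. A transparent proxy forwards the
        # victim's UA string but speaks TLS to the service itself.
        expected = KNOWN_BROWSER_FINGERPRINTS.get(browser_family(rec["ua"]))
        if expected is not None and rec["ja3"] not in expected:
            findings.add((rec["sid"], "ua_tls_mismatch"))
        # Symptom 2: a session cookie presented later by a client that is
        # not the one that established it (a copied cookie being replayed).
        client = (rec["ip"], rec["ja3"], rec["ua"])
        if rec["path"] == "/login":
            login_client[rec["sid"]] = client
        elif rec["sid"] in login_client and login_client[rec["sid"]] != client:
            findings.add((rec["sid"], "session_reused_from_new_client"))
    return sorted(findings)


# Constructed sample log: one legitimate session (s1) and one session (s2)
# established through a reverse proxy and later replayed from elsewhere.
SAMPLE_LOG = [
    '203.0.113.10 sid=s1 ja3=ja3-chrome-placeholder-1 path=/login ua="Mozilla/5.0 Chrome/96.0"',
    '203.0.113.10 sid=s1 ja3=ja3-chrome-placeholder-1 path=/inbox ua="Mozilla/5.0 Chrome/96.0"',
    '198.51.100.7 sid=s2 ja3=ja3-proxy-placeholder path=/login ua="Mozilla/5.0 Chrome/96.0"',
    '198.51.100.7 sid=s2 ja3=ja3-proxy-placeholder path=/inbox ua="Mozilla/5.0 Chrome/96.0"',
    '192.0.2.99 sid=s2 ja3=ja3-firefox-placeholder-1 path=/inbox ua="Mozilla/5.0 Firefox/95.0"',
]

if __name__ == "__main__":
    for sid, reason in analyze(SAMPLE_LOG):
        print(f"session {sid}: {reason}")
```

Both checks are heuristics rather than proof: a browser update changes its fingerprint until the table is refreshed, and a user who switches networks or devices legitimately changes the client tuple, so findings are review signals to correlate with the login event, not automatic lock-outs. The session-reuse check is also the one that survives a kit that manages to mimic a browser's TLS handshake, because the replay of the stolen cookie still happens from a different client than the proxied login.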

Interestingly, many of these MitM phishing tools are based on tools developed by security researchers such as Evilginx, Muraena and Modlishka.

In the study (PDF) released last month, the researchers said they analyzed 13 versions of these three MitM phishing tools. They found 1,220 sites using one of the MitM phishing tools, a significant jump from the end of 2018 and the beginning of 2019, when there were about 200, which shows that MitM phishing tools are becoming increasingly popular among cybercriminals.

One explanation is that most of these tools can be downloaded for free and are easy to use, and hacker forums carry many tutorials and offers of cooperation that have helped cybercriminals get acquainted with the technique.

As 2FA becomes more widely used, the study suggests that most phishing attacks will eventually evolve to include MitM tools in the near future.

Source: by
