Business email Phishing campaigns increase in complexity, bypass MFA

vtqhtr413 (Thread author, joined Aug 17, 2017)
A report from the Microsoft Defender Experts reveals a new multi-staged adversary-in-the-middle (AiTM) phishing attack combined with a business email compromise attack targeting banking and financial institutions. The complex attack abuses trusted relationships between vendors, suppliers and more organizations involved in financial transactions.

Stage one: launching an AiTM phishing attack. AiTM attacks are operations in which a bad actor intercepts and modifies communications between two parties, typically a user and a legitimate authentication service, to steal sensitive or financial information, such as log-in credentials and credit card data. It might also be used to bypass multifactor authentication by stealing users’ session cookies.

While previous AiTM attacks generally used reverse proxy techniques to handle the traffic between the user and the authentication service, this time the attackers used an indirect proxy method. This technique is slightly different as the attacker controls everything directly from a phishing website that mimics the sign-in page of the targeted service. The website processes all communication, including authentication requests, with the target.

The user is enticed to visit the phishing page, enter their credentials and fill in the additional MFA authentication, which is a fake MFA request coming directly from the attackers. In the background and straight from the phishing server, the attacker initiates communication with the targeted service and enters the user’s valid credentials and then the MFA information. The user is redirected to another page at that moment, while the attacker receives a valid session cookie impersonating the user.
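What the indirect-proxy flow above looks like from the legitimate service's side is worth spelling out for detection: the credentials and MFA response arrive from the phishing server, not from the user's usual network, and the session cookie that results is then used from yet another host. The following is an added example, not code from the Microsoft report or from this post, that checks both signals over a small constructed sign-in log. The log format (one dict per event with `ts`, `user`, `event`, `session`, `ip`, `ua`), the baseline network for the user and all IP addresses (RFC 5737 documentation ranges) are assumptions made for the example.

```python
"""Flag likely AiTM session-cookie theft in a constructed sign-in log.

Two defender-side signals are checked:
  1. an MFA-completed sign-in from an IP outside the user's known baseline
     (in the indirect-proxy case this is the phishing server's address), and
  2. the session id issued by that sign-in being used shortly afterwards from a
     different IP or client than the one that completed the sign-in (replay).
"""
from datetime import datetime, timedelta
import ipaddress

# Assumed baseline: alice normally signs in from the 203.0.113.0/24 range.
BASELINE = {"alice": [ipaddress.ip_network("203.0.113.0/24")]}

# Constructed sample log (not real telemetry). Event types:
#   signin_mfa_ok  - credentials plus MFA accepted, session id issued
#   session_use    - a request authenticated with an existing session id
SAMPLE_LOG = [
    {"ts": "2023-06-08T09:00:00Z", "user": "alice", "event": "signin_mfa_ok",
     "session": "s-001", "ip": "203.0.113.10", "ua": "Firefox/114"},
    {"ts": "2023-06-08T09:05:00Z", "user": "alice", "event": "session_use",
     "session": "s-001", "ip": "203.0.113.10", "ua": "Firefox/114"},
    # Indirect-proxy AiTM: the phishing server (198.51.100.7) submits the
    # user's credentials and MFA code, then the cookie is replayed from
    # another attacker host (192.0.2.55) with a different client.
    {"ts": "2023-06-08T10:00:00Z", "user": "alice", "event": "signin_mfa_ok",
     "session": "s-002", "ip": "198.51.100.7", "ua": "Firefox/114"},
    {"ts": "2023-06-08T10:02:00Z", "user": "alice", "event": "session_use",
     "session": "s-002", "ip": "192.0.2.55", "ua": "python-requests/2.31"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp format used in the sample log."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def in_baseline(user, ip):
    """True if the source IP falls inside one of the user's baseline networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BASELINE.get(user, []))


def detect_aitm(log, replay_window=timedelta(hours=1)):
    """Return (signal, user, session, ip) tuples for suspicious events.

    Events are processed in timestamp order so that each session id is tied to
    the sign-in that issued it before any use of that id is examined.
    """
    findings = []
    issued = {}  # session id -> the signin_mfa_ok event that created it
    for ev in sorted(log, key=lambda e: parse_ts(e["ts"])):
        if ev["event"] == "signin_mfa_ok":
            issued[ev["session"]] = ev
            if not in_baseline(ev["user"], ev["ip"]):
                findings.append(("signin_outside_baseline", ev["user"],
                                 ev["session"], ev["ip"]))
        elif ev["event"] == "session_use":
            origin = issued.get(ev["session"])
            if origin is None:
                continue  # session issued before the log window; nothing to compare
            moved = ev["ip"] != origin["ip"] or ev["ua"] != origin["ua"]
            age = parse_ts(ev["ts"]) - parse_ts(origin["ts"])
            if moved and age <= replay_window:
                findings.append(("session_replay", ev["user"],
                                 ev["session"], ev["ip"]))
    return findings


if __name__ == "__main__":
    for finding in detect_aitm(SAMPLE_LOG):
        print(*finding)
```

On the sample log the first session (`s-001`) produces nothing, while `s-002` triggers both signals: the sign-in came from outside alice's baseline and the cookie was used two minutes later from a different address and client. Either signal alone is a reasonable trigger for revoking the session and forcing re-authentication; the baseline check is the one that fires before the attacker has done anything with the cookie.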
 

Ink (Administrator, Staff Member, joined Jan 8, 2011)
The user is enticed to visit the phishing page, enter their credentials and fill in the additional MFA authentication, which is a fake MFA request coming directly from the attackers.

In the background and straight from the phishing server, the attacker initiates communication with the targeted service and enters the user’s valid credentials and then the MFA information.

The user is redirected to another page at that moment, while the attacker receives a valid session cookie impersonating the user.

Never initialise anything through communications channels, i.e. email, SMS, voice call.
 
