Low-Detection Phishing Kits Increasingly Bypass MFA


Aug 17, 2014
More and more phishing kits are focusing on bypassing multi-factor authentication (MFA) methods, researchers have warned – typically by stealing authentication tokens via a man-in-the-middle (MiTM) attack.

As MFA continues to see widespread consumer and business adoption – a full 78 percent of respondents in a recent poll said they used it in 2021 – cybercriminals have devoted resources to keeping up. According to an analysis from Proofpoint, MFA-bypass phishing kits are proliferating rapidly, “ranging from simple open-source kits with human readable code and no-frills functionality to sophisticated kits utilizing numerous layers of obfuscation and built-in modules that allow for stealing usernames, passwords, MFA tokens, Social Security numbers and credit-card numbers.”

Researchers also noted that MFA-bypass kits represent a security blind spot, with the associated IP addresses and domains often skating by VirusTotal detection.

According to Proofpoint, one of the phishing-kit approaches that’s particularly gaining steam is the use of transparent reverse proxies (TRPs), which enable attackers to insert themselves into existing browser sessions. This MiTM approach lets adversaries hide out and harvest information as it’s entered or appears on the screen.

This is a big departure from traditional phishing, which involves attackers creating copycat sites that mimic, say, an actual Windows log-in page in order to trick targets into entering their credentials. That traditional approach leaves plenty of room for red flags to be introduced, such as outdated logos, poor syntax, spelling errors and the like.

TRP kits show “the actual website to the victim,” researchers noted in a Thursday analysis. “Modern web pages are dynamic and change frequently. Therefore, presenting the actual site instead of a facsimile greatly enhances the illusion an individual is logging in safely.”

Meanwhile, attackers will hang out and steal session cookies, which can then be used by the threat actor to gain access to the targeted account without the need for a username, password or MFA token.
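A transparent reverse proxy can relay a password and a one-time code because neither is tied to the page the victim is actually looking at. The added example below (not from the article or from Proofpoint) shows the relying-party check that defeats this for origin-bound MFA: a WebAuthn assertion carries the browser's real origin in clientDataJSON and a hash of the RP ID in authenticatorData, so a login relayed from a lookalike domain fails verification. RP_ID, the origins, the challenge and the authenticator data are constructed values.

```python
import base64
import hashlib
import json
from typing import Tuple

# Relying-party configuration; constructed example values.
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url as used in WebAuthn JSON fields."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def verify_assertion_binding(client_data_b64: str, auth_data: bytes,
                             expected_challenge: bytes) -> Tuple[bool, str]:
    """Check the origin-binding parts of a WebAuthn assertion (signature check omitted).

    The browser writes the origin it is really talking to into clientDataJSON
    and the authenticator hashes the RP ID into the first 32 bytes of
    authenticatorData; a proxy on another domain cannot alter either.
    """
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: %s" % client_data.get("origin")
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def make_client_data(origin: str, challenge: bytes) -> str:
    """Build the clientDataJSON a browser would emit for the given origin (constructed)."""
    payload = {"type": "webauthn.get", "origin": origin, "crossOrigin": False,
               "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()}
    return base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=").decode()


CHALLENGE = b"\x01" * 32  # constructed; a real RP issues a random per-login challenge
# rpIdHash || flags (UP|UV) || signCount, all constructed.
AUTH_DATA = hashlib.sha256(RP_ID.encode()).digest() + b"\x05" + b"\x00\x00\x00\x07"


def demo():
    legit = verify_assertion_binding(make_client_data(EXPECTED_ORIGIN, CHALLENGE), AUTH_DATA, CHALLENGE)
    # Victim's browser is on the proxy's lookalike origin (constructed), so the origin field differs.
    proxied = verify_assertion_binding(make_client_data("https://login.example-com.net", CHALLENGE),
                                       AUTH_DATA, CHALLENGE)
    return legit, proxied
```

In practice the browser would not even release a credential scoped to example.com on the lookalike origin; the server-side check above is the last line of defence, and the same origin binding is what a relayed OTP code lacks.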