Phishing Actors Being Forced to Use Reverse-Proxy Solutions Due to MFA Adoption

With the growing use of multi-factor authentication (MFA) for online accounts, phishing actors are turning to increasingly complex solutions, such as reverse-proxy tools, to continue their harmful activities. The COVID-19 epidemic has permanently altered the way people work, demonstrating that working from home is viable and, in some cases, preferred. This shift has increased companies’ security risks, many of which can be addressed by using MFA to safeguard employees’ accounts.

Even Google, a major internet services company, has recently opted to impose two-factor authentication (2FA) on all Google accounts via a phased auto-enrollment procedure. To access an account protected by MFA, a user must provide a second authentication factor in addition to their password. This factor can be a one-time code sent through SMS or email, a token, or a unique cryptographic key. The extra step presents a practical difficulty for phishing actors, because acquiring account credentials alone is no longer sufficient to take control of the account.

Due to the increasing adoption of MFA, phishing actors are turning to transparent reverse-proxy solutions, and reverse-proxy phishing kits have been developed to meet this need. A reverse proxy is a server that sits between the Internet user and web servers behind a firewall. The reverse proxy forwards visitors’ requests to the appropriate servers and returns the responses. This enables a web server to serve requests without exposing itself directly to the Internet.

According to Proofpoint research, new phishing kits have emerged that provide templates for creating convincing login pages that imitate prominent sites. These newest kits are more sophisticated because they include an MFA-snatching mechanism that lets threat actors capture both the login credentials and the MFA codes that would otherwise safeguard the account. When a victim signs in to the phishing website, the kit relays the MFA code to the legitimate online service, intercepts the session cookie, and optionally delivers it to the victim.

This allows the victim to access the real site without raising suspicions. Meanwhile, threat actors have stolen the account’s credentials and the cookie required to log in. Proofpoint has detected three types of reverse-proxy phishing kits: one that uses Modlishka, another that uses Muraena/Necrobrowser, and one that uses Evilginx2.

Although the existence and consequences of these tools have been fully reported, the issue remains largely neglected, and as more phishing actors use them, MFA becomes less secure. Identifying the man-in-the-middle sites used in these attacks is one technique to address the issue.

However, a new study shows that only around half of those sites are currently blocked. The efficacy of blocklists is reduced by the continual refresh of the domains and IP addresses used for reverse-proxy attacks, as most of these last between 24 and 72 hours. As a result, adding client-side TLS fingerprinting, which might help identify and filter MITM requests, is the only way to combat the problem.
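One way a service could apply the TLS fingerprinting mentioned above, as an added example that is not from Proofpoint or the study: it derives a JA3-style fingerprint (a technique assumed here; the article does not name one) from the TLS ClientHello and compares it with the fingerprints recorded for the browser that the User-Agent header claims. The ClientHello bytes, the `example-browser` label and the `EXPECTED` table are constructed for illustration.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are randomized per connection, so JA3 ignores them.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}

def _vec(buf, off, len_bytes):  # length-prefixed vector -> (payload, next offset)
    n = int.from_bytes(buf[off:off + len_bytes], "big")
    start = off + len_bytes
    if start + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[start:start + n], start + n

def _u16s(data):
    return [int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data) - 1, 2)]

def ja3_string(body):
    """JA3 text for a ClientHello body (the bytes after the 4-byte handshake header)."""
    version = int.from_bytes(body[:2], "big")
    _, off = _vec(body, 34, 1)        # skip version, 32-byte random; read session id
    suites, off = _vec(body, off, 2)
    _, off = _vec(body, off, 1)       # compression methods
    ext_block, _ = _vec(body, off, 2)
    exts, groups, formats, p = [], [], [], 0
    while p + 4 <= len(ext_block):
        etype, elen = struct.unpack_from("!HH", ext_block, p)
        data, p = ext_block[p + 4:p + 4 + elen], p + 4 + elen
        exts.append(etype)
        if etype == 10:               # supported_groups
            groups = _u16s(data[2:])
        elif etype == 11:             # ec_point_formats
            formats = list(data[1:])
    join = lambda xs: "-".join(str(x) for x in xs if x not in GREASE)
    return ",".join([str(version), join(_u16s(suites)), join(exts), join(groups), join(formats)])

def ja3_hash(body):
    return hashlib.md5(ja3_string(body).encode()).hexdigest()

def verdict(claimed_client, body, expected):
    """Check the TLS fingerprint against those recorded for the client the User-Agent claims."""
    if claimed_client not in expected:
        return "unknown-client"
    return "consistent" if ja3_hash(body) in expected[claimed_client] else "mismatch"

# Constructed ClientHello bodies (not captures): version 0x0303, zero random, empty session id.
_HEAD = "0303" + "00" * 32 + "00"
BROWSER_HELLO = bytes.fromhex(_HEAD + "00060a0a1301c02f" + "0100" + "001b"
                              "0a0a0000" "000a00060004001d0017" "000b00020100" "002b0003020304")
PROXY_HELLO = bytes.fromhex(_HEAD + "0004c02fc030" + "0100" + "0010" "000a00060004001d0017" "000b00020100")
EXPECTED = {"example-browser": {ja3_hash(BROWSER_HELLO)}}  # hypothetical per-client allow-list
```

A `mismatch` verdict means the connection's TLS stack is not the one the claimed browser uses, which is the signal a relayed session would produce; it is a reason for step-up checks rather than proof on its own.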

About the author

CIM Team