Academics discovered more than 1,200 phishing kits equipped with the ability to intercept users’ two-factor authentication (2FA) codes in the wild.

Two types of 2FA phishing

As noted by researchers from Stony Brook University sponsored by security firm Palo Alto Networks, many of the toolkits referenced above used what’s known as man-in-the-middle (MitM) phishing.

These tools enabled threat actors to bypass 2FA procedures by working as reverse proxies. Here, the toolkits relayed traffic between the victim, the malicious site and the targeted service.

A user who fell prey to one of these MitM toolkits did succeed in authenticating themselves on the legitimate service. However, the reverse proxy meant the attacker also gained access to a copy of the authentication cookie.

With that cookie in their possession, the malicious actor had the option of abusing access to their victim’s account. That way, they could steal stored information or conduct payment card fraud. The attacker also had the choice of monetizing the cookie on a darknet marketplace.

Real-time phishing

Note that MitM phishing is different than real-time phishing. The latter requires a human operator to monitor a user’s interaction with a malicious landing page in real-time. The human operator sits in front of a web panel, waiting for the user to submit their credentials to the imposter site. Once that happens, they then use those same details to authenticate themselves on the legitimate service’s web page as their victim.

First, the attacker receives a prompt to submit a 2FA code. Then, they push a button and generate a prompt for the victim to retrieve the code via SMS-based text message, authentication app or other methods. The malicious actor then submits the code and gains access to the victim’s account.

From an attacker’s perspective, MitM phishing can free them from needing to actively monitor an authentication session. But this type of phishing isn’t ideal in every use case. As noted by The Record, real-time phishing toolkits tend to be more prevalent in attacks targeting banks. This is because the login sessions don’t last as long and every authentication request prompts the need for a new 2FA code.

A phishing-filled 2021

Phishing attacks reached unprecedented heights in 2021. By the end of the second quarter, for instance, credential phishing attempts accounted for 73% of advanced attack attempts. That was up from two-thirds back in Q4 2020.

The third quarter followed a similar course. As reported by APWG via Help Net Security, security researchers detected 260,642 attacks in July 2021 alone. That was the highest monthly total since the researchers began sharing their findings back in 2004.

In addition, the number of targeted brands jumped from just over 400 in the early part of the year to 700 by the end of Q3 2021.

How to protect your business

The Record predicted that the MitM toolkits discussed above are only the beginning. They expect most phishing attacks will include it in the near future.

Therefore, it’s important that organizations invest in defending against a phish. They can do this by blending multifactor authentication and other technical controls with regular phishing simulations for all employees including senior management. At the same time, consider alerting the Federal Trade Commission, FBI and other agencies to some of the phishing attempts analyzed by IT and security teams.