
More than 1,200 phishing kits that can intercept 2FA detected in the wild

2022-06-23 20:31:00 Khan security team

A group of academics says it has found more than 1,200 phishing toolkits deployed in the wild that can intercept two-factor authentication (2FA) security codes and let cybercriminals bypass 2FA.

Known as MitM (man-in-the-middle) phishing kits, these tools have become very popular in the cybercrime underworld in recent years, after major technology companies started making 2FA a default security feature for their users.

The immediate effect is that threat actors who trick users into entering credentials on a phishing site find that the stolen credentials are useless, because they cannot get past the 2FA step.

In response to this new trend in account security, threat actors began, at least as early as 2017, adopting new tools that let them steal a user's authentication cookie and thereby bypass 2FA on an account for which the 2FA process has already been completed.

In the majority of cases, cybercriminal groups rely on a category of malware known as "information stealers" to lift these authentication cookie files from the computers they manage to infect.

However, there is another way to steal these files that does not depend on infecting a computer with malware: stealing the authentication cookies while they travel across the internet from the service provider to the user's computer.

Explainer: real-time phishing vs. man-in-the-middle phishing

Over the past few years, cybercriminals have slowly tweaked their old phishing kits to get around 2FA, mainly by using two techniques.

The first is called "real-time phishing", and it depends on an operator sitting at a web front panel while users browse the phishing site and interact with it.

The idea is that once a user enters their credentials on the phishing site, the operator uses those credentials to authenticate on the real site.

When the attacker hits the 2FA challenge, the threat actor simply presses a button that prompts the user to enter the actual 2FA code (received by email, SMS or an authenticator app), then collects that 2FA token and enters it on the real site, establishing a legitimate session between their (the attacker's) system and the victim's account.

Real-time phishing kits are usually used to break into online banking portals, where user login sessions stay active for no more than a few minutes and every re-authentication request requires another 2FA code.

Attackers using real-time phishing do not bother collecting authentication cookies, because their lifetime is so short; instead they usually steal funds from the account immediately, burning their access.

However, email providers, social media accounts, gaming services and similar services have looser rules for user login sessions, and the authentication cookies they create are sometimes valid for years.

Once these files are obtained, even without the owner's knowledge, they can give attackers a more stable and less detectable way into accounts.

This is where man-in-the-middle phishing toolkits have proven useful to threat actors who do not want to get involved in distributing info-stealing malware.

Instead, they use a phishing toolkit that works as a reverse proxy, relaying traffic between the victim (1), the phishing site (2) and the legitimate service (3).

A user who authenticates on a MitM phishing site is actually logging into the legitimate site, but because all traffic passes through the reverse-proxy system, the attacker also gets a copy of the authentication cookie, which they can then abuse themselves or resell on specialised underground markets that trade in authentication cookies.

Image: Kondracki et al.

In a sense, a man-in-the-middle phishing toolkit is a real-time phishing toolkit that needs no human operator, because everything is automated through the reverse proxy.
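As an added example (not from the article or from the PHOCA research), the following Python detection rule shows one way a service operator can spot the aftermath described above: a session cookie that was established through one client later being presented from a different network and client. The log format, field names and sample lines are constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of an authentication service's access log (not real data).
# Session abc123 is established from one client and two minutes later presented
# from another network with a different user agent, the footprint a replayed
# cookie leaves. Session def456 is only ever used by the client that created it.
SAMPLE_LOG = """\
2021-03-01T10:00:00Z session=abc123 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/88" path=/login
2021-03-01T10:00:05Z session=abc123 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/88" path=/inbox
2021-03-01T10:02:00Z session=abc123 ip=198.51.100.7 ua="python-requests/2.25" path=/settings
2021-03-01T10:03:00Z session=def456 ip=192.0.2.44 ua="Mozilla/5.0 (X11; Linux) Firefox/86" path=/login
2021-03-01T11:30:00Z session=def456 ip=192.0.2.44 ua="Mozilla/5.0 (X11; Linux) Firefox/86" path=/inbox
"""

# Assumed (constructed) log line layout; adjust the pattern to a real log format.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) session=(?P<session>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)" path=(?P<path>\S+)$'
)


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield rec


def find_cookie_reuse(text, window=timedelta(minutes=30)):
    """Flag sessions whose cookie is presented from a client that does not match
    the one that established the session. A changed IP alone is noisy (mobile
    roaming, VPNs), so an alert requires a new IP together with either a new
    user agent or reuse of the cookie within `window` of its first use."""
    first_seen = {}  # session id -> record of the request that established it
    alerts = []
    for rec in parse_log(text):
        origin = first_seen.setdefault(rec["session"], rec)
        if rec["ip"] == origin["ip"]:
            continue
        elapsed = rec["ts"] - origin["ts"]
        if rec["ua"] != origin["ua"] or elapsed <= window:
            alerts.append({
                "session": rec["session"],
                "origin_ip": origin["ip"],
                "new_ip": rec["ip"],
                "new_ua": rec["ua"],
                "seconds_since_first_use": int(elapsed.total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_cookie_reuse(SAMPLE_LOG):
        print(alert)
```

On the sample above the rule raises exactly one alert, for session abc123; such a hit is a reason to revoke the session and re-prompt for authentication rather than proof of compromise on its own.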

Ironically, many of today's MitM phishing toolkits are based on tools developed by security researchers, such as Evilginx, Muraena and Modlishka.

MitM phishing kits are becoming more popular

In a study published last month, academics from Stony Brook University and security firm Palo Alto Networks said they analysed 13 versions of these three MitM phishing toolkits and created fingerprints for what network traffic passing through one of these tools looks like.

They used their findings to develop a new tool called PHOCA, which can detect whether a phishing site is using a reverse proxy, a clear sign that the attacker is trying to bypass 2FA and collect authentication cookies rather than just credentials.

The researchers say they fed PHOCA the URLs reported as phishing sites by the security community between March 2020 and March 2021, and found that 1,220 of those sites were using MitM phishing kits.

According to statistics that the late RiskIQ researcher Yonathan Klijnsma provided to this reporter at the time, this number is a significant increase over the roughly 200 phishing sites running reverse proxies that were active at the end of 2018 and the beginning of 2019.

This rise indicates that these tools, and MitM phishing toolkits in general, are becoming increasingly popular in the cybercrime ecosystem.

One reason may be that most of them are free to download and easy to run, and there are plenty of tutorials and collaboration requests on hacking forums that help threat actors get familiar with this newer technique.

With 2FA seeing wider adoption across online services, all signs currently point to most phishing operations eventually evolving to include man-in-the-middle capabilities as a standard feature at some point in the near future. There is no reason for them not to, which is why this study was carried out in the first place.

For more information on this study, the researchers presented their findings at the ACM CCS 2021 security conference.
