Phishing as a Service Scam Allows Criminals to Bypass Multi-Factor Authentication

Cyber security researchers have discovered a toolkit for sale on the dark web that allows criminal hackers to bypass MFA (multi-factor authentication) mechanisms and break into organisations’ systems.

The toolkit, dubbed ‘EvilProxy’, is available on a subscription basis for up to $400 (about €395) a month. It’s the latest in a series of PhaaS (phishing-as-a-service) models that enable criminals to target organisations through automated means.

Unlike traditional phishing scams, fraudsters don’t have to spend time crafting pretexts and exploiting vulnerabilities. This technique makes cyber crime easier to conduct, and with its ability to circumvent MFA, it makes attacks far more dangerous.

The discovery of EvilProxy comes alongside a report from the Cloud security firm Mitiga, which found that cyber criminals are combining phishing with AitM (adversary in the middle) techniques to bypass MFA.

The attack targets the Cloud-based Office 365 accounts of executives, with fraudsters engaging in prolonged correspondences with business executives. During the communication, the fraudster will request payment for an outstanding invoice and provide doctored account details.

Adversary in the middle

You might not be familiar with the term ‘adversary in the middle’; it’s a relatively new type of phishing that borrows from the established technique of MitM (man-in-the-middle) attacks.

Mitiga’s research found that the attackers sent emails imitating DocuSign that, when clicked, redirected users to what appeared to be a Microsoft 365 login page.

If the user enters their details, they are inadvertently handing their information over to the attackers.

This is the basis of a traditional phishing scam, but the attack has a second layer, with the fraudsters employing a proxy server that sits between the client and the real Microsoft server.

It’s this that enables them to bypass MFA. When the victim is asked for their additional credentials and supplies them, the real server returns a valid session cookie through the proxy, and the attacker uses the proxy server to take control of the victim’s session.

With these permissions, the attacker can set up MFA on the account for themselves without alerting the original user. This enables them to log into the account later to monitor emails and other activity.
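One way a defender could look for the pattern described above, an MFA method added shortly after a sign-in from an address the user has never used, is sketched below. This is an added example, not code from Mitiga or from this article; the event records are constructed and their field names (`type`, `session`, `mfa_method_added`) are hypothetical rather than a real log schema.

```python
from datetime import datetime, timedelta

# Constructed sample events. Field names are hypothetical, not a real log schema.
EVENTS = [
    {"time": "2022-09-01T09:02:00", "user": "cfo@example.com", "type": "signin",
     "ip": "198.51.100.7", "session": "s-100"},
    {"time": "2022-09-01T11:15:00", "user": "cfo@example.com", "type": "signin",
     "ip": "203.0.113.50", "session": "s-101"},   # arrives from the proxy's address
    {"time": "2022-09-01T11:21:00", "user": "cfo@example.com", "type": "mfa_method_added",
     "ip": "203.0.113.50", "session": "s-101"},
    {"time": "2022-09-01T12:00:00", "user": "it@example.com", "type": "signin",
     "ip": "192.0.2.10", "session": "s-200"},
    {"time": "2022-09-01T12:05:00", "user": "it@example.com", "type": "mfa_method_added",
     "ip": "192.0.2.10", "session": "s-200"},      # familiar address: routine enrolment
    {"time": "2022-09-01T14:30:00", "user": "sales@example.com", "type": "signin",
     "ip": "203.0.113.99", "session": "s-300"},    # unfamiliar, but no MFA change follows
]
# Addresses each user normally signs in from (assumed to come from earlier history).
BASELINE = {
    "cfo@example.com": {"198.51.100.7"},
    "it@example.com": {"192.0.2.10"},
    "sales@example.com": {"192.0.2.44"},
}

def find_suspicious_enrolments(events, baseline, window=timedelta(hours=24)):
    """Flag MFA methods added in a session that began from an unfamiliar address."""
    risky = {}   # session id -> (user, sign-in time, ip)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["type"] == "signin":
            if ev["ip"] not in baseline.get(ev["user"], set()):
                risky[ev["session"]] = (ev["user"], when, ev["ip"])
        elif ev["type"] == "mfa_method_added" and ev["session"] in risky:
            user, started, ip = risky[ev["session"]]
            if user == ev["user"] and when - started <= window:
                alerts.append({"user": user, "session": ev["session"], "signin_ip": ip,
                               "minutes_after_signin": int((when - started).total_seconds() // 60)})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_enrolments(EVENTS, BASELINE):
        print(alert)
```

An unfamiliar address on its own also matches ordinary travel, so the heuristic only alerts when an MFA change follows in the same session.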

Although Mitiga’s research focused on attacks exploiting Office 365, the PhaaS model available on the dark web can be used for more than a dozen websites, including Apple iCloud, Facebook, GoDaddy, GitHub, Dropbox, Instagram, Microsoft, NPM, PyPI, RubyGems, Twitter, Yahoo and Yandex.

Is multi-factor authentication secure?

The nature of this attack might leave some people questioning the merits of MFA. It’s regarded as one of the most effective ways to secure an account, but it has been criticised for its cumbersome implementation and inconvenience.

Users typically have to install an authentication app on their phone, and therefore must have it with them every time they log in.

Most people accept the trade-off, but if attacks such as the ones we’ve discussed here diminish the security benefits of MFA, the balance might shift.

Speaking to ZDNet, Mitiga Chief Technology Officer Ofer Maor said: “Cyberattacks are a business – and they can’t give up their income just because someone built a new security control.

“MFA seemed like a great control against phishing attacks, and was so for a while, as the attackers just opted to go after those who did not have it in place. But now that it’s widespread, the attackers developed technologies to overcome this.”

So is it time we looked for other solutions? Microsoft has been attempting to move away from MFA with its concept of ‘passwordless security’, but there’s no evidence that it will be any more beneficial in the fight against cyber crime.

The fact is that cyber criminals will always find a way to exploit weaknesses. Fortunately, attacks exploiting MFA weaknesses are rare – particularly when compared to traditional phishing and brute-force password attacks.

MFA is crucial in mitigating those forms of attack, and it remains a crucial part of organisations’ and individuals’ cyber security practices. However, as is always the case, you shouldn’t rely on technology alone to prevent security incidents.

This attack method, like all forms of phishing, relies on employees falling for the bait. It’s only when this happens that attackers can target the vulnerabilities in MFA.

If you can teach your employees to spot the signs of a malicious message and respond appropriately, you can cut scammers off at the source.

You can teach them how to do that by enrolling them on our Phishing Staff Awareness Training Programme.

This online course uses real-world examples like the ones we’ve discussed here to explain how phishing attacks work, the tactics that cyber criminals use, and how employees can detect malicious emails.

The content is updated quarterly to include recent examples of successful attacks and the latest trends that criminals use.
