Phishing Attacks Bypassing 2-Factor Authentication

Penetration testers and attackers have a new tool in their arsenal that can be used to automate phishing attacks in a way that defeats two-factor authentication (2FA) and is not easy to detect and block, reports CSO Magazine.


The tool makes such attacks much easier to deploy, so organizations should adapt their anti-phishing training accordingly.


The new toolkit was presented last month at the Hack in the Box conference in Amsterdam and was released on GitHub after a few days. It has two components: A transparent reverse-proxy called Muraena and a Docker container for automating headless Chromium instances called NecroBrowser.


To overcome 2FA, attackers need to have their phishing websites function as proxies, forwarding requests on victims' behalf to the legitimate websites and delivering back responses in real time. The final goal is not to obtain only usernames and passwords, but active session tokens known as session cookies that the real websites associate with logged-in accounts.


These session cookies can be placed inside a browser to access the accounts they're associated with directly without the need to authenticate.


This proxy-based technique is not new and has been known for a long time, but setting up such an attack required technical knowledge and involved configuring multiple independent tools such as the NGINX web server to run as reverse-proxy. Then the attacker needed to manually abuse the stolen session cookies before they expire. Furthermore, some websites use technologies like Subresource Integrity (SRI) and Content Security Policy (CSP) to prevent proxying, and some even block automated browsers based on headers.

more news

BA, Marriott Face Massive Fines For Data Loss


If proof was needed that poor data protection is bad for the corporate wallet, two examples have demonstrated that substantial fines face those organisations that have lax data security.

read more

Cumbria First Police Force To Utilise NMC Tools


Cumbria Constabulary has become the first police force to use the National Management Centre (NMC) for cybersecurity set up under the National Police Chiefs’ Council (NPCC).

read more

Phishing Attacks Bypassing 2-Factor Authentication


Penetration testers and attackers have a new tool in their arsenal that can be used to automate phishing attacks in a way that defeats two-factor authentication (2FA) and is not easy to detect and block, reports CSO Magazine.

read more

Third of Breaches Caused By Unpatched Vulnerabilities


IT security professionals have admitted that a third of cybersecurity breaches are the result of vulnerabilities that they should have patched.

read more