Penetration testers and attackers have a new tool in their arsenal that can be used to automate phishing attacks in a way that defeats two-factor authentication (2FA) and is not easy to detect and block, reports CSO Magazine.
The tool makes such attacks much easier to deploy, so organizations should adapt their anti-phishing training accordingly.
The new toolkit was presented last month at the Hack in the Box conference in Amsterdam and was released on GitHub a few days later. It has two components: a transparent reverse proxy called Muraena, and a Docker container called NecroBrowser that automates headless Chromium instances.
To overcome 2FA, attackers need their phishing websites to function as proxies, forwarding requests to the legitimate websites on the victims' behalf and relaying the responses back in real time. The final goal is not just usernames and passwords, but active session tokens, known as session cookies, that the real websites associate with logged-in accounts.
These session cookies can be loaded into a browser to access the associated accounts directly, without authenticating again.
This proxy-based technique is not new and has been known for a long time, but setting up such an attack required technical knowledge and involved configuring multiple independent tools, such as the NGINX web server running as a reverse proxy. The attacker then had to manually abuse the stolen session cookies before they expired. Furthermore, some websites use technologies like Subresource Integrity (SRI) and Content Security Policy (CSP) to prevent proxying, and some even block automated browsers based on their request headers.
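The paragraph above mentions SRI as one of the controls that gets in the way of a transparent proxy. The following added example (not code from the article or from the toolkit it describes) shows the mechanism: a proxy that rewrites hostnames inside a fetched script changes its bytes, so the browser's integrity check fails. The hostnames and script body are constructed placeholders.

```python
"""Why Subresource Integrity (SRI) gets in the way of a transparent
reverse proxy.  Added example, not part of the original article.

The legitimate page references a script with an ``integrity``
attribute.  A proxy that rewrites hostnames inside the script body
(so the victim's browser keeps talking to the proxy) changes the bytes
the browser receives; the hash no longer matches and the browser
refuses to run the script.  All names below are constructed.
"""
import base64
import hashlib

REAL_HOST = "login.example.com"    # legitimate origin (constructed)
PROXY_HOST = "login.example.test"  # proxy's hostname (constructed)

# Script as served by the legitimate site (constructed sample).
ORIGINAL_SCRIPT = b'fetch("https://login.example.com/api/session").then(r => r.json());'


def sri_integrity(content: bytes, algo: str = "sha384") -> str:
    """Return the value a site puts in <script integrity="...">."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def sri_verify(content: bytes, integrity: str) -> bool:
    """Browser-side check: recompute the digest and compare it to the attribute."""
    algo, _, _expected = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False  # browsers ignore unknown/weak algorithms
    return sri_integrity(content, algo) == integrity


def proxy_rewrite(content: bytes, real: str, fake: str) -> bytes:
    """Model the hostname rewriting a transparent proxy must perform so
    that follow-up requests from the victim's browser still hit the proxy."""
    return content.replace(real.encode(), fake.encode())


def demo() -> dict:
    """Compare the original script and its proxy-rewritten copy against the
    integrity value the legitimate page would carry."""
    integrity = sri_integrity(ORIGINAL_SCRIPT)
    rewritten = proxy_rewrite(ORIGINAL_SCRIPT, REAL_HOST, PROXY_HOST)
    return {
        "integrity": integrity,
        "original_ok": sri_verify(ORIGINAL_SCRIPT, integrity),  # True
        "rewritten_ok": sri_verify(rewritten, integrity),       # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

SRI covers only the script body; the `integrity` attribute itself lives in the HTML, which is why the article lists it alongside CSP rather than as a complete defence on its own.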