Phishing Attacks Bypassing 2-Factor Authentication

Penetration testers and attackers have a new tool in their arsenal that can be used to automate phishing attacks in a way that defeats two-factor authentication (2FA) and is not easy to detect and block, reports CSO Magazine.
The tool makes such attacks much easier to deploy, so organizations should adapt their anti-phishing training accordingly.
The new toolkit was presented last month at the Hack in the Box conference in Amsterdam and was released on GitHub a few days later. It has two components: a transparent reverse proxy called Muraena and a Docker container for automating headless Chromium instances called NecroBrowser.

To overcome 2FA, attackers need their phishing websites to function as proxies, forwarding requests on the victims' behalf to the legitimate websites and delivering the responses back in real time. The final goal is not only to obtain usernames and passwords but also the active session tokens, known as session cookies, that the real websites associate with logged-in accounts.

These session cookies can be placed inside a browser to access the accounts they're associated with directly without the need to authenticate.
This proxy-based technique is not new and has been known for a long time, but setting up such an attack required technical knowledge and involved configuring multiple independent tools, such as the NGINX web server running as a reverse proxy. The attacker then had to manually abuse the stolen session cookies before they expired. Furthermore, some websites use technologies like Subresource Integrity (SRI) and Content Security Policy (CSP) to prevent proxying, and some even block automated browsers based on their request headers.
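The server-side trace such an attack leaves is a session cookie that completed the 2FA step in the victim's browser and is later presented by a different client, typically a headless browser. The following detection logic is an added example and is not part of the article or of the tools it describes; the access-log format, the `/login/verify-otp` path and the sample lines are constructed for illustration.

```python
"""Flag authenticated sessions whose cookie is later presented by a different
client fingerprint, the trace a stolen session cookie loaded into a fresh
(headless) browser leaves in web-server logs. Format and paths are constructed."""
import re
from collections import defaultdict

# Constructed sample access log: timestamp, client IP, session id, method, path, User-Agent.
SAMPLE_LOG = """\
2019-06-10T09:00:01Z 203.0.113.5 sid=a1b2 POST /login/verify-otp Mozilla/5.0 (Windows NT 10.0) Firefox/67.0
2019-06-10T09:00:05Z 203.0.113.5 sid=a1b2 GET /inbox Mozilla/5.0 (Windows NT 10.0) Firefox/67.0
2019-06-10T09:02:30Z 203.0.113.5 sid=a1b2 GET /settings/forwarding Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/74.0
2019-06-10T09:03:00Z 198.51.100.9 sid=c3d4 POST /login/verify-otp Mozilla/5.0 (Macintosh) Safari/605.1.15
2019-06-10T09:03:10Z 198.51.100.9 sid=c3d4 GET /inbox Mozilla/5.0 (Macintosh) Safari/605.1.15
"""

LINE_RE = re.compile(r"^(\S+) (\S+) sid=(\S+) (\S+) (\S+) (.*)$")


def parse(line):
    """Split one constructed log line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, sid, method, path, ua = m.groups()
    return {"ts": ts, "ip": ip, "sid": sid, "method": method, "path": path, "ua": ua}


def find_replayed_sessions(log_text, auth_path="/login/verify-otp"):
    """Return {sid: [(ts, ip, ua), ...]} for sessions where, after the 2FA step,
    the cookie was presented with a User-Agent other than the one that completed
    authentication. The client IP is deliberately not the signal: with a reverse-proxy
    phishing kit the victim's login and the later reuse can both come from the proxy."""
    authenticated_ua = {}          # sid -> UA that completed the 2FA step
    suspicious = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        sid = rec["sid"]
        if rec["path"] == auth_path:
            authenticated_ua[sid] = rec["ua"]
        elif sid in authenticated_ua and rec["ua"] != authenticated_ua[sid]:
            suspicious[sid].append((rec["ts"], rec["ip"], rec["ua"]))
    return dict(suspicious)


def looks_automated(ua):
    """Header-based hint the article mentions: headless Chromium names itself in the UA."""
    return "HeadlessChrome" in ua
```

Only session a1b2 is flagged: its cookie reappears from the same IP but with a headless Chromium User-Agent two minutes after the one-time code was accepted, while c3d4 keeps one client fingerprint throughout.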

more news

TrendMicro Midyear Cybersecurity Assessment
The first six months of 2019 saw organisations dealing with a broad range of incoming threats and, more urgently, tackling threats that had already gained a foothold in their systems, according to the midyear trend assessment carried out by TrendMicro.

DoS and DDoS - What's the Difference

Online knowledge base Wikipedia suffered an outage at the weekend following a Distributed Denial of Service (DDoS) attack. The company released a statement: "Wikipedia was hit with a malicious attack that has taken it offline in several countries for intermittent periods. The attack is ongoing and our Site Reliability Engineering team is working hard to stop it and restore access to the site."

Hackers Targeting Office 365 A Growing Threat
The UK's National Cyber Security Centre has published its incident trends report covering October 2018 to April 2019, and it is not good news for Office 365 users. The report states that cloud services, and Office 365 in particular, have become the primary target observed in recent months.

New Canon Survey Reveals Critical Gaps in Companies' Cybersecurity Agendas
While digital transformation helps companies work smarter, there is a risk that the ongoing digitization may unlock a host of security vulnerabilities that can cost companies money, time, intellectual property, and customer trust. In its latest Office of the Future survey, released today by Canon USA.
