How to protect your MFA against phishing attacks based on reverse-proxy tools
Growing adoption of multifactor authentication (MFA) has pushed phishing actors to develop more sophisticated tooling, including reverse proxy kits that relay the victim's login to the real site. One point is often missed: it is not only the MFA solutions that differ, but the tokens themselves, which do not all offer the same characteristics and the same level of protection against phishing attacks.
Increasing adoption of multifactor authentication (MFA)
Multifactor authentication (MFA) has not only grown in popularity following the rapid shift to working from home (WFH). It has also been made mandatory for specific products and in some industries because of regulatory requirements.
Financial services, for instance, must comply with the European directive PSD2, which requires them to set up strong customer authentication (SCA) for online banking access, payments and transactions, in practice by using MFA. Google has recently decided to enable two-factor authentication (2FA) on all Google accounts, and Salesforce has just made MFA mandatory to access its products.
With MFA, end users must provide a second authentication factor in addition to the traditional login and password. This second factor can be a one-time password (OTP) sent by SMS or email, or an authentication token (software or hardware).
Phishing attackers' ways to bypass MFA
For a phishing attacker, this extra step means that stealing the traditional account details (i.e. the login and password) is no longer enough to take control of the account.
This has driven phishing actors to develop more sophisticated tooling to bypass MFA and continue their malicious operations, notably reverse proxy tools.
Following Proofpoint's recent report, word is spreading that MFA is threatened by phishing attackers adopting reverse proxy solutions.
MFA phishing kits
As Proofpoint's report details, phishing actors can purchase MFA phishing kits for less than the price of a cup of coffee. Researchers have identified different types of kit: a simple open-source kit with human-readable code and no-frills functionality, or a more sophisticated kit that uses several layers of obfuscation and modules to steal usernames, passwords, MFA tokens, social security numbers and credit card numbers.
Reverse proxy tools to bypass MFA
Proofpoint researchers later spotted a new kind of kit. It uses a transparent reverse proxy that presents the victim with a website that looks and behaves exactly like the legitimate one. In other words, these kits do not imitate the original website; they relay it.
The reverse proxy serves the real application's content from a different URL. It rewrites URLs on the fly and delivers the same user experience as the original application, so the user, or rather the victim, really feels they are interacting with the legitimate site.
The whole setup exists so that the attacker can intercept everything exchanged between the application and the user: credentials, but also the session cookie. Once the session cookie is stolen, the attacker can inject it into their own browser and interact with the application as the legitimate user, without needing to re-authenticate. Note that MFA is not broken here: the victim completes the MFA step themselves, on the attacker's proxy, and the attacker simply keeps the resulting session.
This new generation of phishing kits using a reverse proxy therefore captures not only the login and password but also the session created after a 2FA or MFA step, which defeats most OTP-based second factors. According to Proofpoint researchers, these kits are expected to see wider adoption as the spread of MFA forces attackers to adapt.
Deviceless MFA to be fully protected against phishing kits targeting MFA
It is not only the MFA solutions that differ: the tokens themselves do not all offer the same characteristics and the same level of protection against phishing attacks.
Deviceless MFA, what is it exactly?
Deviceless MFA is a multifactor authentication technology that lets end users authenticate and access their apps, network and data using any browser, without a physical key, a smartphone or a company-owned computer, and without installing specific hardware or software.
“With the Deviceless MFA, it is the web browser that becomes the trusted token.”
A browser token to counter phishing kits that target MFA
The Deviceless MFA browser token is resistant to this kind of phishing because it verifies the URL on which authentication is attempted: the token is bound to the legitimate origin and will not authenticate on a copy of the application served by a reverse proxy from another URL. An OTP received by SMS or email has no such binding; it is a short string that is equally valid wherever the victim types it, which is exactly what the proxy relies on. The check is only as good as the browser's own view of the origin, so it has to be performed by the token code running in the browser (or by signing the origin so that the server can verify it), never by trusting a URL string supplied by the page.
Phishing is one of the most common forms of cybercrime: a technique used to obtain personal information in order to usurp an identity. The most common cases are (i) a legitimate-looking email requesting bank account information or financial services login credentials in order to steal money, and (ii) an attempt to obtain an employee's login credentials for the professional networks they have access to.
IT experts agree that passwords are a weak point and the root cause of many successful phishing attacks. Access to data (company network, applications, bank account, etc.) should therefore be protected with a multi-factor authentication solution; MFA is widely recognized as one of the most effective measures against account takeover and phishing.
Contrary to common belief, not all multi-factor authentication mechanisms are equal, and some can be defeated: phishing kits based on reverse-proxy tools that target MFA have recently been documented. To protect effectively against such attacks, the token itself must be phishing-resistant, as with Deviceless MFA, a browser-based authentication that verifies the legitimacy of the login URL.