Wednesday, 7 September 2022

2 Factor Proxy Bypass

In the never-ending game of cat and mouse, cyber criminals have found a way to bypass two-factor authentication. While the method is newer, the techniques and methods are not. By simply combining a normal phishing site with a proxy, malicious actors are able to intercept two-factor authentication codes and authenticated session cookies.

Standard phishing emails are used, with messages asking people to update their passwords, log in to confirm an account, etc. Previously, when someone browsed to those malicious sites via the links, they would enter their account name and password. The malicious actor would harvest those credentials, and could try to use them to gain access to accounts on many sites. Two-factor authentication, when used properly, would prevent the malicious login since the attacker would never receive the authentication code. Now, with this new application of old techniques, they're able to steal not only the credentials, but also the two-factor code and even authenticated session cookies.

The proxy bypass technique would look something like this:

[Diagram of the proxy bypass flow; image credit to Resecurity]

  1. A user receives a phishing email, clicks the malicious link, and enters their credentials
  2. The link sends the connection through a proxy server to the actual website (Microsoft login, Google login, etc.)
  3. A legitimate MFA page is proxied back to the user from the website that is being intercepted by the proxy
  4. The user enters their two-factor authentication code, which is sent via the proxy to the legitimate website. At this point, the two-factor auth code can be considered compromised
  5. The website returns an authenticated session cookie to the proxy, which relays it to the user's browser. At this point, the malicious actor has the authenticated session cookie, username, password, and two-factor code and can log in to the actual site as the victim
  6. The user is redirected to another page. It's likely that the legitimate Microsoft, Google, or other site is loaded

In short, the user starts a TLS session that appears to connect to the target website. That TLS session actually terminates at the malicious proxy, which can decrypt it. The malicious proxy then creates its own TLS session to the target website, and can continue to sit in the middle and intercept all TLS communications between the victim and the target site.
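The proxy works because a one-time code is just a string: nothing ties it to the site the user typed it into, so the proxy can relay it unchanged. An authenticator that signs the page's origin into the response (WebAuthn/FIDO2) does not have that weakness. The following added example, which is not from the post or from any vendor, models the relying-party checks on such an assertion and walks the proxied flow from steps 1-4 through them; `login.example.com`, the phishing domain and the HMAC stand-in for the authenticator's signature are all constructed for the example.

```python
import hashlib
import hmac
import json
# Values the legitimate relying party (RP) expects; constructed for this example.
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"
# Stand-in for the authenticator key: HMAC replaces the real asymmetric signature.
AUTH_KEY = b"example-authenticator-key"

def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()

def browser_assertion(page_origin, challenge):
    """Model of what browser and authenticator produce for the page the user is on:
    the browser, not the page, fills in origin, and rpIdHash comes from the page's
    domain. A real authenticator would refuse a proxy domain (no credential for it)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, separators=(",", ":")).encode()
    page_domain = page_origin.split("://", 1)[1].split("/", 1)[0]
    auth_data = rp_id_hash(page_domain) + b"\x01"  # rpIdHash || flags (user present)
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return client_data, auth_data, hmac.new(AUTH_KEY, to_sign, hashlib.sha256).digest()

def verify_assertion(client_data, auth_data, signature, issued_challenge):
    """Relying-party checks in the order the WebAuthn spec lists them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != issued_challenge:
        return False, "challenge was not issued by this RP"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    expected = hmac.new(AUTH_KEY, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return False, "signature does not cover the fields presented"
    return True, "ok"

def proxied_login(proxy_origin, challenge, patch_fields=False):
    """Steps 1-4 of the post with a WebAuthn assertion in place of the OTP. The victim's
    browser is on the proxy's domain; with patch_fields the proxy rewrites what it can see."""
    client_data, auth_data, signature = browser_assertion(proxy_origin, challenge)
    if patch_fields:  # forge origin and rpIdHash to the legitimate values before relaying
        cd = json.loads(client_data)
        cd["origin"] = RP_ORIGIN
        client_data = json.dumps(cd, separators=(",", ":")).encode()
        auth_data = rp_id_hash(RP_ID) + auth_data[32:]
    return verify_assertion(client_data, auth_data, signature, challenge)
```

The relayed assertion fails on the origin check, and even if the proxy patches the origin and rpIdHash to the legitimate values, the signature no longer matches the fields presented, so the relying party never issues the session cookie from step 5.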

As reported by The Hacker News, PhaaS (phishing-as-a-service) toolkits utilizing this method are being sold. One example is EvilProxy, which costs as little as $400 / month.
