How Phishing Can Overcome 2FA

Jun 17, 2019

Phishing is a serious and ever-present threat to businesses and individuals.

The development of increasingly sophisticated methods coupled with high success rates has caused phishing attacks to double over the past year.

While phishing comes in many forms, all phishing methods are in essence an attempt to extract credentials from an unsuspecting user through some form of trickery or outright manipulation.

Ignoring the Root Cause

Here on the Octopus Blog, we’ve written extensively on the threat of phishing and why conventional methods to address the problem are inherently inadequate because they fail to address the root cause – password-based authentication. Traditional solutions to protect against phishing offer only a band-aid approach because they fail to address the vulnerability that is enabling all phishing attacks – passwords.


The Impenetrable Two-factor Wall is Breached

Two-factor Authentication (2FA) has long been viewed as the ace-in-the-hole for combating phishing attacks. The logic behind this view is pretty straightforward: if an account is protected by an additional factor, stealing the password won’t be enough to grant a hacker access.

Last month, participants at the Hack-in-the-Box conference in Amsterdam unveiled a toolkit capable of automating phishing attacks that can circumvent even two-factor authentication (2FA).


How They Pulled It Off

The toolkit presented at the Hack-in-the-Box conference in May, dubbed the Muraena-NecroBrowser pair, was based on a clever solution to the 2FA obstacle. Even the more sophisticated versions of phishing, in which attackers create fake web pages to trick users into entering credentials, fall short of overcoming second factors. Such a ‘static attack’ cannot interact with the actual website cybercriminals are trying to access. Thus they have no way of generating a legitimate second factor from that site, such as a one-time passcode delivered via email or SMS.



Practically speaking, this means that even if hackers convince a user to log on to their fake site, say through social engineering, they will still be missing the essential second factor.

The new method takes an innovative approach to this problem. Instead of simply creating a fake webpage, the toolkit acts as a proxy between the victim and a legitimate website. When the unknowing user enters his or her password, the website itself receives the attempted login. This triggers the generation of an authentic second factor. After the victim completes the login process, hackers can continue operating on the site through the compromised account, utilizing the legitimate.

As pointed out by several observers, the vulnerabilities that allow this type of phishing to take place have been known for years. Indeed, industry leaders such as Google have warned that the use of techniques to overcome 2FA similar to Muraena-NecroBrowser has been on the rise for quite some time. However, until now, fairly advanced technical know-how was necessary to capitalize on these weaknesses.

The production of this automated toolkit is a game changer. It demonstrated that cybercriminals with even a perfunctory knowledge could potentially execute these complex attacks.


The Writing on the Wall

While many experts have recognized the important implications of Muraena-NecroBrowser, seemingly none have come to the obvious conclusion as to what to do about them. Most have taken the news as just another reason to apply existing methods such as “anti-phishing training” and the like.

But the real lesson from the most recent Hack in the Box conference is clear: no method, no matter how elaborate, is foolproof in preventing phishing attacks. As long as passwords remain at the heart of authentication and the second factor needs to be entered manually (SMS, OTP), hackers will figure out how to steal them.

Organizations should search for an authentication solution that is designed to prevent man-in-the-middle attacks. Passwords are not the problem here – even if the user only uses one-time codes, he will still be vulnerable. The solution to this sort of attack is advanced cryptography such as Secret Sharing, which ensures that the authentication information is routed over multiple channels.
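The point of the last two paragraphs, as an added example that is not part of the original post or of any vendor's product: a manually entered one-time code carries no record of the page it was typed into, so the server accepts it wherever the user entered it, while a response cryptographically bound to the origin the user's browser is on fails verification when that origin is not the real site. Origin-bound challenge-response is used here as one familiar instance of a man-in-the-middle-resistant design, not the Secret Sharing scheme the article names; the origins, keys, nonce and function names are constructed, and an HMAC over a shared device key stands in for whatever binding a real design uses.

```python
import hashlib
import hmac
import struct

# Constructed sample values; none of them come from the original article.
REAL_ORIGIN = "https://login.example.com"
LOOKALIKE_ORIGIN = "https://login.example-sso.test"
TOTP_SECRET = b"constructed-totp-seed"
DEVICE_KEY = b"constructed-device-key"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation per RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_accepts_otp(submitted: str, unix_time: int) -> bool:
    """The server sees only the digits, never the page they were typed into."""
    return hmac.compare_digest(submitted, totp(TOTP_SECRET, unix_time))


def device_response(challenge: bytes, origin_seen_by_user: str) -> bytes:
    """The authenticator mixes the origin the browser is actually on into the MAC."""
    msg = challenge + b"|" + origin_seen_by_user.encode()
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).digest()


def server_accepts_bound(challenge: bytes, response: bytes) -> bool:
    """The server recomputes the MAC for its own origin only."""
    return hmac.compare_digest(response, device_response(challenge, REAL_ORIGIN))


def compare_factors(unix_time: int, challenge: bytes) -> dict:
    """Server verdict for each factor, by the origin the user was actually on."""
    code_read_off_phone = totp(TOTP_SECRET, unix_time)  # identical on any page
    return {
        "otp_from_lookalike_page": server_accepts_otp(code_read_off_phone, unix_time),
        "bound_from_real_origin": server_accepts_bound(
            challenge, device_response(challenge, REAL_ORIGIN)),
        "bound_from_lookalike_origin": server_accepts_bound(
            challenge, device_response(challenge, LOOKALIKE_ORIGIN)),
    }


if __name__ == "__main__":
    # Constructed timestamp and nonce.
    for name, ok in compare_factors(1560729600, b"constructed-nonce-01").items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```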
