In recent years, a troubling trend has emerged in cybersecurity: an entire cottage industry dedicated to phishing attacks that bypass some of the most common forms of multifactor authentication (MFA). Its toolkits let even attackers with little technical skill quickly stand up malicious sites that undermine protections against account takeover. MFA is designed to strengthen security by requiring an additional authentication factor beyond the password, such as a fingerprint, a face scan, or a hardware security key. In theory, that second factor blocks unauthorized access even when an attacker has already stolen the victim's username and password.
Typically, the second factor in MFA is a one-time passcode (OTP), which is sent to the user via text message or email, or generated by an authentication app that the user has previously set up. However, as recent reports from cybersecurity experts, including Cisco Talos, reveal, a new wave of phishing tactics threatens to compromise the effectiveness of these security measures.
The technique of choice for these cybercriminals is known as an adversary-in-the-middle attack. The attacker runs a reverse proxy that sits between the victim and the legitimate site they are trying to reach, relaying traffic in both directions. Phishing-as-a-service toolkits, marketed in various online crime forums under names like Tycoon 2FA, Rockstar 2FA, Evilproxy, Greatness, and Mamba 2FA, provide all the code needed to run such an attack.
The phishing attack typically begins with the victim receiving a deceptive message urging them to log into their account, often claiming that the account has been compromised and needs immediate attention. The link provided may resemble the legitimate URL but is subtly altered. For example, instead of pointing to https://accounts.google.com, it may read https://accounts.google.com.evilproxy.com. The familiar prefix is only a subdomain; that hostname belongs to whoever registered evilproxy.com. In their urgency to secure their accounts, victims often overlook the discrepancy.
Once the victim clicks the malicious link, their browser connects to the attacker's proxy, which, thanks to the phishing toolkit, presents a copy of the real login page. The victim enters their username and password, unaware that the proxy is forwarding those credentials to the actual site. The legitimate site responds with an MFA prompt, which the proxy relays to the victim. Expecting to log in, the victim submits their MFA code, and the proxy forwards that too. The legitimate site, having seen a valid password and a valid code, issues a session cookie. Because it is the proxy, not the victim's browser, that holds the connection to the real site, the attacker captures that cookie and can use it to access the account without knowing the password or triggering the second factor again.
The primary flaw in most MFA systems is that the codes themselves are phishable. A code made of digits (and sometimes letters) is a short secret the user types in, so it can be captured and relayed as easily as a password, and nothing about it records which site the user typed it into. Push notifications fail the same way: if the victim approves the prompt that the proxy's forwarded login triggered, the attacker's session is the one that gets authorized. And because the toolkits are packaged for ease of use, people with minimal technical expertise can deploy convincing phishing pages and proxy servers.
These types of adversary-in-the-middle attacks have become alarmingly prevalent. For instance, in 2022, a single group utilized this tactic to steal over 10,000 credentials from 137 organizations, resulting in significant breaches, including the network compromise of authentication provider Twilio. One notable organization that avoided a breach during this campaign was the content delivery network Cloudflare, thanks to its adoption of MFA based on the WebAuthn standard.
WebAuthn resists adversary-in-the-middle attacks by design, which is why organizations that take phishing seriously have adopted it. Two properties account for this. First, a WebAuthn credential is scoped to the site that registered it: it is bound to a relying party identifier (the site's domain), and every assertion the authenticator signs includes, written in by the browser rather than the page, the origin of the page that requested it. A credential registered for https://accounts.google.com therefore cannot be used from https://accounts.google.com.evilproxy.com: the browser will not offer it there, and if an assertion carrying the wrong origin ever reached the server, verification would fail.
Second, WebAuthn-based authentication must occur on or near the device being used for login. The private key that proves possession lives on the authenticator, whether a security key or the secure hardware of a phone or laptop, and never leaves it; the login device talks to it over USB, NFC, Bluetooth, or internally. What crosses the network is only a signature over a fresh, server-chosen challenge, so a proxy that observes it gains nothing reusable: it cannot replay the signature for a later login and cannot recover the key from it.
Phishing remains one of the most persistent and challenging security problems faced by organizations, their employees, and users alike. Although traditional MFA methods, such as one-time passwords and push notifications, do raise the bar somewhat, adversary-in-the-middle proxies defeat them routinely. In contrast, WebAuthn-based MFA, whether through hardware security keys such as YubiKeys or through the authenticators built into phones and computers, is gaining traction as the phishing-resistant alternative.
With thousands of sites now supporting WebAuthn, enrolling is easier than ever for end users. MFA based on U2F, WebAuthn's predecessor, also thwarts adversary-in-the-middle attacks, since it performs the same origin binding; WebAuthn adds flexibility, such as built-in platform authenticators and passwordless login, on top of that.