
Phishing Attacks Bypass MFA: The New Threat to Your Online Security

5/2/2025
A new wave of phishing attacks is targeting multifactor authentication (MFA), allowing even non-technical users to bypass security measures. Discover how hackers are exploiting vulnerabilities and what you can do to protect yourself.

The Rise of Phishing Attacks Bypassing Multifactor Authentication (MFA)

In recent years, a troubling trend has emerged in the realm of cybersecurity: an entire cottage industry dedicated to executing phishing attacks that effectively bypass some of the most common forms of multifactor authentication (MFA). This development allows even non-technical users to quickly create malicious sites that undermine protections against account takeovers. MFA is designed to enhance security by requiring an additional authentication factor beyond just a password, such as a fingerprint, face scan, or a digital key. In theory, this mechanism prevents unauthorized access even if an attacker manages to steal a victim’s username and password.

Understanding Multifactor Authentication

Typically, the second factor in MFA is a one-time passcode (OTP), which is sent to the user via text message or email, or generated by an authentication app that the user has previously set up. However, as recent reports from cybersecurity experts, including Cisco Talos, reveal, a new wave of phishing tactics threatens to compromise the effectiveness of these security measures.

The Adversary in the Middle Attack Technique

The technique of choice for these cybercriminals is known as an adversary in the middle attack. This method involves creating a proxy server that sits between the victim and the legitimate site they are attempting to access. Phishing-as-a-service toolkits, marketed in various online crime forums under names like Tycoon 2FA, Rockstar 2FA, Evilproxy, Greatness, and Mamba 2FA, provide all the necessary code to execute these attacks.

The phishing attack typically begins with the victim receiving a deceptive message urging them to log into their account, often claiming that their account has been compromised and needs immediate attention. The provided link may resemble the legitimate account URL but is subtly altered. For example, instead of directing users to https://accounts.google.com, the URL may read https://accounts.google.com.evilproxy.com. In their urgency to secure their accounts, victims may overlook the discrepancy in the URL.

How the Attack Unfolds

Once the victim clicks the malicious link, they are redirected to the attacker's proxy server, which, thanks to the phishing toolkit, mimics the real login page of the legitimate site. The victim then enters their username and password, unaware that their credentials are being forwarded to the actual site. In response, the legitimate site sends an MFA request back to the proxy server, which then relays it to the victim. Expecting to log in, the victim submits their MFA code, granting the attacker access to their account.

The Vulnerability of Traditional MFA

The primary flaw in many MFA systems is that the codes themselves are phishable. Since these codes consist of numbers (and sometimes letters), they are as easy for attackers to capture and use as traditional passwords. This vulnerability extends to push notifications; if a victim clicks the notification, the attacker can gain access just as easily. The user-friendly nature of phishing toolkits means that even those with minimal technical expertise can create convincing phishing pages and proxy servers.

These types of adversary-in-the-middle attacks have become alarmingly prevalent. For instance, in 2022, a single group utilized this tactic to steal over 10,000 credentials from 137 organizations, resulting in significant breaches, including the network compromise of authentication provider Twilio. One notable organization that avoided a breach during this campaign was the content delivery network Cloudflare, thanks to its adoption of MFA based on the WebAuthn standard.

WebAuthn: The Solution to Phishing Vulnerabilities

WebAuthn offers robust protection against adversary-in-the-middle attacks, making it a preferred choice for organizations. There are two critical reasons for WebAuthn's effectiveness. First, WebAuthn credentials are cryptographically bound to the specific origin (the site's domain) they were registered for, and the browser, not the user, records the origin it is actually connected to. For example, credentials would only work on https://accounts.google.com, and would fail if the user attempted to log in via https://accounts.google.com.evilproxy.com.

Second, WebAuthn-based authentication must occur on or near the device being used for login. This cryptographic binding to the device adds another layer of security, making it nearly impossible for an adversary in the middle to exploit the credentials during a phishing attack.
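The following added example (not code from the original article or from any of the toolkits it names) simulates the login flow described above on both the relying party's and the browser's side, to show why the OTP relay works but a WebAuthn assertion does not: the browser refuses an rpId that does not match the origin it is really talking to, and the server rejects any assertion whose origin or rpIdHash belongs to the proxy. The per-credential key, the challenge and the HMAC stand-in for the authenticator's ECDSA signature are constructed assumptions for the simulation.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

RP_ID = "accounts.google.com"          # relying party ID the real site registers under
EXPECTED_ORIGIN = "https://" + RP_ID   # the only origin the server accepts

@dataclass
class Assertion:
    client_data_json: bytes    # browser-built JSON: type, challenge, origin
    authenticator_data: bytes  # sha256(rpId) || flags || signature counter
    signature: bytes           # over authenticator_data || sha256(client_data_json)

def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()

def browser_get_assertion(rp_id: str, origin: str, challenge: str, key: bytes) -> Assertion:
    """What the browser and authenticator do for navigator.credentials.get()."""
    host = origin.split("://", 1)[1]
    # The browser only honours an rpId that is the origin's host or a parent domain of it,
    # so a proxy at evilproxy.com cannot relay the real site's rpId.
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"rpId {rp_id!r} is not valid for origin {origin!r}")
    # The browser, not the user, stamps the origin it is really connected to.
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    auth_data = rp_id_hash(rp_id) + b"\x05" + (1).to_bytes(4, "big")   # flags: UP|UV, counter=1
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    # HMAC with a per-credential key stands in for the authenticator's ECDSA signature (assumption;
    # a real authenticator would also hold a separate credential per rpId).
    return Assertion(client_data, auth_data, hmac.new(key, to_sign, hashlib.sha256).digest())

def server_verify(a: Assertion, challenge: str, key: bytes) -> bool:
    """Relying-party checks from the WebAuthn assertion verification procedure."""
    cd = json.loads(a.client_data_json)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != EXPECTED_ORIGIN:             # origin binding
        return False
    if a.authenticator_data[:32] != rp_id_hash(RP_ID):  # rpId binding
        return False
    to_sign = a.authenticator_data + hashlib.sha256(a.client_data_json).digest()
    return hmac.compare_digest(a.signature, hmac.new(key, to_sign, hashlib.sha256).digest())

def login(origin: str, rp_id: str = RP_ID) -> str:
    """Run one login from the given origin; returns where it was stopped, or 'accepted'."""
    key = b"per-credential-secret (constructed)"
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"   # constructed; real servers use fresh random bytes
    try:
        a = browser_get_assertion(rp_id, origin, challenge, key)
    except ValueError:
        return "rejected by browser"
    return "accepted" if server_verify(a, challenge, key) else "rejected by server"
```

Calling `login("https://accounts.google.com")` succeeds, while a proxy origin fails either in the browser (if it relays the real rpId) or at the server (if it substitutes its own rpId, since the origin and rpIdHash no longer match).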

The Growing Threat of Phishing

Phishing remains one of the most persistent and challenging security issues faced by organizations, their employees, and users alike. Although traditional MFA methods, such as one-time passwords and push notifications, do introduce some hurdles for attackers, the rise of adversary-in-the-middle proxy attacks makes these methods increasingly vulnerable. In contrast, WebAuthn-based MFA, often implemented through credentials stored on devices like phones, computers, or hardware security keys such as YubiKeys, is gaining traction as a secure alternative.

With thousands of sites now supporting WebAuthn, it’s easier than ever for end users to enroll. Furthermore, MFA based on U2F—WebAuthn's predecessor—also effectively thwarts adversary-in-the-middle attacks, though WebAuthn offers enhanced flexibility and security features.

© Copyright 2025 BreakingOn. All rights reserved.