A multi-year research collaboration between computer scientists at Stony Brook University and private industry researchers has uncovered more than 1,000 new and more sophisticated automated phishing toolkits around the world. What makes this work interesting is that these tools combine two key technologies: a man-in-the-middle (MITM) position and a reverse network proxy. Let's look at how the attack works, how these tools were discovered in the wild, and what you can do about them so that you can keep using MFA to protect your own login information.
A typical MFA routine uses an additional one-time code (usually six digits) that is valid for only about a minute, which the user enters to complete the login request for their account. The code can be delivered in several ways; we have written before about the relative merits of SMS delivery versus a separate MFA smartphone app.
The role of the automated phishing toolkit is to intercept this code, either by stealing the session cookies on your computer or by tricking you into handing the code to an attacker when you believe you are entering it into the legitimate site as part of the login process. This article explains the difference between the two methods and includes a video in which the researchers who discovered the toolkits present their findings.
These phishing tools bring an impressive degree of automation: they can easily obtain a static copy of the target website's current pages, serve it to the victim, and evade detection through cloaking mechanisms, all with minimal effort from the attacker. The newer versions go further: a malicious reverse proxy server forwards requests and responses between the victim and the target web server while extracting the credentials and session cookies used in the authentication process. This has two important advantages for the attacker. First, there is no need to keep a fake website up to date, because the user is seeing the "real" target website. Second, automation removes the need for any manual interaction to obtain the one-time MFA password.
Reverse proxy servers have been around almost as long as web servers themselves and are used in many legitimate ways to simplify security and balance traffic load across web servers. Popular open source versions include Squid and Nginx, and the same technology is built into various commercial Cloud Access Security Brokers. But like anything else on the Internet, there are many ways to use these servers, for better or for worse. One of the most notorious users of reverse proxies was Adrian Lamo, a hacker who deployed them to break into various commercial systems. I met Lamo in 2002, before he was convicted for breaking into the New York Times, and before he became infamous for turning in Chelsea Manning, the source who leaked U.S. government documents to WikiLeaks.
The researchers analyzed 13 different versions of three phishing toolkits and created fingerprints for the network traffic passing through these tools. These fingerprints were encoded into a testing tool they call PHOCA, which they have made available to other researchers on GitHub. Starting in March 2020, they ran various phishing websites through PHOCA for a year and found 1,220 sites using these kits to harvest victims' personal data.
This represents a huge leap in their popularity, which may be because most of these phishing tools are free to download and easy to learn and use (thanks to various online tutorial videos and hacker forums). The diagram of how PHOCA works below is copied from the research paper:
(Image source: Catching Transparent Phish: Analyzing and Detecting MITM Phishing Toolkits)
Phishing tools are also easy to deploy across cloud hosting infrastructure because they can be set up and torn down quickly. Half of the phishing domains were registered within one week before the attack, and one-third of the tools shared a public IP address with a legitimate domain. Both of these practices make detection more difficult and show some sophistication in how the attackers operate.
An interesting result is that these phishing toolkits occupy a blind spot in phishing block lists. Fewer than half of the domains and only one-fifth of the associated IP addresses were found in these block lists, including a commercial one. This means better detection algorithms are needed to prevent potential attacks, and one security vendor has already implemented PHOCA's rules in its own network scanners. "Phishing block list services must take a more proactive approach to discovering phishing content," the paper's authors say.
What are the key points of this work?
The first is an interesting observation by the researchers: "The real-time traffic proxying of MITM phishing toolkits enables them to launch powerful phishing attacks, but it also exposes them to fingerprinting that is not possible with traditional phishing techniques." That is, of course, a welcome side effect for defenders.
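The fingerprinting the researchers describe rests on a simple physical fact: a reverse proxy terminates the TCP and TLS connection close to the victim, but must then make its own round trip to the real site before it can answer an HTTP request, so the application-layer delay is out of proportion to the transport-layer delay. The following added example (my illustration, not PHOCA or the paper's own code) measures those three timings for a host and flags it when the time to first byte is disproportionately large relative to the TCP round trip. The hostnames, the sample timings and the 4.0 threshold are constructed assumptions for illustration; PHOCA combines several network and TLS features rather than relying on one ratio.

```python
import socket
import ssl
import statistics
import time
from dataclasses import dataclass
from typing import Sequence


@dataclass
class Timing:
    tcp_rtt: float  # seconds for the TCP connect (transport layer)
    tls_rtt: float  # seconds for the TLS handshake (also terminated at the proxy)
    ttfb: float     # seconds from sending the request to the first response byte


def measure(host: str, port: int = 443, timeout: float = 5.0) -> Timing:
    """Take one live sample against a host (needs network; not used by the offline checks)."""
    ctx = ssl.create_default_context()
    t0 = time.perf_counter()
    raw = socket.create_connection((host, port), timeout=timeout)
    t1 = time.perf_counter()
    tls = ctx.wrap_socket(raw, server_hostname=host)  # handshake runs here
    t2 = time.perf_counter()
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    tls.sendall(request.encode())
    tls.recv(1)  # first byte of the response
    t3 = time.perf_counter()
    tls.close()
    return Timing(tcp_rtt=t1 - t0, tls_rtt=t2 - t1, ttfb=t3 - t2)


def proxy_score(samples: Sequence[Timing]) -> float:
    """Median ratio of application-layer delay to transport-layer delay.

    A server answering for itself needs roughly one RTT plus processing time,
    so the ratio stays small. A transparent proxy must open its own connection
    to the origin (handshakes plus the request) before it can reply, which
    inflates the ratio while the victim-facing TCP RTT stays short.
    """
    if not samples:
        return 0.0
    return statistics.median(s.ttfb / s.tcp_rtt for s in samples)


def looks_proxied(samples: Sequence[Timing], threshold: float = 4.0) -> bool:
    # threshold is an assumed illustrative value, not a figure from the paper
    return proxy_score(samples) > threshold


# Constructed samples: a site answering directly versus one fronted by a relay.
DIRECT_SAMPLES = [
    Timing(0.030, 0.062, 0.041),
    Timing(0.031, 0.060, 0.045),
    Timing(0.029, 0.064, 0.039),
]
PROXIED_SAMPLES = [
    Timing(0.012, 0.026, 0.140),
    Timing(0.011, 0.024, 0.155),
    Timing(0.013, 0.027, 0.132),
]

if __name__ == "__main__":
    for label, samples in (("direct", DIRECT_SAMPLES), ("proxied", PROXIED_SAMPLES)):
        print(f"{label}: score={proxy_score(samples):.2f} proxied={looks_proxied(samples)}")
```

Take several samples per host before scoring, since a single slow origin response can mimic the proxy signature; the point of the example is that the relay cannot hide the extra hop from timing measurements, which is exactly the exposure the researchers are describing.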
Second, websites should implement stronger countermeasures. One method is to use a separate communication channel to complete the MFA login: for example, a link to complete the login can be sent to the user through a second, secure channel (such as email).
Finally, websites should work harder to implement the FIDO Universal 2nd Factor (U2F) protocol as the preferred MFA method. This will ultimately defeat MITM and reverse proxy attacks.
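The reason U2F survives a reverse proxy while a six-digit code does not is that the security key signs the origin the browser is actually talking to along with the site's challenge; a relay can forward the challenge and the signature, but it cannot change the origin baked into that signature. The following added example (mine, not a FIDO library or the paper's code) simulates that check. It is a simplification: a real key holds a per-registration EC key pair and returns an ECDSA signature that the site verifies with the public key, whereas here the key and the site share an HMAC secret so the example runs on the standard library alone. The origins and user name are constructed.

```python
import hashlib
import hmac
import secrets

LEGIT_ORIGIN = "https://accounts.example.com"        # constructed: the real site
PHISH_ORIGIN = "https://accounts-example.evil.test"  # constructed: the relay's host


def _signed_payload(origin: str, challenge: bytes) -> bytes:
    # The signed bytes bind the challenge to the origin the browser visited.
    return hashlib.sha256(origin.encode()).digest() + challenge


class Authenticator:
    """Stand-in for a U2F security key (HMAC instead of ECDSA; see lead-in)."""

    def __init__(self) -> None:
        self._keys = {}

    def register(self):
        handle = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._keys[handle] = key
        return handle, key  # a real key would export a public key, not the secret

    def sign(self, handle: str, browser_origin: str, challenge: bytes) -> bytes:
        # The browser, not the web page, supplies the origin; it is the URL-bar origin.
        payload = _signed_payload(browser_origin, challenge)
        return hmac.new(self._keys[handle], payload, hashlib.sha256).digest()


class RelyingParty:
    """The legitimate site: issues challenges and verifies signed responses."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self._creds = {}
        self._pending = {}

    def register(self, user: str, authenticator: Authenticator) -> None:
        self._creds[user] = authenticator.register()

    def begin_login(self, user: str):
        challenge = secrets.token_bytes(32)
        self._pending[user] = challenge
        handle, _ = self._creds[user]
        return handle, challenge

    def finish_login(self, user: str, signature: bytes) -> bool:
        handle, key = self._creds[user]
        challenge = self._pending.pop(user, None)
        if challenge is None:
            return False  # no outstanding challenge, or a replay
        # The site verifies against ITS OWN origin, never one supplied by the client.
        expected = hmac.new(key, _signed_payload(self.origin, challenge), hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def direct_login() -> bool:
    """User visits the real site: the signed origin matches, login succeeds."""
    site, key = RelyingParty(LEGIT_ORIGIN), Authenticator()
    site.register("alice", key)
    handle, challenge = site.begin_login("alice")
    signature = key.sign(handle, LEGIT_ORIGIN, challenge)
    return site.finish_login("alice", signature)


def proxied_login() -> bool:
    """User visits the relay: the real challenge is forwarded unchanged, but the
    browser is on the phishing origin, so the signature names that origin and
    the site rejects it even though the relay forwards it verbatim."""
    site, key = RelyingParty(LEGIT_ORIGIN), Authenticator()
    site.register("alice", key)
    handle, challenge = site.begin_login("alice")   # relay fetches this from the site
    signature = key.sign(handle, PHISH_ORIGIN, challenge)  # victim's browser signs
    return site.finish_login("alice", signature)    # relay forwards the signature


if __name__ == "__main__":
    print("direct login accepted:", direct_login())    # True
    print("proxied login accepted:", proxied_login())  # False
```

Contrast this with a TOTP code: nothing in the six digits says where they were typed, so the relay can forward them and the site has no way to tell. With U2F (and WebAuthn, which keeps the same origin binding) the relay's own hostname is what gets signed, which is why the authors single it out as the countermeasure that finishes off this class of attack.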