More companies are using multi-factor authentication. Hackers are looking for a way to beat it

Multi-factor authentication makes it more difficult for accounts to be hacked - but cyber criminals are persistent and are turning to new means to gain access to accounts.
Written by Danny Palmer, Senior Writer

Phishing attacks are evolving in order to help hackers bypass multi-factor authentication (MFA) protections designed to stop cyber criminals from exploiting stolen usernames and passwords for accounts.

The use of multi-factor authentication, which requires the user to enter a code or sign in to an additional app in order to log in to their account, has grown in recent years, as it's commonly seen as one of the simplest tools that organisations and individuals can deploy across accounts to help keep them secure.

But while this has made conducting attacks harder for cyber criminals, that isn't putting them off – and cybersecurity researchers at Proofpoint have detailed how there's been a rise in phishing kits designed to bypass MFA.

Phishing kits have long been a popular tool among cyber criminals, allowing them to harvest credentials and use them. In many cases, the kits are available on the open web and cost only a few dollars, fuelling large numbers of attacks.

Now phishing kits are evolving, boasting tools and techniques that allow cyber criminals to bypass or steal multi-factor authentication tokens. These range from relatively simple open-source kits, to sophisticated kits that come with several layers of obfuscation and modules that allow attackers to steal usernames, passwords, MFA tokens, social security numbers, credit card numbers, and more.

One of the techniques gaining popularity is a kind of phishing kit that does not rely on recreating a target website, as phishing usually might. Instead, these kits take advantage of reverse proxy servers – applications that sit between the internet and the web server in order to help services run smoothly. The process is relatively simple for attackers who know what they're doing, while those who don't can learn from documents and guides on dark web forums.

"The threat actors can just purchase space on a shared hosting server or cloud host and upload the phish kit and reverse proxy infrastructure on their own machines. Or compromise and use that host," Sherrod DeGrippo, VP of threat protection and detection at Proofpoint, told ZDNet.

"It takes about an hour to purchase a domain, get a VPS [virtual private server], install the phish kit, web server, reverse proxy, and DNS configurations. By exploiting this situation with phishing kits, attackers can not only steal usernames and passwords, but also session cookies, enabling access to the targeted account," she added.

While these particular phishing kits are currently uncommon – even those that have existed in one way or another for years – the warning is that adoption of these techniques is likely to grow as MFA forces cyber criminals to adapt.

"They are easy to deploy, free to use, and have proven effective at evading detection. The industry needs to prepare to deal with blind spots like these before they can evolve in new unexpected directions," warned researchers.


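
A defender-side illustration of the session-cookie theft described in the article, added here and not part of the original article or Proofpoint's research: the code flags a session cookie that is later presented by a different client than the one that completed MFA. The event format, field names and sample data are constructed assumptions.

```python
# Constructed sample events (not real logs). Field names are assumptions:
# "mfa_ok" marks the request that completed MFA and was issued the session;
# "request" events are later uses of that session cookie.
EVENTS = [
    {"t": 100, "type": "mfa_ok", "user": "alice", "sid": "s-001", "ip": "198.51.100.7", "ua": "Firefox/96"},
    {"t": 130, "type": "request", "user": "alice", "sid": "s-001", "ip": "198.51.100.7", "ua": "Firefox/96"},
    {"t": 200, "type": "mfa_ok", "user": "bob", "sid": "s-002", "ip": "203.0.113.50", "ua": "Chrome/97"},
    {"t": 260, "type": "request", "user": "bob", "sid": "s-002", "ip": "192.0.2.99", "ua": "python-requests/2.27"},
    {"t": 300, "type": "request", "user": "carol", "sid": "s-003", "ip": "192.0.2.14", "ua": "Safari/15"},
]


def find_session_replay(events):
    """Return alerts for session cookies used by a client other than the
    one that passed MFA, or used with no recorded MFA event at all."""
    issued = {}   # sid -> (ip, ua) of the client that completed MFA
    seen = set()  # de-duplicate alerts per (sid, client)
    alerts = []
    for ev in sorted(events, key=lambda e: e["t"]):
        client = (ev["ip"], ev["ua"])
        if ev["type"] == "mfa_ok":
            issued[ev["sid"]] = client
            continue
        origin = issued.get(ev["sid"])
        if origin is None:
            reason = "session used with no MFA event on record"
        elif client != origin:
            changed = [n for n, a, b in zip(("ip", "ua"), origin, client) if a != b]
            reason = "session moved to a new client (" + "+".join(changed) + " changed)"
        else:
            continue  # same client that authenticated: nothing to report
        key = (ev["sid"], client)
        if key not in seen:
            seen.add(key)
            alerts.append({"sid": ev["sid"], "user": ev["user"], "t": ev["t"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_session_replay(EVENTS):
        print(alert)
```

Legitimate users also change networks, so a hit is better treated as a trigger for re-authentication than as proof of compromise. Because a reverse proxy relays the login itself, this check only catches a cookie replayed from a different client than the one that performed the login.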