Defeating Multi-factor Authentication through a Simple Phishing Email

Lïa Desmousseaux de Givré

Phishing

"You know, we are protected against phishing because we have implemented multi-factor authentication." We have heard this phrase too many times.

As you know, at Arsen we are very committed to raising awareness among employees about cybersecurity.

Where a trained and aware employee is an active defense for the company, an untrained person represents a real danger.

Indeed, a user who has not been properly prepared is a weak link that attackers can exploit to bypass the tools and technical protections in place.

In this article, I will show you in a video how, starting from a simple phishing email, we can bypass multi-factor authentication, also known as MFA or 2FA.

Demonstration

Principle

A phishing attack using a reverse proxy is a sophisticated method of deceiving users and gaining access to their accounts despite additional security measures such as two-factor authentication (2FA).

Here is how it generally works:

  1. Creation of a phishing page: Attackers create a malicious web page that perfectly mimics a legitimate login page, such as a banking, email, or social media login page.
  2. Setting up the reverse proxy: Attackers configure a reverse proxy server that intercepts legitimate login requests from users. When a user enters their login credentials on the phishing page, this information is sent to the reverse proxy server instead of the actual destination server.
  3. Redirection to the real service: Once the login credentials are captured, the reverse proxy server redirects the login request to the actual online service, such as an online bank or an email platform.
  4. Capture of the session cookie: Due to the nature of 2FA, the online service sends a verification code to the user's device, often via SMS or an authentication app. In this attack, the reverse proxy server intercepts this verification code and, more importantly, the session cookie issued once authentication is validated.
  5. Access to the account: With the login credentials and the session cookie, attackers can then access the user's account. They use the captured information to log in quickly before the legitimate user realizes what is happening.

By using this method, attackers can bypass 2FA by intercepting sensitive information during the login process and quickly gaining access to the account before the user can take action to secure their account.
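
On the defending side, step 5 leaves a trace in the service's own logs: the same session cookie is presented by a client that differs from the one it was issued to. The sketch below is an added example, not part of the original article or the video, and flags that pattern. The log format, field names, sample lines and 30-minute window are all assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format, deliberately out of order).
SAMPLE_LOG = '''\
2024-05-02T09:14:03Z sid=a1f3 ip=203.0.113.50 ua="Chrome/124 Windows" path=/login/mfa
2024-05-02T09:14:09Z sid=a1f3 ip=203.0.113.50 ua="Chrome/124 Windows" path=/feed
2024-05-02T09:15:40Z sid=a1f3 ip=198.51.100.77 ua="Firefox/125 Linux" path=/settings/security
2024-05-02T09:20:00Z sid=b7c9 ip=192.0.2.10 ua="Safari/17 macOS" path=/login/mfa
2024-05-02T11:45:00Z sid=b7c9 ip=192.0.2.10 ua="Safari/17 macOS" path=/feed
2024-05-02T10:00:00Z sid=c2d4 ip=192.0.2.44 ua="Chrome/124 Android" path=/login/mfa
2024-05-02T10:03:00Z sid=c2d4 ip=192.0.2.91 ua="Chrome/124 Android" path=/feed
'''

LINE = re.compile(
    r'(?P<ts>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)" path=(?P<path>\S+)'
)

def parse(log_text):
    """Yield (timestamp, sid, ip, ua, path) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["sid"], m["ip"], m["ua"], m["path"]

def find_session_replay(log_text, window=timedelta(minutes=30)):
    """Flag sessions presented by a different client soon after they were issued."""
    issued = {}  # sid -> (timestamp, ip, ua) of the first request seen for that session
    alerts = []
    for ts, sid, ip, ua, path in sorted(parse(log_text)):
        if sid not in issued:
            issued[sid] = (ts, ip, ua)
            continue
        t0, ip0, ua0 = issued[sid]
        changed = [n for n, old, new in (("ip", ip0, ip), ("ua", ua0, ua)) if old != new]
        if changed and ts - t0 <= window:
            # IP and User-Agent changing together is the strong signal;
            # an IP change alone is common on mobile networks.
            severity = "high" if len(changed) == 2 else "low"
            alerts.append({"sid": sid, "severity": severity,
                           "changed": changed, "path": path, "seen_from": ip})
    return alerts

if __name__ == "__main__":
    for alert in find_session_replay(SAMPLE_LOG):
        print(alert)
```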

This demonstration shows an attack on a LinkedIn account, but it can work in many other settings that use TOTP, such as your personal Facebook or Instagram account.

This is why it is crucial for users to be vigilant when verifying login pages and always check the URL and security certificates before providing login credentials.

Conclusion

As you have understood, 2FA is not a miracle solution that will solve all your identification problems.

It is a good practice that allows for better control over identity and will likely deter or prevent certain attacks.

However, a motivated and skilled cybercriminal will be able to bypass this type of protection if your employees are not properly trained and aware.
