Microsoft on Tuesday profiled software for sale on online forums that makes it easy for criminals to deploy phishing campaigns that successfully compromise accounts, even when those accounts are protected by the most common form of multi-factor authentication.
The phishing kit is the engine that powers more than 1 million malicious emails every day, according to researchers on the Microsoft Threat Intelligence team. The software, which retails for $300 for a standard version and $1,000 for VIP users, offers a variety of advanced features for streamlining the implementation of phishing campaigns and increasing their chances of evading anti-phishing defenses.
One of the most notable features is the built-in ability to bypass some forms of multi-factor authentication. Also known as MFA, two-factor authentication, or 2FA, this protection requires account holders to prove their identity not only with a password, but also with something they possess (such as a security key or authenticator app) or something that is part of them (such as a fingerprint or facial scan). MFA has become an important defense against account takeovers because the theft of a password alone is not enough for an attacker to gain control.
MFA’s Achilles’ Heel: TOTPs
The effectiveness of MFA has not gone unnoticed by phishers. Several campaigns that have come to light in recent months have highlighted the vulnerability of MFA systems that use TOTPs, short for time-based one-time passwords, generated by authenticator apps. A campaign discovered by Microsoft targeted more than 10,000 organizations over a 10-month period. Another successfully broke into the network of security firm Twilio. Like the phishing kit Microsoft detailed on Tuesday, the two campaigns above used a technique known as AitM, short for adversary in the middle. It works by placing a phishing site between the targeted user and the site the user is trying to log into. When the user enters the password on the fake site, the fake site forwards it to the real site in real time. If the real site responds with a prompt for a TOTP, the fake site receives the prompt and passes it on to the target, also in real time. When the target enters the TOTP on the fake site, the fake site sends it to the real site.
To ensure that the TOTP is entered within the time limit (usually around 30 seconds), the phishers use bots based on Telegram or other real-time messengers that automatically enter credentials quickly. Once the process is complete, the real site sends an authentication cookie to the fake site. With that, the phishers have everything they need to take over the account.
Last May, a crime group that Microsoft tracks as DEV-1101 began advertising a phishing kit that not only beats MFA based on one-time passwords, but also other automated defenses that are widely used. One feature inserts a CAPTCHA into the process to ensure that human-operated browsers can access the final phishing page, but automated defenses cannot. Another feature briefly redirects the target’s browser from the initial link in the phishing email to a benign site before arriving at the phishing site. The redirect helps to bypass block lists of known malicious URLs.
Ads that began appearing last May described the kit as a phishing application written in NodeJS that provides PHP reverse proxy capabilities for bypassing MFA and CAPTCHA and redirects for bypassing other defenses. The ads promote other capabilities such as automated installation and a wide variety of pre-installed templates to mimic services such as Microsoft Office or Outlook.
“These features make the kit attractive to many different actors who have used it continuously since it became available in May 2022,” Microsoft researchers wrote. “Actors using this kit have different motivations and audiences and can target any industry or sector.”
The post went on to list several measures customers can use to counter the kit’s evasion capabilities, including Windows Defender and anti-phishing solutions. Unfortunately, the post glossed over the most effective measure, which is MFA based on the industry standard known as FIDO2. To date, no credential phishing attacks have been reported to defeat FIDO2, making it one of the most effective barriers to account takeovers.
See previous coverage here, here and here for more information on FIDO2-compliant MFA.
The phishing attack that broke Twilio’s network worked because one of the targeted employees entered an authenticator-generated TOTP into the attacker’s fake login site. The same campaign failed against content delivery network Cloudflare because the company used FIDO2-based MFA.
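The contrast between the TOTP relay described above and the FIDO2 outcome at Cloudflare comes down to one server-side check, and it is easy to see in code. The following is an added example, not code from the article or from Microsoft: a toy model of both login flows. The TOTP part is real RFC 6238 arithmetic; the FIDO2 part keeps the shape of a WebAuthn assertion (a browser-built client-data record containing the challenge and the origin the browser actually talked to, signed by the authenticator) but uses an HMAC with a per-credential key in place of the real public-key signature, which is a simplification. The site origins, the look-alike origin, the secrets and the session cookie are all constructed values.

```python
import hashlib
import hmac
import json
import struct


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code an authenticator app displays at time `at`."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpSite:
    """Real site using password + TOTP. Nothing in the submitted code tells it which page the user typed into."""

    def __init__(self, password: str, totp_secret: bytes):
        self._password = password
        self._secret = totp_secret

    def login(self, password: str, code: str, now: int):
        if not hmac.compare_digest(password, self._password):
            return None
        # Accept the current and the previous 30-second step (a common clock-drift tolerance).
        for skew in (0, -30):
            if hmac.compare_digest(code, totp(self._secret, now + skew)):
                return "session=constructed-cookie"
        return None


def _client_data(challenge: str, origin: str) -> bytes:
    # The browser builds this record; the page's own script cannot choose the origin field.
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin},
                      sort_keys=True).encode()


def authenticator_assert(cred_key: bytes, challenge: str, browser_origin: str):
    """Authenticator signs the client data the browser hands it (HMAC stands in for the real signature)."""
    data = _client_data(challenge, browser_origin)
    return data, hmac.new(cred_key, data, hashlib.sha256).digest()


class Fido2Site:
    ORIGIN = "https://login.example.test"  # constructed relying-party origin

    def __init__(self, cred_key: bytes):
        self._cred_key = cred_key
        self._issued = set()
        self._counter = 0

    def new_challenge(self) -> str:
        self._counter += 1
        ch = "challenge-%d" % self._counter  # constructed; a real RP uses random bytes
        self._issued.add(ch)
        return ch

    def verify(self, client_data: bytes, signature: bytes):
        parsed = json.loads(client_data)
        if parsed.get("challenge") not in self._issued:
            return None  # unknown or replayed challenge
        if parsed.get("origin") != self.ORIGIN:
            return None  # origin binding: the check a relaying proxy cannot satisfy
        expected = hmac.new(self._cred_key, client_data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None  # client data was altered after signing
        self._issued.discard(parsed["challenge"])
        return "session=constructed-cookie"


def run_scenarios() -> dict:
    """Which flows hand out a session cookie: a relayed TOTP does, a relayed FIDO2 assertion does not."""
    now = 1_700_000_000
    totp_secret = b"constructed-totp-seed"
    site = TotpSite("hunter2", totp_secret)
    code_typed = totp(totp_secret, now)  # what the victim types into the proxy's page
    totp_relayed = site.login("hunter2", code_typed, now + 5) is not None   # forwarded within the step
    totp_stale = site.login("hunter2", code_typed, now + 90) is not None    # forwarded two steps late

    cred_key = b"constructed-credential-key"
    rp = Fido2Site(cred_key)
    phish_origin = "https://login-example.test"  # constructed look-alike origin

    ch = rp.new_challenge()
    data, sig = authenticator_assert(cred_key, ch, Fido2Site.ORIGIN)
    fido2_direct = rp.verify(data, sig) is not None  # user really is on the genuine origin

    ch = rp.new_challenge()  # proxy obtains a genuine challenge and relays it to the victim's browser
    data, sig = authenticator_assert(cred_key, ch, phish_origin)
    fido2_relayed = rp.verify(data, sig) is not None  # origin in the signed data is the proxy's
    patched = json.loads(data)
    patched["origin"] = Fido2Site.ORIGIN  # editing the origin before forwarding breaks the signature
    fido2_rewritten = rp.verify(json.dumps(patched, sort_keys=True).encode(), sig) is not None

    return {"totp_relayed": totp_relayed, "totp_stale": totp_stale, "fido2_direct": fido2_direct,
            "fido2_relayed": fido2_relayed, "fido2_origin_rewritten": fido2_rewritten}


if __name__ == "__main__":
    for name, got_cookie in run_scenarios().items():
        print(f"{name}: {'cookie issued' if got_cookie else 'rejected'}")
```

The `totp_stale` case is why the kit needs real-time relay bots: a code forwarded two steps late is rejected, so the proxy must submit it within the window. In real WebAuthn the browser adds a second layer the toy omits: it refuses to use a credential at all when the page's effective domain does not match the credential's RP ID, so at the look-alike origin the ceremony never begins.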