Microsoft on Tuesday profiled software for sale on online forums that makes it easy for criminals to deploy phishing campaigns that successfully compromise accounts even when they are protected by the most common form of multi-factor authentication.
The phishing kit is the engine behind more than 1 million malicious emails every day, researchers from the Microsoft Threat Intelligence team said. The software, which sells for $300 for a standard version and $1,000 for VIP users, offers a range of advanced features that streamline the delivery of phishing campaigns and increase their chances of bypassing anti-phishing protections.
One of the most notable features is its built-in ability to bypass some forms of multi-factor authentication. Also known as MFA, two-factor authentication, or 2FA, this protection requires account holders to prove their identity not only with a password but also with something only they have (such as a security key or an authenticator app) or something only they are (a fingerprint or face scan, for instance). MFA has become an important defense against account takeovers, because stealing a password alone is no longer enough for an attacker to gain control.
MFA’s Achilles Heel: TOTPs
The effectiveness of MFA has not gone unnoticed by phishers. Several campaigns that have surfaced in recent months have underscored the vulnerability of MFA systems that rely on TOTPs, short for time-based one-time passwords generated by authenticator apps. One campaign uncovered by Microsoft targeted more than 10,000 organizations over a 10-month period. Another successfully penetrated the network of the security company Twilio. Like the phishing kit Microsoft detailed Tuesday, both campaigns used a technique known as AitM, short for “attacker in the middle.” It works by placing a phishing site between the targeted user and the site the user is trying to log in to. When the user enters a password on the fake site, the fake site relays it to the real site in real time. If the real site responds with a request for a TOTP, the fake site receives that request and relays it back to the user, again in real time. When the target enters the TOTP on the fake site, the fake site sends it on to the real site.
To ensure the TOTP is entered within its time limit (usually about 30 seconds), phishers use bots based on Telegram or other real-time messengers so that the captured credentials are entered quickly and automatically. Once the process is complete, the real site sends an authentication cookie to the fake site. That gives the phishers everything they need to take over the account.
Last May, a criminal group Microsoft tracks as DEV-1101 began promoting a phishing kit that defeats not only one-time-password-based MFA but also other automated defense mechanisms in widespread use. One feature inserts a CAPTCHA into the process to ensure that browsers operated by humans can reach the final phishing page while automated defenses cannot. Another briefly redirects the target’s browser from the initial link in the phishing email to a harmless website before sending it on to the phishing site. The redirect helps bypass block lists of known malicious URLs.
Ads that surfaced last May described the kit as a phishing application written in NodeJS that offers PHP reverse-proxy capabilities to bypass MFA and CAPTCHAs, along with redirects to bypass other defenses. The ads promote other features, such as an automated setup and a wide range of pre-installed templates that mimic services such as Microsoft Office or Outlook.
“These attributes make the kit attractive to a wide range of actors who have been using it continuously since it became available in May 2022,” Microsoft researchers wrote. “Stakeholders using this kit have different motivations and goals and can target any industry or sector.”
The post also lists several countermeasures customers can take to counter the kit’s bypass capabilities, including Windows Defender and anti-phishing solutions. Unfortunately, the post glossed over the most effective measure: MFA based on the industry standard FIDO2. To date, there have been no known credential-phishing attacks that defeat FIDO2, making it one of the most effective barriers to account takeovers.
For more information on FIDO2-compliant MFA, see previous coverage here, here, and here.
The phishing attack that breached Twilio’s network worked because one of the affected employees entered an authenticator-generated TOTP into the attacker’s fake login page. The same campaign failed against content delivery network Cloudflare because the company used FIDO2-based MFA.
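Why the relay described above defeats a TOTP but not FIDO2 comes down to one check on the relying-party side. The following is an added example, not code from Microsoft, Twilio, Cloudflare or the kit: it implements RFC 6238 TOTP verification and the WebAuthn assertion checks side by side and feeds each the same relayed secret. Origins and secrets are constructed, and the authenticator’s signature is simplified to an HMAC over a per-credential secret (a real authenticator uses an ECDSA key pair; the checks are otherwise the ones WebAuthn specifies).

```python
import hashlib, hmac, json
from urllib.parse import urlparse

# Added example: relayed TOTP vs. relayed FIDO2/WebAuthn assertion.
# Assumption: HMAC stands in for the authenticator's ECDSA signature.
RP_ORIGIN = "https://login.example"          # constructed: the real site
PHISH_ORIGIN = "https://login-example.net"   # constructed: the AitM proxy site


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code. It depends only on the secret and the clock: nothing in
    it records which site the user typed it into, so a relayed code is valid."""
    mac = hmac.new(secret, (now // step).to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def browser_assert(cred_secret: bytes, challenge: str, page_origin: str) -> dict:
    """What browser + authenticator return for navigator.credentials.get(). The
    browser records the origin it really loaded; page script cannot override it."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(urlparse(page_origin).hostname.encode()).digest()
    auth_data += b"\x01" + bytes(4)          # flags (user present) + sign counter
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_secret, to_sign, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify_webauthn(cred_secret: bytes, expected_challenge: str, a: dict) -> tuple:
    cd = json.loads(a["clientDataJSON"])
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge"
    if cd.get("origin") != RP_ORIGIN:        # origin binding: this is what stops AitM
        return False, "origin"
    if a["authenticatorData"][:32] != hashlib.sha256(urlparse(RP_ORIGIN).hostname.encode()).digest():
        return False, "rpIdHash"
    to_sign = a["authenticatorData"] + hashlib.sha256(a["clientDataJSON"]).digest()
    if not hmac.compare_digest(hmac.new(cred_secret, to_sign, hashlib.sha256).digest(), a["signature"]):
        return False, "signature"
    return True, "ok"


def relay_outcome(page_origin: str) -> dict:
    """User completes both MFA steps on page_origin; the proxy forwards each unchanged."""
    totp_secret, cred_secret, now, challenge = b"totp-seed", b"cred-seed", 1_700_000_000, "rp-challenge-1"
    totp_ok = hmac.compare_digest(totp(totp_secret, now), totp(totp_secret, now))  # RP-side TOTP check
    fido_ok, why = rp_verify_webauthn(cred_secret, challenge, browser_assert(cred_secret, challenge, page_origin))
    return {"totp_accepted": totp_ok, "fido2_accepted": fido_ok, "fido2_reason": why}
```

Run `relay_outcome(PHISH_ORIGIN)` to see the TOTP accepted and the FIDO2 assertion rejected with reason `origin`; the same call with `RP_ORIGIN` accepts both.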