Phishing attacks are perhaps the most common method attackers use to gain access to a target network. It is so common that many companies employ outside companies to generate test phishing campaigns in order to train employees on what to look out for. Even with these types of trainings many employees continue to type their credentials into pages designed specifically to steal them. Implementing 2 factor authentication mitigates a lot of risk because login credentials became useless to an attacker without the time based one time use code 2 factor authentication provides.
In order to defeat 2 factor authentication attackers shifted their methods from collecting credentials to collecting session tokens. This makes the attack more complicated because instead of just setting up a fake login page that saves credentials and forwards the user like nothing happened they have to proxy the traffic in real-time in order to make the user type in their one time code. One time codes aren’t able to be used again however, making storing the captured information for later useless. Instead the attacker must capture the session token given out by the server on a successful login and use it in their own browser to gain access to the target system. While this attack was always possible a recently released toolkit makes it much easier.
Last month at the Hack in a Box conference in Amsterdam researchers presented a toolkit that automates phishing when 2 factor authentication is involved. The toolkit is comprised of 2 parts that work together to automate the attack. The first is Muraena, a minimal configuration proxy designed to middleman the user and the target login page. It supports automatic resource rewriting so that the attacker doesn’t need to spend much time customizing each specific phish page. More advanced configuration options are available too, for sites which employ advanced anti-phishing defenses. The second part of the toolkit is NecroBrowser, an API controlled headless Chrome browser instance that is designed to utilize the session token stolen by Muraena. It is designed to be setup in an automated fashion so that it can immediately perform tasks on behalf of the attacker during a successful attack.
Currently there are very few solutions to successfully mitigate a well run attack with this toolkit . Utilizing Universal 2nd Factor authentication instead of traditional 2 factor services is the most successful way to prevent this attack as it completely prevents it from working. It is also important to continue training employees about the ever evolving attack landscape so that they can successfully identify and avoid these attacks.