In 2012, a reporter named Mat Honan detailed a series of destructive actions executed by hackers that wiped all data off his laptop, iPhone, resulting in lost all access to his Gmail and Twitter accounts. The hackers’ motivation centered around Mat’s ownership over a short and coveted Twitter handle. By using his Apple ID email address, the last four digits of his credit card, and billing address, Mat lost access to memorable photos and important work. Since then the cybersecurity community has emphasized the importance of multi-factor authentication, and its utility in preventing attacks that Honan suffered from. Despite the widespread use of two-factor authentication (2FA) – seen in most widely used apps – hackers have found ways to circumvent this technology and take over user accounts.

One of the first companies to implement 2FA was Lockheed Martin. Employees used a third-party company to generate the 2FA codes. But in 2011 hackers simply attacked this third-party and obtained the “master key” used to generate the codes. Although the mechanism and architecture of the program was correct, establishing security audits of third-party vendors is critical to maintaining a strong security posture. One of the more modern means of defeating 2FA is not directly attacking a company, but being in the middle between the user and the application they are logging into.

When a user logs into an application and is required to enter their 2FA code, all of this information is being relayed through a number of nodes before reaching the destined application server. If an attacker can place themselves somewhere along this route, then both the credentials and session cookie can be stolen and used to log in as that user. In order to accomplish this the attacker may utilize a reverse proxy to be in the middle of all communications. Some applications use Subresource Integrity (SRI) and Content Security Policy (CSP) to prevent the use of proxying while using the application.

Test your defenses

Recently however, two open source projects named Muraena and Necrobrowser were created to circumvent the proxying restrictions and automate the phishing process. Muraena is a reverse proxy that allows for custom creation of a phishing domain coupled with a legitimate certificate generated using Let’s Encrypt. This proxy takes data between the user and application and extracts the credentials and session token. This token is then passed to Necrobrowser which can use the tokens for the attacker to login. Necrobrowser is a service that can be run out of docker containers and serves as a headless browser. The attacker can then take screenshots of accounts, reset passwords, and add unauthorized forwarding email addresses to an inbox.

Putting the pieces together

One of the best ways to counter a hacker seeking to steal 2FA tokens through a phishing attack is to establish and maintain a phishing awareness program. The entire premise of a phishing attack is predicated on fooling an end-user. If the user is trained on best practices when using email or other forms of online communication then phishing attacks become much more difficult to execute. Packetlabs provides services that include executing phishing campaigns to safely test an employee’s resistance to phishing. For more information regarding phishing campaigns and other specialized pentesting services please contact us.