• Skip to main content
  • Skip to header right navigation
  • Skip to site footer
Restore Privacy

Restore Privacy

Resources to stay safe and secure online

  • News
  • Tools
    • Secure Browser
    • VPN
    • Ad Blocker
    • Secure Email
    • Private Search Engine
    • Data Removal
      • Incogni Review
    • Password Manager
    • Secure Messaging App
    • Tor
    • Identity Theft Protection
    • Unblock Websites
    • Privacy Tools
  • Email
    • Secure Email
    • ProtonMail Review
    • Tutanota Review
    • Mailfence Review
    • Mailbox.org Review
    • Hushmail Review
    • Posteo Review
    • Fastmail Review
    • Runbox Review
    • CTemplar Review
    • Temporary Disposable Email
    • Encrypted Email
    • Alternatives to Gmail
  • VPN
    • What is VPN
    • VPN Reviews
      • NordVPN Review
      • Surfshark VPN Review
      • VyprVPN Review
      • Perfect Privacy Review
      • ExpressVPN Review
      • CyberGhost Review
      • AVG VPN Review
      • IPVanish Review
      • Hotspot Shield VPN Review
      • ProtonVPN Review
      • Atlas VPN Review
      • Private Internet Access Review
      • Avast VPN Review
      • TorGuard Review
      • PrivadoVPN Review
    • VPN Comparison
      • NordVPN vs ExpressVPN
      • NordVPN vs PIA
      • IPVanish vs ExpressVPN
      • CyberGhost vs NordVPN
      • Surfshark vs NordVPN
      • IPVanish vs NordVPN
      • ExpressVPN vs PIA
      • VyprVPN vs NordVPN
      • CyberGhost vs ExpressVPN
      • NordVPN vs HideMyAss
      • ExpressVPN vs ProtonVPN
      • Atlas VPN vs NordVPN
      • ExpressVPN vs Surfshark
      • NordVPN vs Proton VPN
      • Surfshark vs CyberGhost
      • Surfshark vs IPVanish
    • Best VPNs
      • Best VPN for Torrenting
      • Best VPN for Netflix
      • Best Free VPN
      • VPN for Firestick TV
      • Best VPN for Android
      • Best VPN for Gaming
      • Best VPN for PC
      • Best VPN for Disney Plus
      • Best VPN for Hulu
      • Best VPN for Mac
      • Best VPN for Streaming
      • Best VPN for Windows
      • Best VPN for iPhone
    • VPN Coupons
      • ExpressVPN Coupon
      • NordVPN Coupon
      • Cyber Monday VPN Deals
      • NordVPN Cyber Monday
      • Surfshark VPN Cyber Monday
      • ExpressVPN Cyber Monday
    • VPN Guides
      • Free Trial VPN
      • Cheap VPNs
      • Static IP VPN
      • VPN Ad Blocking
      • No Logs VPN
      • Best VPN Chrome
      • Best VPN Reddit
      • Split Tunneling VPN
      • VPN for Binance
      • WireGuard VPN
      • VPN for Amazon Prime
      • VPN for Linux
      • VPN for iPad
      • VPN for Firefox
      • VPN for BBC iPlayer
    • By Country
      • Best VPN Canada
      • Best VPN USA
      • Best VPN UK
      • Best VPN Australia
      • VPN for Russia
    • VPN Router
  • Password
    • Best Password Managers
    • Comparisons
      • NordPass vs 1Password
      • 1Password vs LastPass
      • NordPass vs LastPass
      • RoboForm vs NordPass
      • 1Password vs Bitwarden
      • Dashlane vs NordPass
      • 1Password vs Dashlane
      • NordPass vs Bitwarden
    • KeePass Review
    • NordPass Review
    • 1Password Review
    • Dashlane Review
    • RoboForm Review
    • LastPass Review
    • Bitwarden Review
    • Strong Password
  • Storage
    • Best Cloud Storage
    • pCloud Review
    • Nextcloud Review
    • IDrive Review
    • SpiderOak Review
    • Sync.com Review
    • MEGA Cloud Review
    • NordLocker Review
    • Tresorit Review
    • Google Drive Alternatives
  • Messenger
    • Secure Messaging Apps
    • Signal Review
    • Telegram Review
    • Wire Review
    • Threema Review
    • Session Review
  • Info
    • Mission
    • Press
    • Contact
  • News
  • Tools
    • Secure Browser
    • VPN
    • Ad Blocker
    • Secure Email
    • Private Search Engine
    • Data Removal
      • Incogni Review
    • Password Manager
    • Secure Messaging App
    • Tor
    • Identity Theft Protection
    • Unblock Websites
    • Privacy Tools
  • Email
    • Secure Email
    • ProtonMail Review
    • Tutanota Review
    • Mailfence Review
    • Mailbox.org Review
    • Hushmail Review
    • Posteo Review
    • Fastmail Review
    • Runbox Review
    • CTemplar Review
    • Temporary Disposable Email
    • Encrypted Email
    • Alternatives to Gmail
  • VPN
    • What is VPN
    • VPN Reviews
      • NordVPN Review
      • Surfshark VPN Review
      • VyprVPN Review
      • Perfect Privacy Review
      • ExpressVPN Review
      • CyberGhost Review
      • AVG VPN Review
      • IPVanish Review
      • Hotspot Shield VPN Review
      • ProtonVPN Review
      • Atlas VPN Review
      • Private Internet Access Review
      • Avast VPN Review
      • TorGuard Review
      • PrivadoVPN Review
    • VPN Comparison
      • NordVPN vs ExpressVPN
      • NordVPN vs PIA
      • IPVanish vs ExpressVPN
      • CyberGhost vs NordVPN
      • Surfshark vs NordVPN
      • IPVanish vs NordVPN
      • ExpressVPN vs PIA
      • VyprVPN vs NordVPN
      • CyberGhost vs ExpressVPN
      • NordVPN vs HideMyAss
      • ExpressVPN vs ProtonVPN
      • Atlas VPN vs NordVPN
      • ExpressVPN vs Surfshark
      • NordVPN vs Proton VPN
      • Surfshark vs CyberGhost
      • Surfshark vs IPVanish
    • Best VPNs
      • Best VPN for Torrenting
      • Best VPN for Netflix
      • Best Free VPN
      • VPN for Firestick TV
      • Best VPN for Android
      • Best VPN for Gaming
      • Best VPN for PC
      • Best VPN for Disney Plus
      • Best VPN for Hulu
      • Best VPN for Mac
      • Best VPN for Streaming
      • Best VPN for Windows
      • Best VPN for iPhone
    • VPN Coupons
      • ExpressVPN Coupon
      • NordVPN Coupon
      • Cyber Monday VPN Deals
      • NordVPN Cyber Monday
      • Surfshark VPN Cyber Monday
      • ExpressVPN Cyber Monday
    • VPN Guides
      • Free Trial VPN
      • Cheap VPNs
      • Static IP VPN
      • VPN Ad Blocking
      • No Logs VPN
      • Best VPN Chrome
      • Best VPN Reddit
      • Split Tunneling VPN
      • VPN for Binance
      • WireGuard VPN
      • VPN for Amazon Prime
      • VPN for Linux
      • VPN for iPad
      • VPN for Firefox
      • VPN for BBC iPlayer
    • By Country
      • Best VPN Canada
      • Best VPN USA
      • Best VPN UK
      • Best VPN Australia
      • VPN for Russia
    • VPN Router
  • Password
    • Best Password Managers
    • Comparisons
      • NordPass vs 1Password
      • 1Password vs LastPass
      • NordPass vs LastPass
      • RoboForm vs NordPass
      • 1Password vs Bitwarden
      • Dashlane vs NordPass
      • 1Password vs Dashlane
      • NordPass vs Bitwarden
    • KeePass Review
    • NordPass Review
    • 1Password Review
    • Dashlane Review
    • RoboForm Review
    • LastPass Review
    • Bitwarden Review
    • Strong Password
  • Storage
    • Best Cloud Storage
    • pCloud Review
    • Nextcloud Review
    • IDrive Review
    • SpiderOak Review
    • Sync.com Review
    • MEGA Cloud Review
    • NordLocker Review
    • Tresorit Review
    • Google Drive Alternatives
  • Messenger
    • Secure Messaging Apps
    • Signal Review
    • Telegram Review
    • Wire Review
    • Threema Review
    • Session Review
  • Info
    • Mission
    • Press
    • Contact

Phishing Attacks that Bypass 2FA Protection Are on the Rise

December 23, 2022 By Heinrich Long — 4 Comments
Phishing Attacks that Bypass 2FA

The adoption of two-factor authentication (2FA) as an account protection method pushes phishing actors to turn to reverse-proxy solutions that are becoming increasingly popular.

According to a report from Unit 42 of Palo Alto Networks, these attacks, otherwise called ‘meddler in the middle,’ are effective enough to get around existing defenses and break down the brittle wall of perceived security.

The increased demand for reverse-proxy services that help phishing actors snatch two-factor authentication codes from their victims has resulted in the opening of two new platforms in 2022, assisting the technique to proliferate further.

How MitM Attacks Work

In traditional phishing attacks, the victim is lured into entering their credentials (username/email + password) on a phishing site. Then the threat actors may use the stolen pairs to log in to the victim’s account.

If two-factor authentication is active on the account, the account owner will receive a one-time password (OTP) on their mobile via SMS or email. In other cases, authentication apps are used, which generate OTPs periodically for this purpose.

Whatever the method, the 2FA step would block account takeover attacks as the threat actors wouldn’t have a way to guess the correct OTP.

This problem is solved by reverse proxy services such as Elivginx2, Modlishka, Muraena, EvilnoVNC, and EvilProxy. The last two were launched in 2022, offering more advanced features and user-friendly GUI-based environments.

Currently available reverse-proxying phishing tools
Unit42

The platforms help phishing actors forward login requests to the actual services, relay 2FA requests back to the victims, and then forward the codes to the server, all happening using a reverse proxy.

A reverse proxy is a server that acts as an intermediary between Internet users and web servers located behind a firewall. It receives requests from Internet users and forwards them to the appropriate servers, then returns the servers’ responses to the users. This setup allows web servers to serve requests without being directly exposed to the Internet.

The trick is that the phishing actor sits in the middle of this information exchange, snatching the authorization cookie the real service server generates once the correct 2FA code is provided.

MitM attack diagram
Unit42

In summary, it’s like facilitating the complete login process for the victim on the real service, logging them in and stealing their session while keeping the victim on the fake site the whole time.

Recent Campaigns

Unit42’s report highlights three recent cases of MitM campaigns targeting valuable accounts using reverse proxy services.

The first case was reported by Microsoft in July 2022, where the threat actors used Evilginx2 to steal Microsoft accounts after they lured targets with fake notices via email.

Unit42 spotted a similar campaign in recent weeks, which appears to be targeting Microsoft 365 accounts.

Phishing page from recent campaign targeting MS365 accounts
Unit42

In September 2022, threat actors set up a MitM attack targeting CircleCI users and their GitHub credentials using a clone site that looked exactly like the real one.

“For targets with OTP-based 2FA set up, the MitM server also prompted them to enter the OTP, which was then forwarded to GitHub, allowing for a successful login,” reads the Unit42 report.

“From there, attackers would persist in their access by quickly creating personal access tokens (PATs) or adding their own SSH keys to the victim’s account.”

Phishing page used in the CicleCI campaign
Unit42

Most recently, in November 2022, Dropbox disclosed it had fallen victim to a sophisticated MitM attack that resulted in the breach of 130 private repositories.

This incident convinced Dropbox it was time to abandon the 2FA account protection scheme for more robust, WebAuthn-based schemes.

How to Defend

Unfortunately, there’s not much users can do to protect their accounts against MitM attacks besides being very cautious when requested to enter credentials and double-checking the URL of the site they’re on.

User authentication servers could identify and filter out malicious forwarding requests only by implementing TLS fingerprinting on the client side, but the industry is quite far from that stage at the moment.

Currently, the only widely employed defense against these attacks is to use IP-based blocklists refreshed daily, which is obviously not good enough.

Related Articles:

  • How to Use Two-Factor Authentication (2FA)
  • Abuse of IPFS to Host Malware and Phishing Kits on the Rise
  • Uber Suffers New Data Leak After Third-Party Vendor Gets Hacked

About Heinrich Long

Heinrich is an associate editor for RestorePrivacy and veteran expert in the digital privacy field. He was born in a small town in the Midwest (USA) before setting sail for offshore destinations. Although he long chafed at the global loss of online privacy, after Edward Snowden’s revelations in 2013, Heinrich realized it was time to join the good fight for digital privacy rights. Heinrich enjoys traveling the world, while also keeping his location and digital tracks covered.

Reader Interactions

Comments

  1. Ayumu Uehara

    January 10, 2023

    Some tips to prevent phishing MITM attacks:
    1. Ad blocker like AdNauseam or Ublock Origin has a function to block phishing sites. Go to settings > Filter list > Malware > Check phishing URL blocklist.

    2.. You can use Yubikey if you can.
    https://www.yubico.com/phishing-attacks-are-getting-smarter/

    3. You can check for phishing sites on checkphish.ai. .

    4. Browser extensions like Bitwarden extension or KeepassXC extension can check whether that site is real or not. This works because the browser extension won’t autofill the password unless you’re on the correct website.

    Reply
  2. ASK

    January 1, 2023

    I have found 2FA is more hassle than it’s worth. One could be subject to mobile (network) outages and more preventing accessing their own account. Rarely does a website have more than one method of 2FA eg. SMS. email, landline, etc.

    If someone is determined to hack your account, there’s very little you can do…unless perhaps you pay for a special service. I’m not convinced a DNS service is the solution like some people who believe they know “it all”. Besides, why should I pay be secure? That [should be] he role of the website admin.

    Reply
  3. Marc

    December 25, 2022

    I thought Cloudfare(1.1.1.1) was one of the best Secure DNS for browsing. I have all my browsers set to use it.

    Is Quad9 or NextDNS better or in the same category?

    Sven, you should do an article on this topic. Thanks.

    Reply
  4. Bronco

    December 24, 2022

    That’s why a good DNS service, which protects from such attacks, is mandatory. For good security and privacy on DNS level you can try Quad9 or NextDNS.

    Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Sidebar

Digital Privacy Essentials:
Secure Browsers
Private Search Engines
Secure Email
Best Password Managers
Secure Messaging Services
Best Ad Blockers
Best VPN Services
Secure Cloud Storage

Privacy & Security Guides:
Privacy Tools
Alternatives to Google Products
Firefox Privacy Modifications
Five Eyes, 9 Eyes, 14 Eyes Spying
Browser Fingerprinting
Is Tor Safe?
Alternatives to Gmail
VPN vs Tor
Alternatives to WhatsApp
Is Your Antivirus Spying on You?
Controlling Communication Channels is Crucial for Privacy
Anonymity Networks: VPNs, Tor, and I2P
How to Really Be Anonymous Online
Private and Anonymous Payments

Secure Email Reviews:
ProtonMail Review
Tutanota Review
Mailfence Review
Mailbox.org Review
Hushmail Review
Posteo Review
Fastmail Review
Runbox Review
CTemplar Review
Temporary Email Services
Encrypted Email

Password Manager Reviews:
Bitwarden Review
LastPass Review
KeePass Review
NordPass Review
Dashlane Review
1Password Review
Best Password Managers

Secure Messaging App Reviews:
Wire Review
Signal Review
Threema Review
Telegram Review
Session Review
Wickr Review

Secure Cloud Storage Reviews
Tresorit Review
MEGA Cloud Review
Sync.com Review
Nextcloud Review
IDrive Review
pCloud Review
SpiderOak Review
NordLocker Review

How To Guides
How to Encrypt Files on Windows
How to Encrypt Email
How to Configure Windows 10 for Privacy
How to use Two-Factor Authentication (2FA)
How to Secure Your Android Device for Privacy
How to Secure Your Home Network
How to Protect Yourself Against Identity Theft
How to Unblock Websites
How to Fix WebRTC Leaks
How to Test Your VPN
How to Hide Your IP Address
How to Create Strong Passwords
How to Really Be Anonymous Online

About RestorePrivacy

Contact

Restore Privacy Checklist

  1. Secure browser: Modified Firefox or Brave
  2. VPN: NordVPN (68% Off Coupon) or Surfshark
  3. Ad blocker: uBlock Origin or AdGuard
  4. Secure email: Mailfence or Tutanota
  5. Secure Messenger: Signal or Threema
  6. Private search engine: MetaGer or Brave
  7. Password manager: NordPass or Bitwarden

About

Restore Privacy is a digital privacy advocacy group committed to helping people stay safe and secure online. You can support this project through donations, purchasing items through our links (we may earn a commission at no extra cost to you), and sharing this information with others. See our mission here.

We’re available for Press and media inquiries here.

Restore Privacy is also on Twitter

COPYRIGHT © 2023 RESTORE PRIVACY, LLC · PRIVACY POLICY · TERMS OF USE · CONTACT · SITEMAP