The adoption of two-factor authentication (2FA) as an account protection method pushes phishing actors to turn to reverse-proxy solutions that are becoming increasingly popular.
According to a report from Unit 42 of Palo Alto Networks, these attacks, otherwise called ‘meddler in the middle,’ are effective enough to get around existing defenses and break down the brittle wall of perceived security.
The increased demand for reverse-proxy services that help phishing actors snatch two-factor authentication codes from their victims has resulted in the opening of two new platforms in 2022, assisting the technique to proliferate further.
How MitM Attacks Work
In traditional phishing attacks, the victim is lured into entering their credentials (username/email + password) on a phishing site. Then the threat actors may use the stolen pairs to log in to the victim’s account.
If two-factor authentication is active on the account, the account owner will receive a one-time password (OTP) on their mobile via SMS or email. In other cases, authentication apps are used, which generate OTPs periodically for this purpose.
Whatever the method, the 2FA step would block account takeover attacks as the threat actors wouldn’t have a way to guess the correct OTP.
This problem is solved by reverse proxy services such as Elivginx2, Modlishka, Muraena, EvilnoVNC, and EvilProxy. The last two were launched in 2022, offering more advanced features and user-friendly GUI-based environments.
The platforms help phishing actors forward login requests to the actual services, relay 2FA requests back to the victims, and then forward the codes to the server, all happening using a reverse proxy.
A reverse proxy is a server that acts as an intermediary between Internet users and web servers located behind a firewall. It receives requests from Internet users and forwards them to the appropriate servers, then returns the servers’ responses to the users. This setup allows web servers to serve requests without being directly exposed to the Internet.
The trick is that the phishing actor sits in the middle of this information exchange, snatching the authorization cookie the real service server generates once the correct 2FA code is provided.
In summary, it’s like facilitating the complete login process for the victim on the real service, logging them in and stealing their session while keeping the victim on the fake site the whole time.
Unit42’s report highlights three recent cases of MitM campaigns targeting valuable accounts using reverse proxy services.
The first case was reported by Microsoft in July 2022, where the threat actors used Evilginx2 to steal Microsoft accounts after they lured targets with fake notices via email.
Unit42 spotted a similar campaign in recent weeks, which appears to be targeting Microsoft 365 accounts.
In September 2022, threat actors set up a MitM attack targeting CircleCI users and their GitHub credentials using a clone site that looked exactly like the real one.
“For targets with OTP-based 2FA set up, the MitM server also prompted them to enter the OTP, which was then forwarded to GitHub, allowing for a successful login,” reads the Unit42 report.
“From there, attackers would persist in their access by quickly creating personal access tokens (PATs) or adding their own SSH keys to the victim’s account.”
Most recently, in November 2022, Dropbox disclosed it had fallen victim to a sophisticated MitM attack that resulted in the breach of 130 private repositories.
This incident convinced Dropbox it was time to abandon the 2FA account protection scheme for more robust, WebAuthn-based schemes.
How to Defend
Unfortunately, there’s not much users can do to protect their accounts against MitM attacks besides being very cautious when requested to enter credentials and double-checking the URL of the site they’re on.
User authentication servers could identify and filter out malicious forwarding requests only by implementing TLS fingerprinting on the client side, but the industry is quite far from that stage at the moment.
Currently, the only widely employed defense against these attacks is to use IP-based blocklists refreshed daily, which is obviously not good enough.