Muraena and NecroBrowser Prove That Automated Phishing Attacks Can Bypass Two-Factor Authentication
Our infinite dependence on passwords is one of the reasons researchers are looking for new methods to ensure cybersecurity. Multi-factor authentication or two-factor authentication is one of those security features that put up a strong additional layer of security to our personal data. Although it is not perfect, it makes it harder for hackers to access sensitive information.
However, researchers Michele Orru and Giuseppe Trotta have recently proven that it is possible to bypass two-factor authentication with a phishing attack. Although it requires certain tools to achieve that, it clearly shows that relying on one single method of authentication is not enough to ensure your personal data security.
Table of Contents
What Is Two-Factor Authentication
Before we get down into details, we should tell you shortly about two-factor authentication, and why it is the preferred method of identity authentication. The point behind two-factor authentication is that it uses unique security tokens that only the user who is trying to access a particular account is supposed to have. Also, those tokens are usually one-time passwords that expire quite soon.
Usually, these tokens are temporary codes that users receive into their emails or mobile phones. These codes protect users and their data from traditional phishing attacks because it is not possible to intercept them. Or so we thought until a month ago.
Two-Factor Authentication Vulnerability
Before we get down to it, please be aware that there is no need to panic, as these two-factor authentication vulnerabilities were unearthed by security researches. We could say that this research was similar to the one we have described earlier in our post on hacking tools: Researchers were looking for ways to make the authentication process stronger by indicating its vulnerabilities.
So, how to bypass two-factor authentication? For a phishing attack to be successful, the usual phishing websites need to function as proxies. It means that they have to work as a connection between the victim and the original website that issues the two-factor authentication code. This connection has to be instantaneous so that the criminals could acquire the temporary session cookies that would allow them to access target accounts.
Researchers say that this technique is not something unheard of. The idea has been there for quite a while; it’s just that there was no technology that would have helped with it. Not to mention that the reverse-proxy feature doesn’t work on websites that employ Subresource Integrity (SRI) and Content Security Policy (CSP), which essentially block proxies.
This is where Muraena and NecroBrowser, developed by researchers Orru and Trotta, come into the picture. If there is anyone wondering how to bypass two-factor authentication, these tools can help them do it. And once it is done, it is possible to launch a successful phishing attack.
Muraena & NecroBrowser
Although the tech-speak associated with these tools may not say much to an average user, we feel it is important to discuss both tools a little bit, as they are a good example of what can be developed to improve phishing attacks.
NecroBrowser is a tool that can be used in post-phishing automation. It is a microservice that allows one to specify a target portal. In other words, it helps to hijack the legitimate authentication session, and when the attackers feed sessions that are harvested during phishing campaigns, the service is supposed to perform actions on the victim’s behalf. Depending on what the tool is supposed to do, it can perform automated password resets, extrude information, impersonate users, backdoor accounts with new keys, and so on.
Muraena, on the other hand, is a reverse proxy that is written in the Go programming language. This proxy is supposed to automate phishing attacks and other post-phishing activities. This tool allows the attackers to obtain legitimate certificates for their domains, thus making it harder to notice a phishing website. Also, the proxy works as a crawler that checks all the resources and automatically decides which one it can proxy. So when it receives requests from victims, the proxy rewrites them and passes them on, virtually allowing the attackers to take over the information that travels through it.
Both, Muraena and NecroBrowser turn the browser into a zombie, and the actions performed can be totally automated. Let’s not forget that attackers might also program the tools to perform a variety of actions. It wouldn’t be surprising if they could take screenshots of emails or add rogue addresses to mailboxes. This would only ensure that phishing attacks spread further. If these tools or anything like them fall into the wrong hands, there could be an onslaught of dangerous phishing attacks in the future.
What Can Users Do?
Security specialists are unanimous in that there is no one permanent solution to this issue. Since Muraena and NecroBrowser were created to point out the two-factor authentication vulnerabilities, they only showed that users shouldn’t keep all of their eggs in one basket, so to speak.
Although two-factor authentication is definitely a step forward, you should use it together with other methods that improve your cybersecurity. When it comes to passwords, you might want to employ a password manager that would store and generate your passwords. Some also suggest using USB hardware tokens for two-factor authentication instead of one-time passwords, but the USB solution also isn’t bulletproof because the attackers can simply program their tools to refuse the USB token authentication, thus issuing the temporary code request. So, we have to remember that there is always a way to bypass two-factor authentication somehow.
Also, it is vitally important to remain vigilant and be wary of the phishing messages that are trying to push you into authenticating your identities. If you land on the authentication website through a link in your email, be sure that you are definitely there on the correct website, and that the domain name is legitimate. When in doubt, you can always check if there is the TLS or SLL indicator (like the GlobalSign lock icon). The absence of these indicators is the first sign that the website you are on is probably malicious. It is never too late to backpedal if you haven’t yet entered your personal information, so be careful and responsible about the data you share online.