Phishing Attack Bypassing MFA

Multi-Factor Authentication will soon be useless

Multi-Factor Authentication (MFA) is a security measure that requires two or more proofs of identity to grant you access. For example, in addition to providing your password, you need a one-time password (OTP) sent by email or text message, or generated by an authenticator app. On some websites, it can be an approval prompt sent to a smartphone app after you enter your password.

The conventional wisdom is that MFA will increase your security. But unfortunately, this conventional wisdom will soon be inadequate.

Make no mistake, MFA will soon no longer protect you from phishing attacks. A new class of phishing technology will be able to bypass MFA.

To understand why, let’s take a brief look at the history of phishing. In the past, phishing attacks were just a means for hackers to harvest your password. After stealing your password, the hacker then attempted to log into the real website using your stolen credential. If you had MFA set up, this would stop the hacker. Basically, there was a time lag between when your password was stolen and when the hacker used it to log into your account.

Today, hackers have grown a lot more sophisticated: there is no such time lag. First, when you visit the phishing website, it will retrieve the content from the real website and relay it back to you. When you enter your password on the phishing website, it will use it to log into your account on the real website simultaneously. What if the real website asks for your MFA? The phishing website will then relay the MFA request from the real website back to you in real time! Then when you provide the answer to the MFA request (e.g. OTP) to the phishing website, it will relay what you provided back to the real website in real time. In other words, the phishing website now functions as a real-time intermediary between you and the real website.

Let’s call this phishing real-time intermediary a “phishing proxy”.
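Why a relayed OTP is still accepted, as an added example that is not part of the original post: a minimal RFC 6238 TOTP verifier with single-use protection, run against a delayed submission and a real-time one. The secret, the timestamps and the `submitted_by` label are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", now // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Server-side OTP check with single-use (replay) protection."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_used_step = -1

    def verify(self, code: str, now: int, submitted_by: str) -> bool:
        # submitted_by is a label for the reader only: the check cannot use
        # it, because the code says nothing about where the user typed it.
        step = now // STEP
        if step <= self.last_used_step:
            return False  # the code for this step was already consumed
        if not hmac.compare_digest(code, totp(self.secret, now)):
            return False  # wrong or expired code
        self.last_used_step = step
        return True

def simulate() -> dict:
    secret = b"constructed-demo-secret"  # constructed sample value
    t0 = 1_700_000_010                   # constructed timestamp
    code = totp(secret, t0)              # what the user's app displays
    results = {}
    # Time-lag case: the code is captured and submitted minutes later.
    results["delayed"] = Verifier(secret).verify(code, t0 + 300, "other-client")
    # Real-time case: another client forwards the same code seconds later.
    server = Verifier(secret)
    results["relayed"] = server.verify(code, t0 + 5, "other-client")
    # Replay protection then rejects the user's own later use of that code.
    results["user_retry"] = server.verify(code, t0 + 8, "user")
    return results

if __name__ == "__main__":
    print(simulate())
```

The verifier can reject a stale or reused code, but it has no input that identifies which website the user typed the code into.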

In the past, implementing a phishing proxy required sophisticated technical knowledge. Not every cybercriminal knew how to do that. The bar was very high. As a result, phishing proxy attacks were not common. Because they were uncommon, MFA was an adequate cybersecurity measure to protect most people most of the time.

Today, this is no longer the case. The latest research on cybercrime intelligence by Resecurity shows that the technical bar is now considerably lowered for cyber-criminals. In the cybercrime underworld, sophisticated hackers are selling phishing proxy technology to cyber-criminals as a subscription ‘service’! This video from Resecurity shows a ‘sales’ demo from the hackers for this subscription ‘service’ called “EvilProxy”:

What is the implication of the EvilProxy service?

Now, thanks to the EvilProxy subscription ‘service’, any cyber-criminal without deep technical knowledge can easily conduct sophisticated phishing proxy attacks. Because it is so easy, phishing attacks that can bypass MFA are going to proliferate. That means MFA is going to be increasingly useless.

Since a lot of people have the outdated idea that MFA will protect them from phishing attacks, they are going to be complacent and become victims.

How can you protect yourself from phishing proxy attacks?

One way to protect yourself is to rely on visual inspection of the web browser’s address bar. But this way is increasingly risky because hackers now have sophisticated tricks to fool the human eye. Here are the tricks that I have listed.

Other than visually inspecting the web domain on the web browser’s address bar, there are only a few authentication technologies that can protect you from sophisticated phishing proxy attacks.

Here are the ones you can use:
