MFA No Longer an Obstacle for Threat Actors

February 15, 2022

As employers allow more employees to work from home, safeguarding company networks continues to be a challenge. To mitigate the increased risk from phishing campaigns targeting remote workers, many companies have adopted two-factor authentication (2FA). 2FA may consist of a one-time code sent via SMS or email, a token, or a unique cryptographic key. This adds an extra layer of protection because the threat actor (TA) needs more than just your username and password.

However, threat actor tactics are evolving quickly, and attackers now use reverse proxy phish kits to work around 2FA. These kits use a transparent reverse proxy to present the actual website to the victim, keeping the ruse of the legitimate website intact. The reverse proxy also lets the threat actor man-in-the-middle (MitM) the session, capturing the credentials and the session cookie needed to access the account. This technique easily evades detection and has remained a blind spot for industry professionals. Kivu recommends client-side TLS fingerprinting, which may help identify MitM requests so security personnel can take appropriate protective measures.
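One way to apply the TLS fingerprinting recommendation, as an added example that is not part of the original post: a reverse proxy opens its own TLS connection to the real site, so the ClientHello the server sees reflects the proxy's TLS library while the forwarded User-Agent still names the victim's browser. The sketch computes a JA3 fingerprint and flags that mismatch; `BASELINE`, `ua_family`, `check_login` and all ClientHello values are constructed for illustration.

```python
import hashlib

def is_grease(v):
    # GREASE placeholders (0x0a0a, 0x1a1a, ... 0xfafa) vary per connection; JA3 ignores them.
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)

def ja3_string(hello):
    # JA3 input: version,ciphers,extensions,curves,point_formats (decimal, "-" within a field).
    fields = [[hello["version"]], hello["ciphers"], hello["extensions"],
              hello["curves"], hello["point_formats"]]
    return ",".join("-".join(str(v) for v in f if not is_grease(v)) for f in fields)

def ja3(hello):
    return hashlib.md5(ja3_string(hello).encode()).hexdigest()

def ua_family(user_agent):
    # Hypothetical, deliberately coarse User-Agent classifier.
    for token, family in (("Firefox/", "firefox"), ("Chrome/", "chrome")):
        if token in user_agent:
            return family
    return "other"

# Constructed ClientHello parameters, not captured traffic.
BROWSER_HELLO = {"version": 771, "ciphers": [0x1A1A, 4865, 4866, 4867, 49195, 49199],
                 "extensions": [0x2A2A, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 51, 45, 43],
                 "curves": [0x3A3A, 29, 23, 24], "point_formats": [0]}
PROXY_HELLO = {"version": 771, "ciphers": [4865, 4866, 4867, 49199, 49195, 52392],
               "extensions": [0, 5, 10, 11, 13, 65281, 16, 43, 51],
               "curves": [29, 23, 24, 25], "point_formats": [0]}

# Baseline the defender builds from known-good clients: family -> JA3 hashes seen.
BASELINE = {"chrome": {ja3(BROWSER_HELLO)}}

def check_login(user_agent, hello):
    known = BASELINE.get(ua_family(user_agent))
    if known is None:
        return "unknown"   # no baseline for this client family yet
    return "ok" if ja3(hello) in known else "mismatch"

CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/98.0 Safari/537.36"
if __name__ == "__main__":
    print(check_login(CHROME_UA, BROWSER_HELLO))
    print(check_login(CHROME_UA, PROXY_HELLO))
```

A "mismatch" is a signal for step-up verification or review rather than proof of a proxy, and clients that shuffle ClientHello extension order need an order-insensitive fingerprint in the baseline.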