
Hackers Hijack Email Accounts During Login
Sophisticated Phishing Tools Bypass 2FA Authentication
With companies rapidly adopting multi-factor authentication (MFA), stealing a user’s password alone is no longer enough. That is why attackers are circumventing MFA with reverse-proxy phishing kits such as Evilginx2, Muraena, and Modlishka.
These kits run a reverse proxy that sits between the victim and the email provider’s login server, an arrangement known as adversary-in-the-middle (AiTM). The victim is lured to a phishing domain that relays the provider’s real login pages in real time, so what they see is indistinguishable from the legitimate login page, including the prompt for the MFA code. The unwitting victim types their password and one-time code into the proxied page, and the proxy forwards each value to the real server, sealing the account’s fate.
Because the proxy sees both directions of the exchange, the credentials and OTP are captured and passed to the attackers, who can now access the stolen account.
More importantly, the phishing proxy in the middle of this exchange also captures the session cookies the provider sets once MFA succeeds. Replaying those cookies lets the attacker log in to that specific account without a password or a second factor, since to the provider the session is already authenticated, until the session expires or is revoked.
“Beautiful Soup” Delivers
In a recent phishing campaign targeting Microsoft accounts, one trait that set these attackers apart was a custom proxy-style phishing kit with an unusual feature: it uses the “Beautiful Soup” HTML and XML parsing library.
The library lets the kit parse the legitimate login page fetched from the real corporate sign-in flow and rewrite it on the fly, inserting the elements the scam needs before serving it to the victim. Because the edited HTML is otherwise the genuine page, the exchange looks seamless and the victim’s credentials and session are captured in one pass.
The kit is not bulletproof, however. Analysts at Zscaler found that the requests the kit forwards to Microsoft’s servers leak the phishing URL, which gives defenders a way to detect the attacker’s infrastructure.
Zscaler also set up a test instance and let the attackers into it in order to monitor their post-compromise activity. Roughly eight minutes after the compromise, the attacker logged into the account, a consistent pattern of compromise, a short wait, and then entry across the monitored phishing cases.
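One place a forwarded request can betray a proxy is in the browser-supplied headers: a victim’s browser fills Origin and Referer with the hostname of the page it was served from, which is the phishing domain, and a careless kit forwards those headers to the real server. The following is an added example (not code from the campaign, Zscaler, or Microsoft) of a server-side check for that mismatch. The article does not say which field leaked the URL, so the Origin/Referer mechanism is an assumption here, and `login.example.com` and the sample headers are constructed.

```python
"""Flag login POSTs whose Origin/Referer host is not the legitimate login host.

Added example. Assumptions: the legitimate identity provider is
login.example.com (constructed), and the phishing proxy forwards the
victim's Origin/Referer headers unchanged.
"""
from urllib.parse import urlsplit

# Hosts that may legitimately serve the login form (constructed).
LEGIT_LOGIN_HOSTS = {"login.example.com"}


def _host_of(value):
    """Return the lower-cased hostname of a URL-ish header value, or None."""
    if not value:
        return None
    # urlsplit gives hostname=None for values such as "null" or a bare path.
    return urlsplit(value).hostname


def check_login_request(headers, legit_hosts=LEGIT_LOGIN_HOSTS):
    """Return a list of findings (empty means nothing suspicious).

    Header names are matched case-insensitively. A missing header is not
    reported: the check only speaks when the browser told us where the
    form came from and that place is not ours.
    """
    norm = {k.lower(): v for k, v in headers.items()}
    findings = []
    for hdr in ("origin", "referer"):
        host = _host_of(norm.get(hdr))
        if host is not None and host not in legit_hosts:
            findings.append(f"{hdr} host {host!r} is not a legitimate login host")
    return findings


# Constructed sample requests, not captured traffic.
LEGIT_POST = {
    "Host": "login.example.com",
    "Origin": "https://login.example.com",
    "Referer": "https://login.example.com/common/oauth2/authorize",
}
PROXIED_POST = {
    # A proxy kit forwards the request to the real host ...
    "Host": "login.example.com",
    # ... but the browser filled these in with the phishing domain.
    "Origin": "https://login-example-com.phish.invalid",
    "Referer": "https://login-example-com.phish.invalid/common/oauth2/authorize",
}

if __name__ == "__main__":
    for name, req in (("legit", LEGIT_POST), ("proxied", PROXIED_POST)):
        print(name, check_login_request(req) or "ok")
```

A well-written kit strips or rewrites these headers before forwarding, so treat a mismatch as a detection opportunity rather than a guarantee; the value of the check is that it costs nothing and catches kits that, like the one described here, leak their own URL.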
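The cookie replay described earlier and the compromise-wait-enter timing Zscaler observed both leave the same trace in sign-in telemetry: a session that was established with an interactive MFA sign-in is then used, minutes later, from a different network with no MFA prompt. The following is an added example (not Zscaler’s or any vendor’s detection logic) that runs that check over a constructed sign-in log. The record layout, field names, session identifiers and ASNs are assumptions made for the example, not any product’s schema.

```python
"""Detect reuse of an MFA-authenticated session from a different network.

Added example. Assumed log schema (not any vendor's): one record per
sign-in with an ISO timestamp, user, session id, client IP, client ASN
and whether MFA was performed interactively in that sign-in.
"""
from datetime import datetime, timedelta

# Constructed sample sign-in log, not real data. alice's session cookie is
# replayed eight minutes after her MFA sign-in from a different network;
# bob simply reuses his own session from the same network.
SIGNINS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "session": "s-1",
     "ip": "203.0.113.10", "asn": "AS64496", "mfa": True},
    {"ts": "2024-05-01T09:08:00", "user": "alice", "session": "s-1",
     "ip": "198.51.100.77", "asn": "AS64500", "mfa": False},
    {"ts": "2024-05-01T10:00:00", "user": "bob", "session": "s-2",
     "ip": "203.0.113.22", "asn": "AS64496", "mfa": True},
    {"ts": "2024-05-01T10:30:00", "user": "bob", "session": "s-2",
     "ip": "203.0.113.22", "asn": "AS64496", "mfa": False},
]


def _parse(entry):
    """Copy a record and turn its timestamp into a datetime."""
    e = dict(entry)
    e["ts"] = datetime.fromisoformat(e["ts"])
    return e


def find_session_replay(entries, window=timedelta(hours=24)):
    """Return one alert per sign-in that reuses an MFA-established session
    from a different ASN, without MFA, within `window` of the MFA sign-in.

    The MFA sign-in is the anchor: that is the moment the proxy captured
    the cookie. Anything after it on the same session from another
    network, with no fresh MFA, is a candidate replay.
    """
    by_session = {}
    for e in sorted(map(_parse, entries), key=lambda r: r["ts"]):
        by_session.setdefault(e["session"], []).append(e)

    alerts = []
    for sid, events in by_session.items():
        anchor = next((e for e in events if e["mfa"]), None)
        if anchor is None:
            continue  # never saw the session being created; nothing to compare
        for e in events:
            if e is anchor or e["mfa"]:
                continue
            delta = e["ts"] - anchor["ts"]
            if e["asn"] != anchor["asn"] and timedelta(0) <= delta <= window:
                alerts.append({
                    "user": e["user"],
                    "session": sid,
                    "mfa_ip": anchor["ip"],
                    "replay_ip": e["ip"],
                    "minutes_after_mfa": delta.total_seconds() / 60,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_session_replay(SIGNINS):
        print(alert)
```

Keying on ASN rather than raw IP keeps mobile and NAT address churn from firing the rule, and the window bounds the search to the period in which a freshly stolen cookie is most likely to be replayed; the eight-minute gap in the sample mirrors the delay Zscaler reported.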