Hackers can now automate phishing attacks that bypass two-factor authentication (2FA) without detection using the new tools Muraena and NecroBrowser. This means that organizations need to upgrade their anti-phishing protection and training to defend themselves against this threat.
The Muraena and NecroBrowser toolkit was developed by researchers Michele Orru and Giuseppe Trotta to show that current techniques to combat phishing attacks, such as Subresource Integrity (SRI), Content Security Policy (CSP), and 2FA, are not invincible and that their compromise can be automated.
The proxy-based attack strategy that Muraena and NecroBrowser deploy has been known for a while but it once needed deep technical knowledge and the configuration of many independent tools to achieve.
It also required a hacker to manually abuse stolen session cookies before they expired. Muraena and NecroBrowser can defeat the 2FA protections and automate most of the phishing process, allowing phishing attacks to be carried out easily by far more hackers.
Traditional phishing attacks depend on fake login pages hosted on hacker-controlled web servers, served from custom domains with names similar to the targeted websites. These static attacks fail against two-factor authentication because they don’t interact with the legitimate website, so no one-time-use code is ever generated or captured. Without these codes, attackers can’t log in with the phished credentials.
To bypass 2FA, phishing websites need to function as proxies that forward the victim’s requests to the legitimate website and deliver its responses back. This allows the hacker to obtain usernames, passwords, and session cookies, and to access accounts without needing to authenticate again.
Some 2FA implementations that use USB hardware tokens supporting the Universal 2nd Factor (U2F) standard can defeat proxy-based phishing. These tokens cryptographically bind their response to the website origin the browser is actually connected to, so a response obtained through the hacker’s reverse proxy is not valid for the legitimate website.
2FA solutions based on codes received over SMS or generated by mobile authenticator apps remain vulnerable, because victims unknowingly enter the codes on the phishing website, which relays them to the real site. Some browser extensions can warn users if they try to enter their credentials on a website that isn’t legitimate.
Paubox Email Suite Plus offers a strong defense system that blocks techniques such as display name spoofing while providing up-to-date protection with advanced threat detection.
Training employees to make sure they’re authenticating on the correct website with the right domain name is still an effective preventative measure against phishing attacks. For example, employees should be taught that most phishing sites are now HTTPS-enabled because certificates can be acquired for free, so a TLS/SSL indicator and a valid certificate are no longer enough to judge a website as legitimate.
Preparedness and vigilance are essential security requirements now that such powerful techniques are easily available to a greater number of hackers. These automated phishing attacks can rapidly shut down or damage an organization that’s not aware of the latest threats.