Why 2FA Multi-factor Authentication is no Longer Sufficient to Stop Phishing

The evolution of phishing

Phishing has evolved significantly since its inception in the 1990s. Initially crude and unsophisticated, early phishing attempts typically involved simplistic emails that lured recipients into disclosing personal information through fake websites. As internet users became more aware of these tactics, phishers adapted, employing more sophisticated techniques such as spear phishing, where personalized messages are crafted to target specific individuals or organizations. Furthermore, the emergence of social media and mobile technology has provided new avenues for phishing attacks, with perpetrators leveraging these platforms to manipulate users into revealing sensitive information or installing malware. 

Phishing kits have emerged as a natural evolution of phishing tactics, driven by the increasing sophistication and commercialization of cybercrime. In the early days of phishing, attacks were often carried out by individual hackers or small groups who manually created phishing emails and websites. However, as the scale and complexity of phishing attacks grew, cybercriminals began to seek more efficient and scalable methods. These kits typically include a range of tools and resources that streamline the process of creating and deploying phishing attacks.

Phishing as a Service (PaaS) has evolved significantly, offering malicious actors a lucrative business model for earning money through various means. Overall, the evolution of PaaS has provided malicious actors with a profitable and efficient means of conducting phishing attacks, highlighting the ongoing challenge posed by cybercrime to individuals and organizations worldwide.

Protection against phishing

Today’s hybrid work models and reliance on web-based applications have made the browser the de facto operating system of the enterprise and the most common target of cyberattacks.  As such, implementing technological measures is now essential for safeguarding yourself and your organization. 

Email and URL filtering solutions are a good start, and two factor authentication (2FA) is widely believed to be one of the most efficient protections from malicious attempts to steal your credentials. By requiring users to provide two forms of identification to access an account, typically a password and a unique code sent to their phone or email, 2FA makes it more difficult for attackers to gain unauthorized access even if they have obtained the user’s password through phishing. This is because the second factor of authentication is dynamic and changes frequently, making it much harder for attackers to predict or replicate.

Why 2FA is no longer effective in preventing phishing

2FA was quite effective in stopping Phishing until the appearance of a “Reverse Proxy” attacker technique that is used to overcome two-factor authentication (2FA) by intercepting and manipulating traffic between a user and a target website. In this scenario, the attacker sets up a reverse proxy server that sits between the user and the legitimate website. When the user tries to access the website, the request is first sent to the proxy server, which then forwards it to the legitimate website. The website responds to the proxy server, which in turn forwards the response to the user.

The reverse proxy can be configured to capture the user’s credentials, including any 2FA tokens, before passing them on to the legitimate website. This allows the attacker to authenticate themselves using the stolen credentials and bypass the 2FA mechanism. To the user, the interaction appears normal, as they are interacting with the legitimate website through the proxy server.

The Rise of the Phishing Kits

One of the most recent phishing kits called “Tycoon 2FA” associated with the Adversary-in-The-Middle (AiTM) technique discovered by Sekoia Threat Detection & Research (TDR) team” raised significant concerns in the cybersecurity community due to its effectiveness and wide spread.

The examination found that the kit has emerged as one of the most prevalent AiTM phishing kits, with over 1,100 domain names identified between October 2023 and February 2024.

The Tycoon 2FA phishing kit functions through multiple stages to carry out its malicious activities effectively. Initially, victims are directed via email attachments or QR codes to a page featuring a Cloudflare Turnstile challenge designed to prevent unwanted traffic. After successfully completing this challenge, users encounter a fake Microsoft authentication page, where their credentials are collected. Following this, the phishing kit transmits this information to the legitimate Microsoft authentication API, intercepting session cookies to bypass Multi-Factor Authentication (MFA).

If this wasn’t enough Sekoia additionally warned about potential links between Tycoon 2FA and other established phishing platforms, indicating potential shared infrastructure and code bases with enhanced obfuscation, anti-detection capabilities and changes in network traffic patterns. To understand the scale of the operation the report also provides additional insights behind Tycoon 2FA operation:

“The threat actor, who is also the alleged developer of the phishing kit, sells ready-to-use Microsoft 365 and Gmail phishing pages, as well as attachment templates, starting at $120 for 10 days, with prices increasing depending on the TLD. In March 2023, the phishing service provided several domain name extensions, including .ru, .su, .fr, .com, .net and .org.”

Tycoon 2FA is only the latest of the large list of AiTM phishing kits that include Caffeine, Dadsec, EvilProxy, NakedPages and more and it is now clearer than ever that 2FA will not keep you or your organization safe.

What to do to prevent modern phishing attacks

To date organizations have become dependent on training users to help them spot and avoid phishing attempts.  Unfortunately, as attackers get better at tricking users into believing they are clicking safely into emails and webpages, phishing continues to be successful.  

To address AiTM and other sophisticated phishing attacks, Seraphic has created a unique and holistic approach.  Instead of having to trust users to avoid phishing links, prevention is automated in an easy to deploy browser control.  By constantly monitoring user actions and all runtime events, Seraphic detects and prevents even the most sophisticated phishing and other web-born attacks. 

For more information about Seraphic and its unique approach to blocking phishing attempts, download our Enterprise Browser Security White Paper, or request a demo.

Please leave your details:

Sent successfully!


Please leave your details to view content:

Request a Demo