Automated phishing attacks that defeat 2FA are now easier


Hackers can now automate phishing attacks that bypass two-factor authentication (2FA) without detection, using the new tools Muraena and NecroBrowser.

This means that organizations need to upgrade their anti-phishing protection and training to defend themselves against this threat.

The Muraena and NecroBrowser toolkit was developed by researchers Michele Orru and Giuseppe Trotta to show that current techniques used to combat phishing attacks, such as Subresource Integrity (SRI), Content Security Policy (CSP), and 2FA, are not invincible, and that compromising them can be automated.

Traditional vs. automated phishing attacks: What’s the difference?

The proxy-based attack strategy that Muraena and NecroBrowser deploy has been known for a while, but it once required deep technical knowledge and the configuration of many independent tools. It also required a hacker to manually abuse stolen session cookies before they expired.

Muraena and NecroBrowser can defeat 2FA protections and automate most of the phishing process, putting these attacks within reach of far more hackers.

Traditional phishing attacks depend on fake login pages hosted on hacker-controlled web servers that are served from custom domains with similar names to targeted websites. 

These static attacks fail against two-factor authentication because they don’t interact with legitimate websites to generate one-time-use codes. Without these codes, attackers can’t log in with the phished credentials.   

To bypass 2FA, a phishing website must function as a proxy: it forwards the victim's requests to the legitimate website and relays the responses back. This lets the hacker capture usernames, passwords, and the resulting session cookies, which grant access to the account without having to authenticate again.

What you can do to safeguard your organization from automated phishing

Some 2FA implementations that use USB hardware tokens with support for the Universal 2nd Factor (U2F) standard can defeat proxy-based phishing. 

These tokens produce a cryptographic response that is tied to the legitimate website's domain as seen by the browser, so a response generated on the phishing domain is not accepted and cannot simply be relayed through the hacker's reverse proxy.

2FA solutions based on codes received over SMS or generated by mobile authenticator apps remain vulnerable, because victims unknowingly enter the codes on the phishing website, which relays them to the legitimate site.
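The contrast drawn in the two paragraphs above, as an added example that is not from the article or from the Muraena/NecroBrowser project: a simplified model of a U2F/WebAuthn login in which the token signs the origin the browser is actually on, so the relying party rejects an assertion produced on the proxy's domain, while a relayed SMS/app code passes. HMAC stands in for the token's ECDSA signature, and the origins and key are constructed placeholders.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample origins: the legitimate login page and a look-alike
# domain fronting a reverse proxy (placeholders, not real sites).
LEGIT_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login.example-secure.com"

def token_sign(key: bytes, origin: str, challenge: bytes):
    """Authenticator step. The browser hands the token the origin it is really
    on; the token signs the challenge together with that origin. HMAC stands in
    for the token's ECDSA signature: the origin binding is the point here."""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin},
                             sort_keys=True).encode()
    sig = hmac.new(key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return client_data, sig

def rp_verify(key: bytes, expected_origin: str, issued_challenge: bytes,
              client_data: bytes, sig: bytes) -> bool:
    """Relying-party check: signature valid, challenge is the one we issued,
    and the signed origin is our own domain."""
    expected = hmac.new(key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False
    data = json.loads(client_data)
    return (data["challenge"] == issued_challenge.hex()
            and data["origin"] == expected_origin)

def u2f_login_through(origin_seen_by_browser: str, key: bytes) -> bool:
    """Victim completes a U2F login while the browser sits on origin_seen_by_browser.
    A proxy can relay the challenge unchanged, but the browser reports its own origin."""
    challenge = secrets.token_bytes(32)          # issued by the legitimate site
    client_data, sig = token_sign(key, origin_seen_by_browser, challenge)
    return rp_verify(key, LEGIT_ORIGIN, challenge, client_data, sig)

def otp_login_through(_origin_seen_by_browser: str, valid_code: str, typed_code: str) -> bool:
    """Contrast: an SMS or app code carries no origin, so a code typed on the proxy
    page and forwarded verbatim is accepted no matter where it was entered."""
    return hmac.compare_digest(valid_code, typed_code)

if __name__ == "__main__":
    key = secrets.token_bytes(32)                # constructed per-site token key
    print("U2F on real site:", u2f_login_through(LEGIT_ORIGIN, key))   # True
    print("U2F via proxy:   ", u2f_login_through(PROXY_ORIGIN, key))   # False
    print("OTP via proxy:   ", otp_login_through(PROXY_ORIGIN, "493021", "493021"))  # True
```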

Some browser extensions can warn users if they try to enter their credentials on a website that isn’t legitimate. 

Paubox Email Suite Plus offers a strong defense system that blocks techniques such as display name spoofing while providing up-to-date protection with advanced threat detection.

Conclusion

Training employees to make sure they are authenticating on the correct website, with the right domain name, is still an effective preventative measure against phishing attacks.

For example, employees should be taught that most phishing sites are HTTPS-enabled, because certificates can be acquired for free, so a TLS/SSL padlock and a valid certificate are no longer enough to judge a website as legitimate.

Preparedness and vigilance are essential security requirements now that such powerful techniques are easily available to a greater number of hackers. These automated phishing attacks can rapidly shut down or damage an organization that is not aware of the latest threats.

About the author

Heather C. Orr