Phishing attacks that can bypass 2-factor authentication. Where 2FA normally offers an extra layer of protection that is lacking in single-layer protection provided by usernames and passwords. In most cases, that should give businesses some much-needed peace of mind.

But hackers are forever finding ways to circumvent any security measures developed to thwart their malicious efforts. In late 2019, the FBI issued a Privacy Industry Notification alerting industry groups to a particular vulnerability in 2FA: that criminals are able to bypass it with a combination of familiar techniques, among them social engineering and man-in-the-middle attacks.

Just a few months later, the coronavirus shook the world and sent businesses scrambling to stay operational. It has also created opportunities that cybercriminals are only too happy to exploit.

This means that businesses relying on 2FA need to be extra careful in protecting their data now more than ever.  

Here are 4 phishing attacks that can bypass 2-factor authentication:  

1. Man-in-the-browser (MitB) / man-in-the-middle attacks

Two mistaken beliefs shared by many organizations are key to ensuring that your data is safe:

  • Even if staff’s credentials are stolen, your data is still safe if you have 2FA.
  • It’s perfectly safe for staff to use any browser extensions (e.g., converters, file viewers, or ad blockers), to boost productivity.   

https://www.technologyvisionaries.com/two-factor-authentication-reduce-breach/2FA and stolen credentials

2-factor authentication successfully thwarts traditional, static phishing attacks—the ones that most people are familiar with. These attacks involve fake login pages that attackers host on web servers that they control and serve from custom domains with names similar to the names of the targeted websites to trick users into logging in. 

With 2-factor authentication, the second factor in the log-in sequence involves the generation of one-time-use codes—by the legitimate website—that the user has to provide in order to access their account.   

In traditional phishing, attackers can’t get their hands on these codes because the first login sequence does not occur on the legitimate website, which then doesn’t get the prompt to generate the one-time-use codes. This means attackers can’t log in using the credentials they have phished.

This scenario leads many organizations to believe they’re protected from phishing even if the staff’s log-in credentials are stolen.  

Proxy based Phishing

One way that attackers beat 2FA is by making their phishing websites act as proxies that forward requests on behalf of the victims to the legitimate websites and then deliver the responses back in real time. The goal here is to automate phishing. What the attackers are after, rather than just usernames and passwords, are the active session tokens, or session cookies, that the legitimate websites associate with logged-in accounts. 

Once these session cookies are in the hands of the attackers, they can be placed inside a browser to get direct access to the accounts they’re associated with, effectively bypassing authentication.

This proxy-based phishing is not new, but now it’s much easier for attackers to carry out with Muraena and Necro Browser: 

Muraena (named for an eel family) is an almost-transparent reverse proxy aimed at automating phishing and post-phishing activities. Once a user lands on a Muraena-powered phishing site, the login sequence mirrors the one on the real website: The user is asked for their 2FA code, and after authentication is completed, the Muraena steals the session cookie. 

NecroBrowser is a microservice that facilitates the hijacking of legitimate authentication sessions. When the attackers feed the sessions that are hauled in during phishing campaigns, the service will then perform actions on the victims’ behalf.

2FA and browser extensions

Many organizations are rather confident about their employees using browser extensions to boost productivity. The thing is, while these extensions often have legitimate business functionality, some also have a “side” hustle—which explains why they are free. Some extensions include the hidden functionality of a man-in-the-middle spyware. This is designed to scrape, use, or sell data—a move that can include the capture of 2FA log-in info or data accessed during specific browser sessions. 

Attackers can use browser extensions to breach organizations that rely heavily on 2FA. Since a browser extension gains access to the complete canvas of the browser upon installation. From there, they can monitor sessions and reel in whatever data is available. 

Malicious extensions can simply wait for the 2FA login to complete and then get to work harvesting data.

2. Technical support scams

Fake scans and backdoors feature prominently in technical support scams. Bypassing 2FA security protocols by this means involves successfully convincing users to install a TeamViewer or some other LogMeIn software capable of remote login. 

Once they’re in, scammers can now run a fake scan, while the TeamViewer session is left open so it can be sold. Malicious actors running tech support scams install a functioning backdoor on a device that provides full backdoor capability. 

Access to devices compromised by tech support scams naturally wind up for sale on the Dark Web and are practically impossible to find, even by the best-of-breed AV. As well. 2FA cannot prevent this particular phishing scheme.

3. Fake 2FA pages or pop-ups 

Phishers’ level of sophistication enables them to mimic legitimate authentication websites. These malicious actors can lure unsuspecting users into fake sites. These boast of a login experience that looks exactly just like their normal 2FA experience, but, of course, captures their user credentials and authentication codes.  

While this attack doesn’t compromise the actual session token, the user is nevertheless tricked into providing additional security credentials. Or qualifying data they might normally provide in a password recovery experience. The harvested data can then be used by malicious actors to access one or more corporate systems.

4. Scareware

This phishing tactic is a recent one and targets journalists and activists in the Middle East and North Africa in particular. Hundreds of Google and Yahoo accounts were targeted, resulting in the successful bypassing of 2FA security protocols.

Attackers subverting 2FA solutions with scareware. By sending out security alerts that look like those sent by real providers. Prompting users to reset passwords due to a security threat/breach.

Don’t overestimate your 2FA security protocols.

Consider reinforcing 2FA with a second authentication method. Or you can upgrade to multiple-factor authentication (MFA) used in tandem with single sign-on (SSO). 


TraitWare has you covered. Explore our enterprise-level solutions today.