Phishing remains a top security threat: it is still the #1 attack vector, and stealing identities is its primary goal. According to the 2022 Phishing Activity Trends Report from APWG, 1,098,811 total phishing attacks were observed, marking “a new record and the worst quarter for phishing that APWG has ever observed.” Beyond the growing number of phishing attacks, attackers are expanding their arsenal and turning up the heat on potential victims with increasingly sophisticated tactics, techniques, and procedures (TTPs) such as Browser-in-the-Browser (BitB) phishing attacks, Business Email Compromise (BEC), and Adversary-in-the-Middle (AiTM), which lets attackers steal session cookies and bypass MFA protection.
Adversary-in-the-Middle (AiTM) Phishing Attack
Adversary-in-the-Middle (AiTM) is a phishing technique allowing attackers to hijack a user’s sign-in session, intercept the user’s password and session cookie, and then get authenticated to a session on the user’s behalf. Once the attackers have successfully captured the user’s credentials and session cookies, they move to the next phase of the attack by accessing compromised users’ mailboxes to launch BEC campaigns against other targets.
MITRE ATT&CK
MITRE ATT&CK Technique T1557: Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation. By abusing features of common networking protocols that can determine the flow of network traffic (e.g., ARP, DNS, LLMNR), adversaries may force a device to communicate through an adversary-controlled system so they can collect information or perform additional actions.
How the Attack Works
AiTM phishing attacks leverage Man-in-the-Middle frameworks like Evilginx2, Muraena, or Modlishka to deploy a proxy server between the user and the targeted website, so that recipients of a phishing email are redirected to lookalike landing pages designed to capture credentials and MFA information. As explained by Microsoft Security, the phishing page maintains two different Transport Layer Security (TLS) sessions: one with the target and another with the actual website the target wants to access. The phishing page then functions as an AiTM agent, intercepting the whole authentication process and extracting valuable data from the HTTP requests, such as passwords and, more importantly, session cookies. Once in possession of this information, the attackers inject the cookies into their own browsers to circumvent the authentication process, regardless of whether the victim had enabled MFA protection.
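The final step described above, the attacker replaying a stolen session cookie from their own browser, leaves a trace that defenders can look for: the same session cookie being presented from a source IP or browser that differs from the sign-in that minted it. The following detection logic is an added example written for this article, not code from Microsoft, zvelo or any of the frameworks named above; the event fields (ts, user, session_id, event, src_ip, user_agent) and the sample events are constructed assumptions about what an identity provider's sign-in and activity logs would contain.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (not real log data). 'signin' events create a
# session cookie; 'activity' events are later requests presenting that cookie.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "session_id": "s-111",
     "event": "signin", "src_ip": "203.0.113.10", "user_agent": "Firefox/125"},
    {"ts": "2024-05-01T09:05:00", "user": "alice", "session_id": "s-111",
     "event": "activity", "src_ip": "203.0.113.10", "user_agent": "Firefox/125"},
    # the same cookie presented from another address with a different browser
    {"ts": "2024-05-01T09:07:00", "user": "alice", "session_id": "s-111",
     "event": "activity", "src_ip": "198.51.100.77", "user_agent": "Chrome/124"},
    {"ts": "2024-05-01T10:00:00", "user": "bob", "session_id": "s-222",
     "event": "signin", "src_ip": "192.0.2.5", "user_agent": "Safari/17"},
    {"ts": "2024-05-01T10:30:00", "user": "bob", "session_id": "s-222",
     "event": "activity", "src_ip": "192.0.2.5", "user_agent": "Safari/17"},
]


@dataclass
class Finding:
    user: str
    session_id: str
    signin_ip: str
    replay_ip: str
    minutes_after_signin: float
    reason: str


def find_session_replay(events, window=timedelta(hours=24)):
    """Flag session cookies used from a different source than the sign-in that minted them.

    Only activity within `window` of the sign-in is considered, so long-lived
    sessions that legitimately roam (laptop moving networks days later) do not
    drown out the fast replay pattern seen after an AiTM compromise.
    """
    origin = {}  # session_id -> (sign-in time, sign-in event)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event"] == "signin":
            origin[ev["session_id"]] = (ts, ev)
            continue
        if ev["session_id"] not in origin:
            continue  # cookie minted before our log window; nothing to compare against
        t0, first = origin[ev["session_id"]]
        if ts - t0 > window:
            continue
        reasons = []
        if ev["src_ip"] != first["src_ip"]:
            reasons.append("source IP changed")
        if ev["user_agent"] != first["user_agent"]:
            reasons.append("user agent changed")
        if reasons:
            findings.append(Finding(
                user=ev["user"],
                session_id=ev["session_id"],
                signin_ip=first["src_ip"],
                replay_ip=ev["src_ip"],
                minutes_after_signin=(ts - t0).total_seconds() / 60,
                reason="; ".join(reasons),
            ))
    return findings


if __name__ == "__main__":
    for f in find_session_replay(SAMPLE_EVENTS):
        print(f"{f.user}: cookie {f.session_id} signed in from {f.signin_ip}, "
              f"reused from {f.replay_ip} {f.minutes_after_signin:.0f} min later ({f.reason})")
```

Note that in a real AiTM case the sign-in itself arrives at the identity provider from the proxy's address rather than the victim's, so the comparison baseline is the proxy; the replay from the attacker's own browser still shows up as a second source on the same cookie. Pairing this rule with a check for sign-ins from addresses or networks the user has never used before catches the earlier stage as well.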
Options for Protecting Against AiTM Phishing Attacks
Fast ID Online (FIDO) v2.0
While MFA has its limitations in protecting users from phishing attempts, as the AiTM case shows, that does not mean it should be tossed aside: any effort to make yourself a hardened target will deter the swaths of attackers looking only for low-hanging fruit. It does, however, require organizations to evolve their MFA deployments toward ‘phish-resistant’ methods by investing in more advanced solutions, such as those that support Fast ID Online (FIDO) v2.0 and certificate-based authentication. Better yet, investing in solutions like zvelo’s PhishBlocklist, which block the phishing pages from being accessed at all, offers the most robust protection.
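The reason FIDO2 counts as phish-resistant where a one-time code does not is that the credential is bound to the origin of the site the user is actually on: the browser only lets a page request credentials whose relying-party ID matches its own domain, and it writes the real page origin into the signed client data, which the relying party must check against its own origin. A proxy on a lookalike domain therefore cannot obtain a usable assertion. The simulation below is an added example written for this article, not code from any FIDO implementation or from zvelo; it assumes a relying party at login.example.com, a constructed lookalike origin https://login-example.com, and uses an HMAC with a per-credential secret as a stand-in for the authenticator's asymmetric signature so that it runs with only the standard library.

```python
import hashlib
import hmac
import json
import os

RP_ID = "login.example.com"            # relying-party ID the credential is scoped to
RP_ORIGIN = "https://login.example.com"  # origin the relying party expects in clientData
PHISH_ORIGIN = "https://login-example.com"  # constructed lookalike origin for the AiTM proxy


def host_of(origin):
    return origin.split("://", 1)[1].split("/", 1)[0].split(":")[0]


def rp_id_allowed(rp_id, page_origin):
    """Browser-side rule: rpId must equal the page's host or be a parent domain of it."""
    host = host_of(page_origin)
    return host == rp_id or host.endswith("." + rp_id)


class Authenticator:
    """Stand-in for a FIDO2 authenticator (assumption: HMAC replaces the real signature)."""

    def __init__(self):
        self.credentials = {}  # rp_id -> per-credential secret

    def register(self, rp_id):
        self.credentials[rp_id] = os.urandom(32)
        return self.credentials[rp_id]  # the relying party stores this as the 'public key'

    def get_assertion(self, rp_id, client_data_hash):
        # authenticatorData = rpIdHash || flags (user present) || 4-byte counter
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
        sig = hmac.new(self.credentials[rp_id], auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_get(authenticator, page_origin, rp_id, challenge, enforce_rp_id=True):
    """The browser fills in the origin it actually loaded; the page cannot override it."""
    if enforce_rp_id and not rp_id_allowed(rp_id, page_origin):
        raise PermissionError("rpId is not a registrable suffix of the page origin")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True).encode()
    auth_data, sig = authenticator.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


def rp_verify(key, challenge, client_data, auth_data, sig):
    """Relying-party checks from the WebAuthn assertion verification procedure."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:          # origin binding: defeats a proxied login page
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():  # rpIdHash must match
        return False
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def attempt_login(page_origin, enforce_rp_id=True):
    """Run one sign-in where the user's browser is on `page_origin`; return the outcome."""
    authenticator = Authenticator()
    key = authenticator.register(RP_ID)       # registration happened on the real site
    challenge = os.urandom(16).hex()          # issued by the real RP and relayed by the proxy
    try:
        client_data, auth_data, sig = browser_get(
            authenticator, page_origin, RP_ID, challenge, enforce_rp_id)
    except PermissionError:
        return "rejected by browser (rpId scope)"
    if rp_verify(key, challenge, client_data, auth_data, sig):
        return "accepted"
    return "rejected by relying party (origin mismatch)"


if __name__ == "__main__":
    print("real site:      ", attempt_login(RP_ORIGIN))
    print("AiTM proxy:     ", attempt_login(PHISH_ORIGIN))
    print("proxy, no rpId check:", attempt_login(PHISH_ORIGIN, enforce_rp_id=False))
```

The two layers are independent: the browser refuses to exercise the credential for the lookalike domain at all, and even if an assertion were somehow produced there, the relying party's origin check rejects it because the signed client data names the proxy's origin, not the real one. Contrast this with a TOTP code, which carries no information about where it was typed and so relays through the proxy unchanged.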
PhishBlocklist Protection for AiTM
Once a user lands on the attacker’s phishing page, it’s too late for any security layer to protect against the credential harvesting. And, just as attackers have come up with ways to subvert MFA protection, they will likely find a way around FIDO v2.0 eventually. Rather than focusing on an authentication method, PhishBlocklist delivers comprehensive protection against AiTM by blocking users from accessing the phishing page, offering maximum protection against the credential harvesting TTPs that lead to ransomware, breaches, and other cyber-attacks. PhishBlocklist, one of the zveloCTI™ Cyber Threat Intelligence feeds, has proven market-leading detection coverage and speed for active phishing threats drawn from the global ActiveWeb traffic stream across web surfing, email, SMS/text, and other applications. Further enhanced with zvelo’s predictive phishing detection, PhishBlocklist delivers validated active phishing threats enriched with additional metadata attributes such as date detected, targeted brand, phishing campaign identification, and more.