A new tool facilitates phishing attacks, bypassing two-factor authentication

Recently, it was revealed that there is a new tool that hackers can use to carry out phishing attacks that bypass two-factor authentication. Worse, it is not easy to detect and block. Because the tool makes these attacks easier to carry out, companies will need to take protective measures.

The new tool was presented at the Hack in the Box conference in Amsterdam and was released on GitHub a few days later. It consists of two components: a reverse proxy called Muraena and a Docker container called NecroBrowser.

Man-in-the-middle attacks

In a typical phishing attack, victims are directed to fake pages set up by the attackers. However, these attacks are not particularly effective when two-factor authentication is in use.

To circumvent two-factor authentication, phishing sites need to work as proxies, forwarding requests on behalf of the victims to the legitimate sites and relaying the responses in real time. The ultimate goal is to capture the session cookies that legitimate sites use to link a browser to a user account. These cookies can be placed in another browser, which then has direct access to the linked accounts without authenticating.

This proxy-based technique has been known for some time. However, using it to carry out attacks was not a simple matter, as it required considerable technical knowledge and several tools, such as the NGINX web server acting as a reverse proxy. The attackers then had to abuse the stolen session cookies manually. Another obstacle is that some sites use technologies to prevent proxying.

Muraena and NecroBrowser were designed to bypass these protection measures and to speed up the process, putting the attack within reach of more hackers. The tools were created by researchers Michele Orru and Giuseppe Trotta.

How do Muraena and NecroBrowser work?

Muraena is written in the Go programming language. This means that it can run on any platform that Go supports. Hackers can use it to configure their phishing domain and obtain a legitimate certificate for it.

The tool has a reverse-proxy server and a crawler that automatically determines which resources of the legitimate site need to be proxied. The proxy processes the requests received from the victim before forwarding them.

The crawler automatically creates a JSON configuration file, which can then be modified to bypass various defenses on more complex websites.

When the victim lands on a phishing page served through Muraena, the login process looks exactly as it does on the real site. The victim is prompted for the two-factor authentication code, and once the check is complete, the proxy steals the session cookies.

These cookies are normally saved by the browser in a file. With them, hackers can access the linked accounts for a certain amount of time without entering a password again.

Muraena then passes the stolen cookies to NecroBrowser, which immediately begins to abuse them.

The abuse includes taking screenshots of e-mail, resetting passwords, collecting information about contacts and friends on social media, sending phishing emails to friends, and more.
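A server-side heuristic for spotting the cookie replay described above, given here as an added example that is not part of the original article: it flags any session whose cookie later arrives with a different IP address and User-Agent pair than the one that first presented it. The log format, field names and all sample values are constructed, and the check assumes the replaying browser does not share the fingerprint of the original login.

```python
import re

# Constructed access-log lines: client IP, session id, request, User-Agent.
SAMPLE_LOG = """\
198.51.100.7 sid=a1f3 "POST /login" "Mozilla/5.0 (Windows NT 10.0) Firefox/67.0"
198.51.100.7 sid=a1f3 "GET /inbox" "Mozilla/5.0 (Windows NT 10.0) Firefox/67.0"
203.0.113.50 sid=a1f3 "GET /inbox" "Mozilla/5.0 (X11; Linux x86_64) Chrome/74.0"
203.0.113.50 sid=a1f3 "POST /settings/password" "Mozilla/5.0 (X11; Linux x86_64) Chrome/74.0"
192.0.2.14 sid=9c2e "POST /login" "Mozilla/5.0 (Macintosh) Safari/12.1"
192.0.2.14 sid=9c2e "GET /inbox" "Mozilla/5.0 (Macintosh) Safari/12.1"
"""

LINE = re.compile(r'^(\S+) sid=(\S+) "(\S+) (\S+)" "([^"]*)"$')


def find_replayed_sessions(log_text):
    """Return {session id: [(ip, request), ...]} for requests whose
    (IP, User-Agent) pair differs from the pair that first used the session."""
    first_seen = {}   # session id -> fingerprint seen on its first request
    alerts = {}
    for raw in log_text.splitlines():
        match = LINE.match(raw.strip())
        if not match:
            continue  # skip lines that are not in the expected format
        ip, sid, method, path, user_agent = match.groups()
        fingerprint = (ip, user_agent)
        if sid not in first_seen:
            first_seen[sid] = fingerprint
        elif fingerprint != first_seen[sid]:
            alerts.setdefault(sid, []).append((ip, f"{method} {path}"))
    return alerts


if __name__ == "__main__":
    for sid, hits in find_replayed_sessions(SAMPLE_LOG).items():
        print(f"session {sid} reused from a new client: {hits}")
```

Legitimate users also change networks, so in practice a hit is a reason to require re-authentication for sensitive actions such as a password reset rather than proof of compromise.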

How to protect yourself from these phishing attacks?

It seems that it is very difficult to have complete protection from these attacks, since this tool was made to bypass the existing protection measures.

However, not all two-factor authentication methods can be circumvented. For example, those using USB hardware tokens with support for Universal 2nd Factor (U2F) cannot be bypassed. This is because these USB tokens establish a cryptographically verified connection with the legitimate site through the browser, and that connection does not pass through the attacker's reverse proxy.

By contrast, code-based checks, whether delivered by SMS or generated by an application, are vulnerable. This is because the victims enter the code manually, so there is a risk that they will enter it into a phishing site.

Another protective measure is a browser extension that checks whether users are entering their credentials on the correct site. Google has such an extension for Chrome. It is called Password Alert and warns users if they attempt to enter their credentials on a site that does not belong to Google.
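Why a relayed hardware-token login fails at the legitimate site, shown as an added example that is not from the original article: the browser itself records the origin it loaded and the token answers for that site's ID, so a response produced on a phishing domain does not pass the server's checks. The sketch uses the WebAuthn data layout (the successor API to U2F); the host names, `check_assertion` and `browser_response` are assumptions made for illustration.

```python
import base64
import hashlib
import json

# Assumed values for illustration; not taken from the article.
RP_ID = "accounts.example.com"
EXPECTED_ORIGIN = "https://accounts.example.com"


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_assertion(client_data_json, authenticator_data, issued_challenge):
    """Return the reasons to reject a login; an empty list means the checks pass."""
    problems = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        problems.append("unexpected type")
    if client.get("challenge") != b64url(issued_challenge):
        problems.append("challenge mismatch")
    # The browser, not the page, writes the origin it actually loaded.
    if client.get("origin") != EXPECTED_ORIGIN:
        problems.append("origin mismatch")
    # Bytes 0..31 of authenticatorData: SHA-256 of the RP ID the key was used for.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        problems.append("rpIdHash mismatch")
    # Not shown: verifying the token's signature over
    # authenticator_data || SHA-256(client_data_json), which stops a proxy
    # from rewriting either field in transit.
    return problems


def browser_response(origin, rp_id, challenge):
    """Constructed stand-in for what browser and token return for a page at `origin`."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()
    # rpIdHash (32 bytes) + flags (user present) + signature counter (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (7).to_bytes(4, "big")
    return client_data, auth_data


if __name__ == "__main__":
    challenge = b"constructed-challenge"
    print(check_assertion(*browser_response(EXPECTED_ORIGIN, RP_ID, challenge), challenge))
    phish = "login.phish.test"  # constructed look-alike host
    print(check_assertion(*browser_response("https://" + phish, phish, challenge), challenge))
```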

Users must be trained to recognize fake pages and to stay constantly alert. TLS/SSL and a valid certificate are not enough to prove that a site is legitimate. Certificates can now be obtained for free, so most phishing sites can be served over HTTPS.

The author allows you to copy this text only if you cite the source (SecNews.gr) with a live URL to the article.