A newly released tool lets attackers run phishing campaigns that bypass two-factor authentication, and, worse, phishing pages built with it are not easy to locate and block. Because it lowers the effort needed to mount such an attack, companies will need to take additional protective measures.
The tool was presented at the Hack in the Box conference in Amsterdam and published on GitHub a few days later. It consists of two components: a reverse proxy called Muraena and a Docker container called NecroBrowser.
In a typical phishing attack, victims are sent to fake pages that capture their credentials. Such attacks are far less effective against accounts protected by two-factor authentication.
To get around two-factor authentication, a phishing site has to act as a proxy: it relays the victim's requests to the legitimate site and passes the responses back in real time. The real prize is the session cookie that the legitimate site issues once the user has logged in. Placed in a browser, that cookie gives direct access to the linked account without any further authentication.
This proxy-based technique has been known for some time. Carrying it out, however, was not simple: it required considerable technical knowledge and several tools, such as an NGINX web server configured as a reverse proxy, and the attacker then had to extract the stolen session cookies by hand. A further obstacle is that some sites use techniques designed to prevent proxying.
Muraena and NecroBrowser were designed to bypass these protections and to speed up the whole process, putting the attack within reach of far more attackers. The tools were created by researchers Michele Orru and Giuseppe Trotta.
How do Muraena and NecroBrowser work?
Muraena is written in Go, so it runs on any platform Go supports. Attackers can use it to set up their phishing domain and obtain a valid certificate for it.
The tool combines a reverse-proxy server with a crawler that automatically identifies the resources the legitimate site loads. The proxy processes the victim's requests before forwarding them to the real site.
The crawler produces a JSON configuration file that can be edited by hand to get around the various defenses of more complex web applications.
When the victim lands on a phishing page served through Muraena, the login process looks exactly as it does on the real site. The victim is prompted for the two-factor authentication code, and once verification completes, the proxy captures the session cookies.
The browser stores these cookies locally, and with them an attacker can access the linked account for a certain amount of time without ever needing the password again.
Muraena then hands the stolen cookies to NecroBrowser, which immediately begins to abuse them.
The abuse includes taking screenshots of the victim's e-mail, resetting passwords, collecting information about contacts and friends on social media, sending phishing e-mails to those contacts, and more.
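The article's point that a captured cookie is replayed from the attacker's own browser suggests a server-side detection: the legitimate site sees the same session cookie presented by a client that looks nothing like the one that logged in. The following is an added example, not code from the article or from the Muraena project; the log format, the session ids, the IP addresses and the user-agent strings are all constructed for illustration.

```python
"""Flag session cookies that are presented by a different client than the one that logged in.

Added example with a constructed log format:
    <iso-timestamp> <client-ip> sid=<session-id> ua="<user-agent>" <method> <path>
"""
import re
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) sid=(?P<sid>\w+) ua="(?P<ua>[^"]*)" (?P<method>\S+) (?P<path>\S+)$'
)

# Constructed sample: session a1b2c3 is logged in from one client and replayed
# seconds later from a headless browser at another address (the NecroBrowser pattern);
# session d4e5f6 only changes IP address, as a phone roaming between networks would.
SAMPLE_LOG = """\
2019-06-05T10:00:01Z 203.0.113.7 sid=a1b2c3 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/74.0" POST /login
2019-06-05T10:00:05Z 203.0.113.7 sid=a1b2c3 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/74.0" GET /inbox
2019-06-05T10:01:10Z 198.51.100.9 sid=a1b2c3 ua="Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/74.0" GET /inbox
2019-06-05T10:01:12Z 198.51.100.9 sid=a1b2c3 ua="Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/74.0" GET /contacts
2019-06-05T10:02:00Z 203.0.113.7 sid=d4e5f6 ua="Mozilla/5.0 (iPhone) Safari/12.1" POST /login
2019-06-05T10:30:00Z 203.0.113.8 sid=d4e5f6 ua="Mozilla/5.0 (iPhone) Safari/12.1" GET /inbox
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_hijacked_sessions(log_text):
    """Return one alert per session id whose cookie is later presented with a
    User-Agent different from the one that performed the login.

    Only the User-Agent is compared: a changed IP address alone is common for
    mobile users and is reported as context, not as the trigger.
    """
    login_client = {}   # sid -> record of the POST /login that created the session
    alerts = {}         # sid -> first mismatching request
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sid = rec["sid"]
        if rec["method"] == "POST" and rec["path"] == "/login":
            login_client[sid] = rec
            continue
        login = login_client.get(sid)
        if login is None or sid in alerts:
            continue
        if rec["ua"] != login["ua"]:
            alerts[sid] = {
                "sid": sid,
                "login_ip": login["ip"],
                "login_ua": login["ua"],
                "new_ip": rec["ip"],
                "new_ua": rec["ua"],
                "seconds_after_login": int((rec["ts"] - login["ts"]).total_seconds()),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in find_hijacked_sessions(SAMPLE_LOG):
        print(alert)
```

On the sample above the function reports only session `a1b2c3`, reused from 198.51.100.9 by a headless browser 69 seconds after login; session `d4e5f6` is left alone. A real deployment would feed this from the web server's access log and invalidate the flagged session rather than just print it.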
How to protect yourself from these phishing attacks?
Complete protection against these attacks is very difficult, since the tool was built specifically to bypass the existing protection measures.
However, not all two-factor authentication methods can be circumvented. Those based on USB hardware tokens that support Universal 2nd Factor (U2F) cannot be bypassed: the token performs a cryptographic exchange with the legitimate site through the browser, tied to the site itself, and that exchange does not pass through the attacker's reverse proxy.
By contrast, one-time codes, whether sent by SMS or generated by an authenticator app, remain vulnerable. The victim types the code in by hand, so it can just as easily be typed into the phishing site.
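The contrast drawn above can be shown concretely. In U2F the browser, not the web page, writes the page's origin into the client data that the token signs, and the token uses a different key for every site it is registered with, so a signature produced while the user sits on a phishing origin is useless to the real site. The block below is an added, simplified model and not the article's or the project's code: an HMAC keyed per site stands in for the token's per-site key pair (real U2F uses ECDSA and a key handle), the browser is modelled as using the page origin directly as the appId, and all origins, challenges and keys are constructed for the example.

```python
"""Why a U2F token is not fooled by a reverse-proxy phishing page.

Added, simplified model: an HMAC derived per site replaces the token's real
per-site key pair so the example runs with the standard library only.
"""
import hashlib
import hmac
import json
import os

LEGIT_ORIGIN = "https://accounts.example.com"       # constructed legitimate site
PHISH_ORIGIN = "https://accounts-example.com.test"  # constructed phishing proxy origin


class Token:
    """Model of a U2F authenticator: one device secret, one derived key per appId."""

    def __init__(self):
        self._secret = os.urandom(32)

    def _site_key(self, app_id):
        return hmac.new(self._secret, app_id.encode(), "sha256").digest()

    def register(self, app_id):
        # Real U2F hands the site a public key and key handle; in this model the
        # site stores the derived symmetric key instead.
        return self._site_key(app_id)

    def sign(self, app_id, client_data):
        # Signed message = H(appId) || H(clientData), as in the U2F signing format.
        msg = hashlib.sha256(app_id.encode()).digest() + hashlib.sha256(client_data).digest()
        return hmac.new(self._site_key(app_id), msg, "sha256").digest()


def browser_assertion(token, page_origin, challenge):
    """The browser builds clientData itself and fixes the current page origin in it."""
    client_data = json.dumps(
        {"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    return client_data, token.sign(page_origin, client_data)


def relying_party_verify(registered_key, expected_origin, challenge, client_data, signature):
    """The legitimate site checks origin and challenge, then the signature over the bytes it received."""
    try:
        data = json.loads(client_data)
    except ValueError:
        return False, "malformed clientData"
    if data.get("origin") != expected_origin:
        return False, "origin mismatch"
    if data.get("challenge") != challenge:
        return False, "challenge mismatch"
    msg = hashlib.sha256(expected_origin.encode()).digest() + hashlib.sha256(client_data).digest()
    expected = hmac.new(registered_key, msg, "sha256").digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


def demo():
    """Return the verification result for a direct login, a proxied login,
    and a proxied login where the proxy rewrote the origin field."""
    token = Token()
    key = token.register(LEGIT_ORIGIN)
    challenge = "constructed-challenge-1"  # a real site sends fresh random bytes each time

    # 1. User logs in directly: browser is on the legitimate origin.
    cd, sig = browser_assertion(token, LEGIT_ORIGIN, challenge)
    direct = relying_party_verify(key, LEGIT_ORIGIN, challenge, cd, sig)

    # 2. Through a proxy: the site's challenge is relayed unchanged, but the
    #    user's browser is on the phishing origin, so that is what gets signed.
    cd_p, sig_p = browser_assertion(token, PHISH_ORIGIN, challenge)
    relayed = relying_party_verify(key, LEGIT_ORIGIN, challenge, cd_p, sig_p)

    # 3. The proxy patches the origin field before forwarding; the signature no
    #    longer matches the bytes the site receives, and it was made with the
    #    phishing site's key anyway.
    tampered = json.dumps({**json.loads(cd_p), "origin": LEGIT_ORIGIN}, sort_keys=True).encode()
    rewritten = relying_party_verify(key, LEGIT_ORIGIN, challenge, tampered, sig_p)

    return direct, relayed, rewritten


if __name__ == "__main__":
    for label, result in zip(("direct", "proxied", "proxied+rewritten"), demo()):
        print(f"{label}: {result}")
```

Running `demo()` gives `(True, 'ok')` for the direct login and a rejection for both proxied variants, first on the origin check and then on the signature. An SMS or app-generated code has no such binding: the same six digits are valid wherever they are typed, which is exactly what the proxy exploits.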
Another protective measure is a browser extension that checks whether the user is entering credentials on the correct site. Google offers such an extension for Chrome, called Password Alert, which warns users when they try to enter their Google credentials on a site that does not belong to Google.
Users must also be trained to recognize fake pages and to stay alert. TLS/SSL and a valid certificate are not enough to prove a site is legitimate: certificates can now be obtained for free, so most phishing sites are served over HTTPS.