Researchers have uploaded a proof on concept for a phishing attack that would bypass two-factor authentication while leaving the user unaware. The technique, which is currently public on Microsoft's GitHub, makes use of a Docker container and reverse proxy. The Muraena reverse proxy combines with a Docker-based tool called Necrobrowser for automating headless Chromium instances. Using Muraena, which is written in Go, attackers can configure their domain for a legitimate Let's Encrypt certificate. A web works as a reverse proxy and pulls regular 2FA resources from a legitimate site. The end result is that a user can visit a phishing site with a real certificate and enter their 2FA code with no warnings. The site will then save the session cookie and can pass it onto Necrobrowser, which can open thousands of Chromium instances to perform tasks like logging in and screenshotting emails, performing password resets or setting up mail forwarding. The Necrobrowser instances can even be used to phish social media contacts.
Researchers Upload Easier 2FA Phishing Method to Microsoft’s GitHub
Two new tools let attackers perform sophisticated 2FA-inclusive phishing attacks with relative ease, leaving the user unaware that their token has been stolen and automatically taking screenshots or setting up email forwarding.