Multi-factor authentication (MFA) has long been touted as a robust defence against phishing, but sophisticated threat actors have developed techniques to circumvent it. A concerning trend has emerged in which cybercriminals bypass MFA through adversary-in-the-middle (AiTM) attacks implemented with reverse proxies, effectively rendering traditional MFA solutions vulnerable. Rather than simply creating fake landing pages to harvest credentials, attackers now position themselves between the victim and the legitimate website, intercepting both the login credentials and the authentication cookie generated after MFA is completed. This approach gives attackers full access to protected accounts despite the presence of MFA.

When a victim receives a phishing email and clicks the malicious link, they are directed to the attacker's reverse proxy server rather than the legitimate site. The attack then proceeds through several phases. First, the victim submits their username and password, which the attacker captures as they pass through the reverse proxy. The attacker relays these credentials to the legitimate site, which triggers a genuine MFA request to the victim. Upon approval, the legitimate site sends an authentication cookie back through the attacker's proxy, where it is intercepted. The attacker now possesses both the login credentials and a valid authentication token, effectively bypassing the MFA protection. Once the account is compromised, attackers often establish persistence by adding their own MFA devices to the victim's account, maintaining long-term access even if the original credentials are changed.

Products such as Tycoon 2FA, Rockstar 2FA, and Evilproxy provide turnkey solutions that enable even technically unsophisticated threat actors to conduct complex MFA bypass operations with minimal effort or understanding of the underlying mechanisms.

The impact of these attacks extends across organizations of all sizes, with particular vulnerability among those that have implemented traditional push-notification or code-based MFA. By contrast, authentication that uses public key cryptography and binds credentials to a specific website origin is resistant to these proxy-based interception techniques, because a proxy cannot produce or relay a valid assertion for an origin it does not control.
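The origin binding behind that last point, as an added Go example that is not code from the article: the browser signs the server's challenge together with the origin it actually loaded, so an assertion produced on a reverse proxy's domain names the wrong origin, and a proxy that rewrites the origin invalidates the signature. The origins, the challenge and the simplified signed message are constructed for this example (real WebAuthn also signs authenticator data, and the browser refuses to use a credential outside its registered domain in the first place).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Constructed relying-party origin for this example (not taken from the article).
const rpOrigin = "https://login.example.com"
// clientData is signed with the challenge; the browser sets Origin from the page it is really on.
type clientData struct{ Challenge, Origin string }

// makeAssertion simulates browser + authenticator: record the observed origin, sign its hash.
func makeAssertion(priv ed25519.PrivateKey, challenge, observedOrigin string) (cd, sig []byte) {
	cd, _ = json.Marshal(clientData{Challenge: challenge, Origin: observedOrigin})
	h := sha256.Sum256(cd)
	return cd, ed25519.Sign(priv, h[:])
}

// verifyAssertion is the relying-party check: fresh challenge, expected origin, then signature.
func verifyAssertion(pub ed25519.PublicKey, challenge string, cd, sig []byte) error {
	var c clientData
	h := sha256.Sum256(cd)
	switch {
	case json.Unmarshal(cd, &c) != nil || c.Challenge != challenge:
		return fmt.Errorf("challenge mismatch")
	case c.Origin != rpOrigin:
		return fmt.Errorf("origin mismatch: signed for %s", c.Origin)
	case !ed25519.Verify(pub, h[:], sig):
		return fmt.Errorf("signature invalid")
	}
	return nil
}
// loginVia plays one login from observedOrigin. With proxyRewritesOrigin the AiTM proxy
// replaces the client data with a copy claiming the real origin before forwarding it.
func loginVia(observedOrigin string, proxyRewritesOrigin bool) string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	challenge := "constructed-nonce-1234" // per-login server challenge, constructed here
	cd, sig := makeAssertion(priv, challenge, observedOrigin)
	if proxyRewritesOrigin { // origin now matches, but the signed hash no longer does
		cd, _ = json.Marshal(clientData{Challenge: challenge, Origin: rpOrigin})
	}
	if err := verifyAssertion(pub, challenge, cd, sig); err != nil {
		return err.Error()
	}
	return "accepted"
}
```

Calling `loginVia(rpOrigin, false)` is accepted, while `loginVia("https://login.example-secure.com", false)` fails on origin and the same call with `true` fails on signature, which is why the cookie-relay trick described above has nothing to relay.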
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 02 May 2025 16:00:07 +0000