Sneaky2FA phishing tool adds ability to insert legit-looking URLs


Since the introduction of multi-factor authentication (MFA), threat actors have been finding ways to get around what can be an effective defense against phishing attacks.

In their latest move, those behind the Sneaky2FA phishing-as-a-service (PhaaS) kit have added browser-in-the-browser (BITB) functionality to help crooks design phishing pages that fool victims.

This function allows the crook to embed a browser window on the victim’s desktop containing a phishing page that includes a URL address bar that can be customized by the attacker to look like a legitimate address (for example, Microsoft Online). BITB differs from attacker-in-the-middle (AITM) attacks, where the threat actor creates an embedded browser window that contains the actual phishing page.

Employees trained to look for suspicious URLs might even be fooled, because the internet address looks real. However, the pop-up window, enabled through a reverse proxy, contains an iframe pointing to a malicious server that captures credentials and MFA codes entered by the unwitting victim. Then the attacker can steal the live session of the account being targeted, as well as user credentials, by logging in in real time.

A warning to CSOs

The report this week from researchers at Push Security describing the Sneaky2FA browser-in-the-browser capability is a warning to CSOs that they have to adapt their employee security awareness training as well as their defensive technology.

BITB tactics are spreading, says the report. It notes that Raccoon0365 was another PhaaS service that has utilized BITB functionality after announcing a ‘BITB mini-panel’ would be added to its offerings. In September, Cloudflare and Microsoft dismantled that gang’s IT infrastructure.

BITB has been known as a concept since 2022, notes David Shipley, head of Canada-based security awareness training firm Beauceron Security. In fact, he added, it is increasingly used by advanced red teams in penetration tests to defeat security controls like MFA.

“It hasn’t been widely used because it hasn’t been needed to get the job done when it comes to compromising organizations,” he said. But as defenses improve, he’s seen use of this technique increase.

What’s dangerous, he said, is that phishing-as-a-service tools are making it easier for entry-level criminals to use these more advanced techniques. 

“This is why I’ve always hated it when people use language like ‘phishing resistant,’ or even worse, ‘phishing proof’ solutions. Additional identity controls like MFA add more friction and resiliency, but can still be bypassed by clever attackers. That’s why it’s critical organizations have both robust technology security control as well as an aware community.” 

That means CSOs and infosec leaders have to do more than just annual compliance-driven security training, Shipley said, instead motivating employees to keep an eye out for unusual things in messaging so they spot and stop phishing and other cyber attacks.

“That’s where many organizations are struggling,” he said. “Not in instructing people or passing on knowledge, but in creating a security culture that motivates people to apply knowledge.”


The addition of BITB, along with the improvement of detection evasion techniques, means that traditional security controls such as email gateways, web filters, and signature-based defenses will continue to be reliably bypassed, Push Security’s report says. 

A look at Sneaky2FA

Sneaky2FA operates through a full-featured bot on Telegram, says the report. Customers reportedly receive access to a licensed, obfuscated version of the source code and deploy it independently. This means they can customize it to their needs. On the other hand, the report notes, Sneaky2FA implementations can be reliably profiled and tracked due to the codebase similarities.

Sneaky2FA has been frequently seen using anti-analysis techniques to detect or disable browser developer tools so they can block attempts to analyze the page for malicious content, the report adds.

Defenders should note that the HTML and JavaScript of Sneaky2FA pages are heavily obfuscated to evade static detection and pattern-matching, the report says. This includes using tactics such as breaking up UI text with invisible tags, embedding background and interface elements as encoded images instead of text, and other changes that are invisible to the user, but make it hard for scanning tools to fingerprint the page.
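As an added illustration of the static-evasion tricks just described (this is not code from Push Security or from the Sneaky2FA kit), the following Python triage script recovers the text a user would actually see from a captured page by skipping hidden elements and zero-width characters, and counts how many hiding tricks it had to undo. The brand keywords and the sample HTML are constructed for this example.

```python
import re
from html.parser import HTMLParser

# Zero-width and soft-hyphen characters commonly used to split words invisibly.
ZERO_WIDTH = re.compile(r"[\u200b\u200c\u200d\u2060\ufeff\u00ad]")
# Inline styles that hide an element from the user but not from a naive scanner.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])")
VOID = {"img", "br", "input", "hr", "meta", "link"}   # tags with no closing tag
BLOCK = {"div", "p", "li", "h1", "h2", "h3", "td", "tr"}  # tags that break text flow
KEYWORDS = ("sign in", "microsoft", "password", "verify your identity")  # constructed list

class VisibleText(HTMLParser):
    """Collects only the text a user would see and counts the tricks it skipped."""
    def __init__(self):
        super().__init__()
        self.parts, self._stack = [], []   # _stack: one 'is hidden' flag per open tag
        self.stats = {"hidden_tags": 0, "zero_width": 0, "data_uri_images": 0}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = tag in ("script", "style") or "hidden" in a \
            or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if tag == "img" and (a.get("src") or "").startswith("data:"):
            self.stats["data_uri_images"] += 1      # UI rendered as an encoded image
        if tag == "br":
            self.parts.append(" ")
        if tag in VOID:
            return
        if hidden:
            self.stats["hidden_tags"] += 1          # invisible filler between visible fragments
        self._stack.append(hidden)
    def handle_endtag(self, tag):
        if tag in VOID:
            return
        if self._stack:
            self._stack.pop()
        if tag in BLOCK:
            self.parts.append(" ")
    def handle_data(self, data):
        if not any(self._stack):                    # drop text inside any hidden ancestor
            self.parts.append(data)

def triage(html: str) -> dict:
    """Return the rendered text, brand keywords found in it, and an obfuscation score."""
    p = VisibleText(); p.feed(html); p.close()
    raw = "".join(p.parts)
    p.stats["zero_width"] = len(ZERO_WIDTH.findall(raw))
    text = re.sub(r"\s+", " ", ZERO_WIDTH.sub("", raw)).strip().lower()
    hits = [k for k in KEYWORDS if k in text]
    score = p.stats["hidden_tags"] + p.stats["zero_width"] + 2 * p.stats["data_uri_images"]
    return {"visible_text": text, "keyword_hits": hits, "score": score, **p.stats}

# Constructed sample: "Sign in to Microsoft" / "Password" split by invisible tags and a
# zero-width space, plus a background image embedded as a data: URI.
SAMPLE = ('<div><span>Sig</span><span style="display:none">qk7</span><span>n&#8203; in</span>'
          ' to <span>Micr</span><i hidden>zz</i><span>osoft</span></div>'
          '<img src="data:image/png;base64,AAAA"><p>Pass<span style="font-size:0">x</span>word</p>')
```

A naive scanner sees "Sig qk7 n" and "Micr zz osoft" and matches nothing; the rendered text "sign in to microsoft password" matches every keyword and carries a non-zero obfuscation score worth alerting on.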

Campaigns are also known to use a ‘burn-and-replace’ tactic, hiding behind a fresh, long, randomized URL that lies dormant or serves harmless content until right before the attack, and then quickly vanishes. This is to defeat domain reputation or pattern-matching defense technologies.

A game of cat and mouse

Dan Green, author of the Push Security report, told CSO in an email that email isn’t the only way BITB attacks are spreading. In the past several months, his firm has seen LinkedIn Messenger and Google Search being used as well.

“We would encourage security teams to re-evaluate how they approach phishing detection,” he said. “[Phishing] is becoming increasingly sophisticated, it’s no longer just an email problem, and the risks are significant. A compromised enterprise cloud account (for example, Microsoft or Google Workspace) is effectively the key to everything you access in the course of the modern workday. This isn’t just the direct access to your enterprise cloud suite, but the downstream application access via SSO (single sign-on) that can be hijacked by the attacker. Most breaches start with compromised identities today, compared with software exploits or malware execution.”

Roger Grimes, data-driven defense CISO advisor at security awareness training provider KnowBe4, noted that browser vendors have worked for decades trying to prevent malicious popup boxes from appearing because they are so tricky. However, he added, criminals keep on figuring out ways to bypass the protections.

On the other hand, he added, it is getting ever harder for criminals to create malicious popup boxes. Users still have a chance to see what is happening if they are aware, he said. “Sadly,” he said, “a large percentage of users don’t.”

Educating users by providing information and examples of how browser pop-up attacks work is key, he said. In addition, CSOs should make sure browsers used by employees are as well configured as they can be to prevent these types of attacks.

“Browser vendors will respond and close the holes, but it’s always a reactive game of cat-and-mouse with the defenders always behind,” he said. “Pretty soon AI-enabled defense tools will do a better job at preventing them from happening at all. We just have to cover the gap for now.”
