{"id":5889,"date":"2025-11-21T02:03:54","date_gmt":"2025-11-21T02:03:54","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5889"},"modified":"2025-11-21T02:03:54","modified_gmt":"2025-11-21T02:03:54","slug":"sneaky2fa-phishing-tool-adds-ability-to-insert-legit-looking-urls","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5889","title":{"rendered":"Sneaky2FA phishing tool adds ability to insert legit-looking URLs"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Since the introduction of multi-factor authentication (MFA), threat actors have been finding ways to get around what can be an effective defense against phishing attacks.<\/p>\n<p>In their latest move, those behind the Sneaky2FA phishing-as-a-service (PhaaS) kit have added browser-in-the-browser (BITB) functionality to help crooks design phishing pages that fool victims.<\/p>\n<p>This function allows the crook to embed a browser window on the victim\u2019s desktop containing a phishing page that includes a URL address bar that can be customized by the attacker to look like a legitimate address to, for example, Microsoft online. BITB differs from attacker-in-the-middle (AITM) attacks, where the threat actor creates an embedded browser window that contains the actual phishing page.\u00a0<\/p>\n<p>Employees trained to look for suspicious URLs might even be fooled, because the internet address looks real. However, \u00a0the pop-up window, enabled through a reverse proxy, contains an iframe pointing to a malicious server that captures credentials and MFA codes entered by the unwitting victim. 
Then the attacker can steal the live session of the account being targeted, as well as user credentials, by logging in in real time.<\/p>\n<h2 class=\"wp-block-heading\">A warning to CSOs<\/h2>\n<p>The report this week <a href=\"https:\/\/pushsecurity.com\/blog\/analyzing-the-latest-sneaky2fa-phishing-page\/\" target=\"_blank\" rel=\"noopener\">from researchers at Push Security <\/a>describing the Sneaky2FA browser-in-the-browser capability is a warning to CSOs that they have to adapt their employee security awareness training as well as their defensive technology.<\/p>\n<p>BITB tactics are spreading, says the report. It notes that Raccoon0365 was another PhaaS service that has utilized BITB functionality after\u00a0announcing a \u2018BITB mini-panel\u2019 would be added to its offerings. In September, Cloudflare and Microsoft <a href=\"https:\/\/www.csoonline.com\/article\/4058634\/microsoft-and-cloudflare-execute-rugpull-on-massive-phishing-empire.html\" target=\"_blank\" rel=\"noopener\">dismantled that gang\u2019s IT infrastructure<\/a>.<\/p>\n<p>BITB has been known as a concept since 2022, notes David Shipley, head of Canadian-based security awareness training firm Beauceron Security. In fact, he added, it is increasingly used by advanced red teams in penetration tests to defeat security controls like MFA.<\/p>\n<p>\u201cIt hasn\u2019t been widely used because it hasn\u2019t been needed to get the job done when it comes to compromising organizations,\u201d he said. But as defenses improve, he\u2019s seen use of this technique increase.<\/p>\n<p>What\u2019s dangerous, he said, is that phishing-as-a-service tools are making it easier for entry-level criminals to use these more advanced techniques.\u00a0<\/p>\n<p>\u201cThis is why I\u2019ve always hated it when people use language like \u2018phishing resistant,\u2019 or even worse, \u2018phishing proof\u2019 solutions. 
Additional identity controls like MFA add more friction and resiliency, but can still be bypassed by clever attackers. That\u2019s why it\u2019s critical organizations have both robust technology security control as well as an aware community.\u201d\u00a0<\/p>\n<p>That means CSOs and infosec leaders have to do more than just annual compliance-driven security training, Shipley said, instead motivating employees to keep an eye out for unusual things in messaging so they spot and stop phishing and other cyber attacks.<\/p>\n<p>\u201cThat\u2019s where many organizations are struggling,\u201d he said. \u201cNot in instructing people or passing on knowledge, but in creating a security culture that motivates people to apply knowledge.\u201d<\/p>\n<p><strong><a href=\"https:\/\/www.csoonline.com\/article\/570795\/how-to-hack-2fa.html\" target=\"_blank\" rel=\"noopener\">Related content: How MFA gets hacked<\/a><\/strong><\/p>\n<p>The addition of BITB, along with the improvement of detection evasion techniques, means that traditional security controls such as email gateways, web filters, and\u00a0signature-based defenses will continue to be reliably bypassed, Push Security\u2019s report says.\u00a0<\/p>\n<h2 class=\"wp-block-heading\">A look at Sneaky2FA<\/h2>\n<p>Sneaky2FA operates through a full-featured bot on Telegram, says the report. Customers reportedly receive access to a licensed, obfuscated version of the source code and deploy it independently. This means they can customize it to their needs. 
On the other hand, the report notes, Sneaky2FA implementations can be reliably profiled and tracked due to the codebase similarities.<\/p>\n<p>Sneaky2FA has been frequently seen using\u00a0anti-analysis techniques to detect or\u00a0disable browser developer tools\u00a0so they can block attempts to analyze the page for malicious content, the report adds.<\/p>\n<p>Defenders should note that the HTML and JavaScript of Sneaky2FA pages are heavily obfuscated\u00a0to evade static detection and pattern-matching,\u00a0the report says. This includes using tactics such as\u00a0breaking up UI text with invisible tags, embedding background and interface elements as encoded images instead of text, and other changes that are invisible to the user, but make it hard for scanning tools to fingerprint the page.<\/p>\n<p>Campaigns are also known to use a \u2018burn-and-replace\u2019 tactic, hiding behind a fresh, long, randomized URL that lies dormant or serves harmless content until right before the attack, and then quickly vanishes. This is to defeat domain reputation or pattern-matching defense technologies.<\/p>\n<h2 class=\"wp-block-heading\">A game of cat and mouse<\/h2>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/daniel-g-\/\">Dan Green<\/a>, author of the Push Security report, told <em>CSO <\/em>in an email that email isn\u2019t the only way BITB attacks are spreading. In the past several months, his firm has seen LinkedIn Messenger and Google Search being used as well.<\/p>\n<p>\u201cWe would encourage security teams to re-evaluate how they approach phishing detection,\u201d he said. \u201c[Phishing] is becoming increasingly sophisticated, it\u2019s no longer just an email problem, and the risks are significant. A compromised enterprise cloud account (for example, Microsoft or Google Workspace) is effectively the key to everything you access in the course of the modern workday. 
This isn\u2019t just the direct access to your enterprise cloud suite, but the downstream application access via SSO (single sign-on) that can be hijacked by the attacker. Most breaches start with compromised identities today, compared with software exploits or malware execution.\u201d<\/p>\n<p><a href=\"https:\/\/blog.knowbe4.com\/author\/roger-grimes\">Roger Grimes<\/a>, data-driven defense CISO advisor at security awareness training provider KnowBe4, noted that browser vendors have worked for decades trying to prevent malicious pop-up boxes from appearing because they are so tricky. However, he added, criminals keep on figuring out ways to bypass the protections.<\/p>\n<p>On the other hand, he added, it is getting ever harder for criminals to create malicious pop-up boxes. Users still have a chance to see what is happening if they are aware, he said. \u201cSadly,\u201d he said, \u201ca large percentage of users don\u2019t.\u201d<\/p>\n<p>Educating users by providing information and examples of how browser pop-up attacks work is key, he said. In addition, CSOs should make sure browsers used by employees are as well configured as they can be to prevent these types of attacks.<\/p>\n<p>\u201cBrowser vendors will respond and close the holes, but it\u2019s always a reactive game of cat-and-mouse with the defenders always behind,\u201d he said. \u201cPretty soon AI-enabled defense tools will do a better job at preventing them from happening at all. We just have to cover the gap for now.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Since the introduction of multi-factor authentication (MFA), threat actors have been finding ways to get around what can be an effective defense against phishing attacks. In their latest move, those behind the Sneaky2FA phishing-as-a-service (PhaaS) kit have added browser-in-the-browser (BITB) functionality to help crooks design phishing pages that fool victims. 
This function allows the crook [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5890,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5889","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5889"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5889"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5889\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5890"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5889"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5889"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5889"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}