
Multi-factor authentication (MFA), once considered a strong safeguard, is becoming increasingly vulnerable to a newer class of attack: adversary-in-the-middle (AiTM) phishing. Attackers have learned to bypass one-time passcodes (OTP) and push notifications using ready-made tools.
Cisco Talos researchers warn that the darknet now hosts a full market of services such as EvilProxy, Rockstar 2FA, and Mamba 2FA. These phishing-as-a-service kits let even beginners stand up fake login pages and proxy servers that intercept credentials and MFA codes.
A typical attack scenario: the victim receives a link to a fake page disguised as, say, Google. They enter their credentials, which the proxy intercepts and forwards to the real site, triggering an MFA request.
The proxy then relays the real MFA prompt back to the user, who, believing they are on the legitimate site, completes it. The attacker gains full access to the account despite MFA being enabled.
Push notifications fail in the same way: users often tap "approve" just as they normally would. Against a relaying proxy, these traditional MFA methods are no stronger than passwords.
Proxy-based attacks are on the rise. In 2022, one hacker group stole 10,000 credentials from 137 companies, including Twilio. Only Cloudflare was protected, thanks to a more secure method: WebAuthn.
WebAuthn, unlike OTP or push codes, cryptographically binds each login to the site's origin (its URL) and to the device holding the key. Even a perfect clone of a site cannot pass authentication if the URL differs by a single character.
It also requires a physical authenticator, such as a phone, laptop, or USB security key. Attempts to complete WebAuthn through a proxy simply fail, because the proxy has no access to the key.
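The two behaviours described above, the relayed OTP that still verifies and the WebAuthn assertion that does not, can be shown side by side. The following is an added illustration, not code from the article or from Cisco Talos; it models the browser, authenticator and relying party in plain Python. The relying-party name `accounts.example.com`, the phishing host, and the credential key are constructed values, and an HMAC key stands in for the authenticator's private key because the standard library has no ECDSA (real WebAuthn uses an asymmetric key pair, and the site stores only the public key). The verification steps follow the order the WebAuthn specification gives for checking an assertion.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed relying-party identity for this example.
RP_ID = "accounts.example.com"
EXPECTED_ORIGIN = "https://accounts.example.com"
# Stand-in credential key (assumption): the stdlib has no ECDSA, so an HMAC key
# models the authenticator's private key. A real authenticator holds an
# asymmetric private key and the relying party keeps only the public half.
CREDENTIAL_KEY = b"constructed-credential-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def authenticator_sign(rp_id: str, client_data: bytes) -> tuple[bytes, bytes]:
    """Model of the authenticator: binds the RP ID into authenticatorData and signs
    authenticatorData || SHA-256(clientDataJSON). The key never leaves the device."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = b"\x05"                      # user present + user verified
    sign_count = (1).to_bytes(4, "big")
    auth_data = rp_id_hash + flags + sign_count
    signed = auth_data + hashlib.sha256(client_data).digest()
    return auth_data, hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()


def browser_assertion(page_origin: str, challenge: bytes) -> tuple[bytes, bytes, bytes]:
    """Model of the browser: it writes the origin of the page that called
    navigator.credentials.get() into clientDataJSON and derives the RP ID from that
    origin's host. Page script cannot override either value."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": page_origin,
    }).encode()
    host = page_origin.split("://", 1)[1].split("/", 1)[0]
    auth_data, signature = authenticator_sign(host, client_data)
    return client_data, auth_data, signature


def verify_assertion(challenge: bytes, client_data: bytes, auth_data: bytes, signature: bytes) -> str:
    """Relying-party checks for an assertion: type, challenge, origin, rpIdHash, signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if not hmac.compare_digest(cd.get("challenge", ""), b64url(challenge)):
        return "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return "bad signature"
    return "ok"


def login_from(page_origin: str) -> str:
    """User completes WebAuthn on a page served from page_origin; a proxy forwards
    the assertion unchanged to the real site."""
    challenge = secrets.token_bytes(32)
    client_data, auth_data, signature = browser_assertion(page_origin, challenge)
    return verify_assertion(challenge, client_data, auth_data, signature)


def login_via_proxy_patching_fields(phish_origin: str) -> str:
    """A proxy that rewrites the origin field and rpIdHash to the genuine values still
    fails: the signature covers both authenticatorData and SHA-256(clientDataJSON),
    and the proxy has no key to re-sign with."""
    challenge = secrets.token_bytes(32)
    client_data, auth_data, signature = browser_assertion(phish_origin, challenge)
    patched_cd = client_data.replace(phish_origin.encode(), EXPECTED_ORIGIN.encode())
    patched_ad = hashlib.sha256(RP_ID.encode()).digest() + auth_data[32:]
    return verify_assertion(challenge, patched_cd, patched_ad, signature)


def otp_relayed_through_proxy() -> str:
    """Contrast: a TOTP/SMS code carries no origin, so the code the user types on the
    fake page verifies once the proxy forwards it to the real site."""
    issued = f"{secrets.randbelow(10**6):06d}"
    typed_on_phish_page = issued           # user copies the genuine code into the fake page
    return "ok" if hmac.compare_digest(typed_on_phish_page, issued) else "bad code"


if __name__ == "__main__":
    print("OTP relayed by proxy:      ", otp_relayed_through_proxy())
    print("WebAuthn on real site:     ", login_from(EXPECTED_ORIGIN))
    print("WebAuthn on look-alike:    ", login_from("https://accounts-example.com"))
    print("WebAuthn, proxy patches:   ", login_via_proxy_patching_fields("https://accounts-example.com"))
```

The look-alike host differs from the real one by a single character (a hyphen instead of a dot), which is enough for the origin check to reject the assertion, and any attempt by the proxy to patch the rejected fields invalidates the signature instead. The OTP path has no such binding, which is the whole reason the relay works.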
A successful attack risks more than account access: personal data such as home addresses, banking details, and private communications may also be exposed.
As phishing evolves and SMS and push-based MFA become outdated, experts recommend switching to WebAuthn. It remains the most reliable protection against both fraudsters and their increasingly capable proxies.