A relatively new form of cyberattack needs to be better appreciated, according to Telehealth.org’s Marlene Maheu.
Known as authentication-in-the-middle attacks, these cyber threats target multi-factor authentication (MFA) systems. The attacks are sophisticated phishing schemes in which attackers use tools like evilginx2, Modlishka, and EvilnoVNC to capture MFA codes. Despite the increased security that MFA provides, these tools allow scammers to bypass it by tricking users into entering their credentials on fake websites that mimic legitimate services such as Okta, Microsoft 365, and Google Workspace.
Authentication-in-the-middle attacks resemble traditional man-in-the-middle attacks. In these scenarios, a user is deceived into visiting a phishing site that looks like a legitimate one. When the user enters their login information, the attackers capture it and use it in real time to log into the actual site. The user is then asked to complete the MFA step, during which the attackers intercept the MFA code or push notification, granting them full access to the user’s account. This enables scammers to alter account settings or steal sensitive information.
Maheu explains the process scammers use to exploit MFA. They lure victims to phishing sites through links in emails, social media messages, or sponsored search results. These links often appear legitimate, making it hard for users to distinguish them from real ones. When users enter their credentials on these fake sites, the attackers capture the information and use it to access the actual sites.
During the MFA process, the attackers intercept the entered code or push notification, allowing them to gain unauthorized access.
To protect against these attacks, Maheu suggests several strategies. Staying vigilant and skeptical of unsolicited links is crucial. Reliable security software can block many phishing sites by identifying known phishing domains. Password managers can enhance security by auto-filling credentials only on legitimate sites, reducing the risk of entering information on a phishing site.
Perhaps most importantly, Maheu also recommends considering passkeys, which offer a more secure alternative to traditional MFA methods and cannot be intercepted in the same way. MFA that requires the use of biometrics can be particularly robust, given that hackers can’t easily mimic such tokens, but passkeys may also be a double-edged sword due to their support for PINs, which are less secure. A hacker needs only to enter the right PIN in order to re-register the biometric template on a given device.
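To illustrate why a passkey sign-in resists the relay described above, the following added example (not from Maheu's article or any vendor's code) sketches the origin and challenge checks a WebAuthn relying party applies to a sign-in response. The domain names, `check_assertion_binding` and `make_sample` are assumptions constructed for illustration, and signature verification is left out.

```python
import base64
import hashlib
import json

# Assumed relying-party values, for illustration only.
EXPECTED_ORIGIN = "https://login.example.com"
RP_ID = "login.example.com"


def b64url(data):
    """Base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_assertion_binding(client_data_json, authenticator_data, challenge):
    """Return (ok, reason) for the origin-binding checks on a sign-in response.

    Verifying the signature over authenticator_data + SHA-256(client_data_json)
    is a separate step and is not shown here.
    """
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return False, "wrong type"
    if client.get("challenge") != b64url(challenge):
        return False, "challenge mismatch"
    # The browser, not the page, records the origin it actually loaded.
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch"
    # The first 32 bytes of authenticator data are SHA-256 of the RP ID.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def make_sample(origin, rp_id, challenge):
    """Build a constructed (not captured) response as a browser at `origin` would."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()
    flags_and_counter = b"\x05" + (1).to_bytes(4, "big")
    return client_data, hashlib.sha256(rp_id.encode()).digest() + flags_and_counter


if __name__ == "__main__":
    challenge = b"constructed-server-challenge-001"
    genuine = make_sample(EXPECTED_ORIGIN, RP_ID, challenge)
    print(check_assertion_binding(*genuine, challenge))
    # A response produced on a lookalike domain carries that domain's origin.
    lookalike = make_sample("https://login.examp1e.com", "login.examp1e.com", challenge)
    print(check_assertion_binding(*lookalike, challenge))
```

A one-time code typed into a page carries no record of where it was entered, which is why it can be relayed; here the origin is part of the signed data, so a response generated on a lookalike domain fails the server's check.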
In any case, Maheu points to a little-understood cyberthreat that could become more pronounced as hackers leverage ever more sophisticated tools in their phishing schemes. Read her full argument at Telehealth.org.
May 22, 2024 – by Cass Kennedy