There have been recent observations of two new tools – Muraena and NecroBrowser – that automate phishing attacks designed to bypass two-factor authentication (2FA). This essentially means that 2FA is less safe than it is currently thought to be. At the moment, 2FA is in common use by many sites online, ranging from blogs to financial institutions.
Multi-factor authentication (MFA), of which 2FA is a subset, added an additional dimension of security to the traditional username-and-password model of authentication. The second verification code is typically sent to a location that only the user can access, such as an email inbox or mobile device.
What are Muraena and NecroBrowser?
Normally, phishing attacks make use of things that lull people into complacency, such as fake login pages or custom domains that resemble normally trusted ones. 2FA took away much of this danger, since the fake sites could not trigger the second part of the authentication process. Without that portion, the usernames and passwords were of limited use to those carrying out phishing attacks.
Muraena and NecroBrowser are tools that were developed to overcome this exact weakness in the phishing process. With these tools, 2FA-targeting phishing attacks can be automated, much as brute-force and complex password attacks already are. The end result: 2FA is less safe.
According to ARN, the tools were created by researchers Michele Orru, a former core developer of the Browser Exploitation Framework Project (BeEF), and Giuseppe Trotta, a member of the Bettercap project. The objective was not to conduct phishing attacks per se, but to prove that 2FA isn’t as secure as it was once thought to be.
What to Do Now That 2FA Is Less Safe?
While there is not yet a solution for guarding against these tools, Rehan Bashir, Managing Security Consultant at Synopsys, has commented that users should follow basic security practices when reading their emails or browsing the Internet.
“For example, be sensible when opening emails, do not click on shortened links in the emails or unsolicited text messages received on their phones, read emails twice to make a judgement if the content makes sense in the context in which the email is received, always browse using HTTPS, etc.”
Bashir also recommends switching to a USB-based 2FA system for tighter security, as the new method has not yet been shown to be able to exploit 2FA based on the Universal 2nd Factor (U2F) standard.
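An added illustration (not code from the tools or from the article) of why a relaying phishing proxy of this kind captures a one-time code but not a U2F assertion: the browser embeds the origin it actually saw in the signed client data, and the real site rejects any other origin. The HMAC stands in for the device's ECDSA signature, and both origins are constructed placeholders.

```python
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://accounts.example.test"    # constructed: the legitimate site
PROXY_ORIGIN = "https://accounts-example.test"   # constructed: the phishing proxy


def totp(secret: bytes, t: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", int(t // step)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def rp_verify_totp(secret: bytes, submitted: str, t: float) -> bool:
    """A TOTP code says nothing about where it was typed, so a code entered
    on the proxy page and relayed to the real site verifies just the same."""
    return hmac.compare_digest(submitted, totp(secret, t))

def browser_sign(key: bytes, challenge: bytes, page_origin: str) -> dict:
    """The browser records the calling page's origin in the client data; the
    authenticator signs its hash (HMAC here stands in for ECDSA P-256)."""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": page_origin})
    digest = hashlib.sha256(client_data.encode()).digest()
    return {"client_data": client_data,
            "signature": hmac.new(key, digest, hashlib.sha256).hexdigest()}

def rp_verify_u2f(key: bytes, challenge: bytes, assertion: dict) -> bool:
    """Check the signature, the issued challenge, and that the signed origin is
    the relying party's own: a proxy-origin assertion fails the last check."""
    digest = hashlib.sha256(assertion["client_data"].encode()).digest()
    expected = hmac.new(key, digest, hashlib.sha256).hexdigest()
    data = json.loads(assertion["client_data"])
    return (hmac.compare_digest(expected, assertion["signature"])
            and data["challenge"] == challenge.hex()
            and data["origin"] == REAL_ORIGIN)

def relay_attack_outcomes() -> dict:
    # Simulate the proxy relaying each kind of second factor to the real site.
    totp_secret, u2f_key, now = secrets.token_bytes(20), secrets.token_bytes(32), 1_700_000_000.0
    relayed_code = totp(totp_secret, now)            # victim types the code on the proxy page
    challenge = secrets.token_bytes(32)              # real site's challenge, forwarded by proxy
    relayed = browser_sign(u2f_key, challenge, PROXY_ORIGIN)  # signed on the proxy's origin
    genuine = browser_sign(u2f_key, challenge, REAL_ORIGIN)   # signed on the real origin
    return {"totp_relayed_accepted": rp_verify_totp(totp_secret, relayed_code, now),
            "u2f_relayed_accepted": rp_verify_u2f(u2f_key, challenge, relayed),
            "u2f_genuine_accepted": rp_verify_u2f(u2f_key, challenge, genuine)}
```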
As per the 2018 Verizon Data Breach Incident Report (DBIR), 98% of the breaches occur due to phishing, which means that users are the weakest link when it comes to security. New techniques and methods will continue to evolve to exploit this weakest link, so users need to be constantly educated on security.