MFA Bypass – Stealing Cookies


How Adversary-in-the-Middle attacks are undermining multi-factor authentication

According to Verizon’s authoritative Data Breach Investigation Report, 90% of data breaches start by stealing user credentials via a phishing or smishing attack. Once the attackers have gotten a username and password combination, they have unrestricted access to your account, be it email, online storage, CRM, ERP, or any online business application. This is a particular problem in today’s cloud computing era, when web access to business applications is the norm. So you no longer have to be connected to the corporate network to access these systems – an internet connection is enough.

Why Multi-factor Authentication is critical to cyberdefense

Security professionals are well aware of this reality and, for this reason, have promoted the adoption of multi-factor authentication (MFA). MFA addresses the risk of account compromise by ensuring that possession of a username/password combination alone is no longer enough to get access. Now the attacker must also be able to get hold of a second factor. This can take many forms: a one-time use code sent to a trusted device, a code generated by an authenticator app or security device or a biometric fingerprint.

Introducing MFA is not without challenges. Employees and customers need to be educated in the new process and often view the additional step or steps as an annoyance. Nonetheless, there has been real progress, and a variety of industry surveys suggest that today more than 50% of organizations have implemented MFA.

How cyber-criminals bypass MFA

But in the arms race that characterizes the battle between cybersecurity attackers and defenders, the bad guys have responded with new techniques which have been successful in breaching accounts protected with multi-factor authentication.

They have done this by combining phishing with a variety of methods. These include redirecting one-time passwords sent over SMS to a cloned SIM card (SIM swapping) or using mobile malware to capture authentication codes. But by far the most dangerous technique for undermining the effectiveness of MFA is an attack which combines phishing with a method known as ‘Adversary-in-the-Middle’ (AiTM for short). Rather than intercepting the one-time password, this technique works by ‘listening in’ on the login process and then stealing the authentication cookie generated when a user successfully logs in.

Traditionally a phishing attack steals credentials by presenting the account owner with a fake version of the login page of a legitimate service. As the example of a recent attack against Revolut users shows, such fake login pages can be extremely well crafted and difficult for even the vigilant to detect.

However, an attack like this is easily defeated when multi-factor authentication is required. So how have the bad guys altered their tactics? What is an Adversary-in-the-Middle attack?

As in all phishing attacks, it starts with a malicious link delivered over email, SMS or some other messaging platform. But instead of redirecting to a fake login page, the link sends the user to a server which transparently forwards the user’s requests to the legitimate site. This ‘reverse proxy’ simply sits in the middle and is invisible to the end user. Once the user successfully authenticates by entering their password and one-time code, the attacker steals the authentication cookie. Once in possession of the cookie, the attacker can inject it into their own browser and have unrestricted access to the compromised account without needing to provide a username, password, or second-factor code.

What about encryption?

Transport layer security is a fundamental building block of security on the web. It ensures that even when attackers can intercept communications, they have no way of decoding their contents.

However, encryption doesn’t protect against an AiTM attack. The user who falls for the lure and clicks on the malicious link believes they are requesting a connection to a legitimate site. An encrypted session is created between the user’s browser and the site to which it connects (so you’ll see the lock sign in your browser). But everything you enter, including username, password, and authentication code, is fully visible to the attacker, as it is their website to which you are connected. The attacker then logs into the legitimate site (for example, on your behalf. You now have access to the service as expected, but so does the attacker, who has, unknown to you, copied your authentication cookie. With the authentication cookie, the attacker is free to log into the compromised account for weeks, if not months, after the initial breach.
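The two preceding passages describe the same sequence from the server’s point of view: a cookie is issued to one client at login and later replayed from a different browser. As an added example (not code from the original post, nor from any product or toolkit it mentions), the Python below models one server-side control against that replay: bind each session to the client it was issued to, and revoke the session and raise an alert when the same cookie arrives from another client or after its maximum age. The session store, the choice of client identifiers (IP address and User-Agent), and all sample values (documentation-range IP addresses, user names, timestamps) are constructed for the illustration.

```python
"""Server-side session binding and stolen-cookie detection (added example)."""
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    issued_at: float
    client_ip: str
    user_agent: str
    revoked: bool = False


@dataclass
class Alert:
    user: str
    reason: str
    seen_from: str
    bound_to: str


class SessionStore:
    """Issues opaque session tokens and re-checks, on every request, that the
    token is still presented by the client it was issued to (hypothetical store)."""

    def __init__(self, max_age_s: int = 8 * 3600):
        self.max_age_s = max_age_s
        self.sessions: dict[str, Session] = {}
        self.alerts: list[Alert] = []

    def issue(self, user: str, client_ip: str, user_agent: str, now: float) -> str:
        # The token is the value that would be sent in the Set-Cookie header.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, now, client_ip, user_agent)
        return token

    def check(self, token: str, client_ip: str, user_agent: str, now: float) -> str:
        s = self.sessions.get(token)
        if s is None or s.revoked:
            return "denied: unknown or revoked session"
        if now - s.issued_at > self.max_age_s:
            # Short lifetimes cap how long a copied cookie stays usable.
            s.revoked = True
            return "denied: session expired, re-authenticate"
        if (client_ip, user_agent) != (s.client_ip, s.user_agent):
            # The same cookie from a different client is the footprint of a
            # replayed cookie: revoke it for everyone and record an alert.
            s.revoked = True
            self.alerts.append(Alert(
                user=s.user,
                reason="cookie replayed from a different client",
                seen_from=f"{client_ip} / {user_agent}",
                bound_to=f"{s.client_ip} / {s.user_agent}",
            ))
            return "denied: session bound to a different client (possible stolen cookie)"
        return "ok"


def demo():
    """Constructed sequence: alice logs in, her cookie later appears elsewhere,
    and bob's session is checked after its maximum age."""
    store = SessionStore(max_age_s=8 * 3600)
    victim_ip, victim_ua = "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"
    t0 = 1_700_000_000
    cookie = store.issue("alice", victim_ip, victim_ua, now=t0)
    bob_cookie = store.issue("bob", "203.0.113.20", victim_ua, now=t0)
    outcomes = [
        store.check(cookie, victim_ip, victim_ua, now=t0 + 60),            # legitimate use
        store.check(cookie, "198.51.100.7", "Mozilla/5.0 Chrome/118.0", now=t0 + 3600),  # replayed elsewhere
        store.check(cookie, victim_ip, victim_ua, now=t0 + 3700),          # victim's next request, now revoked
        store.check(bob_cookie, "203.0.113.20", victim_ua, now=t0 + 9 * 3600),  # past max age
    ]
    return outcomes, store.alerts


if __name__ == "__main__":
    outcomes, alerts = demo()
    for line in outcomes:
        print(line)
    for alert in alerts:
        print(alert)
```

Cookie attributes such as Secure and HttpOnly do not help against this attack: the proxy terminates TLS and reads the Set-Cookie header in transit, so the controls have to live server-side (binding, short lifetimes, re-authentication before sensitive actions) and at the delivery layer, where the post argues phishing links must be blocked. Binding to IP address and User-Agent produces false positives (mobile networks change addresses mid-session) and only raises the bar, so treat the alert as an investigation trigger rather than proof of compromise.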

Evidence that the threat is growing

In recent months there have been multiple reports of successful breaches using the AiTM technique. Microsoft recently reported on a large-scale phishing attack targeting over 10,000 organizations which successfully compromised business email accounts. To make matters worse, potential attackers now have access to a range of toolkits, including Modlishka, Necrobrowser, Evilginx2, and Evilproxy, which make it increasingly easy to launch this type of sophisticated attack.

Understanding in detail how these attacks are executed helps reinforce how devastating they can be and emphasizes how important it is to have protection in place to block phishing attacks over every channel: email, SMS, WhatsApp, and all the other communications channels your staff use today. Phishing protection is no longer solely about protecting your email service – it must encompass all of the delivery channels through which phishing links can arrive.
