Intrusion testers and hackers from all around the world have recently been able to add a new dodgy method to their arsenal. This technique automates phishing attacks on two-factor authentication (2FA). Also, 2FAs are nowadays used on a lot of websites, and it is not easy to detect and block. This toolkit was presented last month at the “Hack in the Box” conference in Amsterdam and was released on GitHub a few days later. It is made of two components which are a transparent reverse-proxy called Muraena and a Docker container – called NecroBrowser – to automate Headless Chromium instances.

A tool for creating a phishing site in no time!

Muraena and NecroBrowser were designed to overcome these protections and automate most of the process of such a hack. It means that more attackers can now launch phishing attacks that can bypass 2FA protection on popular high risks websites. Michele Orru, former developer of the Browser Exploitation Framework Project (BeEF), and Giuseppe Trotta, member of the Bettercap project, created those tools.

Written with the Go programming language, Muraena can be compiled and executed on any platform where Go language is available. Once deployed, the attacker can configure his phishing domain and obtain a legitimate certificate for it, for example, by using the Let’s Encrypt Free certification authority. It contains a minimal web server that acts as a reverse-proxy and a crawler that automatically determines proxy resources from the legitimate website. The agent transparently rewrites the requests received from the victim before forwarding them. The crawler automatically creates a JSON configuration file. Pirates can then modify it to bypass various defenses on more complex websites. The package includes sample configuration files for Google, GitHub, and Dropbox.

A big problem but few solutions

Unfortunately, few technical solutions completely block such server-side phishing attacks. Muraena shows that techniques such as SRI and CSP have a limited effect and can be bypassed automatically. Besides, the tool indicates that 2FA is not a foolproof solution.

However, this type of proxy phishing cannot defeat some 2FA implementations such as those using USB hardware tokens with Universal 2nd Factor (U2F) support. It is because these USB tokens establish a cryptographically verified connection to the legitimate website through the browser, which does not pass through the attacker’s reverse-proxy. Also, solutions based on codes received by SMS or generated by mobile authentication applications are vulnerable, as victims have to enter them manually.

Vigilance is required

Another technical solution to check if the user enters his or her credentials on the right website. Google has developed such an extension for Chrome called Password Alert.

It alerts users if they try to open their Google credentials on a site that does not belong to Google.
Training users to be vigilant and ensure that they authenticate themselves on the right website with the right domain name remains very important. The presence of a TLS/SSL indicator and a valid certificate are not sufficient to consider a website legitimate.

Certificates can now be easily obtained free of charge so that most phishing sites will be HTTPS compliant.