By Staff Writer at LMG Security   /   Feb 22nd, 2022

New Phishing-as-a-Service Kits Bypass MFA – Here’s What to Do Next 

phishing as a service image The number of phishing attacks — the most common type of cybercrime — has exploded. Even worse, new attacks and phishing-as-a-service kits have recently surfaced with the ability to bypass multi-factor authentication (MFA). With MFA being one of the most effective means of stopping phishing, what does this mean for individuals and organizations? Let’s look at the current state of phishing attacks and what you can do to confront this evolving threat.

In the US alone, hundreds of thousands of companies and individuals are victimized every year. According to the latest FBI Internet Crime Complaint Center report, from 2019 to 2020, the number of phishing complaints soared from 114,702 to 241,342. A subsequent report from the Anti-Phishing Working Group (APWG) revealed that the activity reached a monthly record in Q3 2021 with attacks doubling since early 2020. This makes phishing by far the most frequently reported cybercrime.

Phishing is cheap, easy, and effective criminal activity that is likely to become even more dangerous with new, inexpensive phishing-as-a-service MFA bypass kits. In this article, we’ll unpack why the number of phishing exploits has grown, the augmented danger due to MFA-bypass, and how you can defend yourself from phishing attacks.

What is Phishing-as-a-Service?

Phishing is the most common way hackers steal your information and infect organizations with malware. Criminals send phishing emails and messages in an attempt to lure you to fake websites where they can capture sensitive data or trick you into downloading infected files.

Microsoft recently came across a phishing campaign that used over 300,000 newly created and unique subdomains in a single run. Their investigation exposed a large-scale phishing-as-a-service operation called BulletProofLink.

Today, just like any other software service, you can purchase phishing-as-a-service from underground providers. Like many SaaS brands, hackers offer services such as email templates, hosting, automation, and even a discount on your first order. Want to learn more? Just read the About Us page, subscribe to their newsletter, or check out some Vimeo tutorials. Today’s hacking groups are really ramping up their services for their nefarious customers!

By offering over 100 phishing templates that mimic well-known brands and services, BulletProofLink provides attacker groups with either one-off or monthly subscription-based phishing services. And like every successful ‘as-a-service’ brand, these operations generate a steady revenue stream due to high demand.

Dirt Cheap Phish Kits

Not sure you want a full phishing-as-a-service package? Why not try a phish kit for as little as $10? Or maybe you can even find one for free from a hacker that hacked a phish kit and posted it online for all the world to see.

A credential phishing kit enables even those with minimal technical skills to easily deploy an attack. The pre-packaged zip files contain all the code, graphics, and configuration required to generate convincing, but fake, emails and web pages. These easy to deploy, reusable phish kits enable a plethora of low-cost offerings. Spend a bit more, and you get an upgrade that includes email address lists, telephone numbers, and automated malware distribution software.

Who Are the Targets of Phishing Attacks?

Anyone and any organization that uses the Internet is a potential phishing-as-a-service target. It’s increasingly common to receive suspicious emails inviting you to visit a fake webpage. For example, it could be a copycat site that looks just like PayPal. From there, unsuspecting visitors share their login credentials with criminals.

Even the biggest names have been subject to phishing attacks. In one highly sophisticated scheme, scammers in Lithuania legally incorporated a company that mimicked Taiwan-based Quanta Computer, a legitimate business partner of Facebook and Google.

In the scam, conspirators sent phishing emails tweaked to look like genuine emails sent by actual Quanta employees. Fraudulent invoices were received by Facebook and Google who “regularly conducted multimillion-dollar transactions” with Quanta. Before the criminals were caught, more than $100 million had been paid to the fake company’s bank accounts over the course of two years.

Warning: New Phishing Attacks Can Bypass MFA 

Multi-factor authentication (MFA) is one way companies use to minimize phishing attack success rates. However, a recent analysis has revealed that MFA-bypass phishing kits are proliferating rapidly. These kits range from simple open-source readable code to highly advanced products that utilize various layers of obfuscation with built-in functionality for stealing credentials, MFA tokens, and other sensitive information.

MFA bypass phishing attacks started with consent phishing. This is when a criminal sends an email pretending to be a colleague or friend and sharing a file. When you click on the link, the email asks you to authorize Microsoft or another popular application to access your personal information. We’re all so desensitized to reading these disclaimers that appear on every app—and they ALL claim to need access to everything—most people just accept. The criminal then captures your consent token, and they happily access your account and try to move laterally. For some great screen shots and examples, read this article on consent phishing.

Why do these new MFA-bypass phishing kits escalate your risks? Phishing-as-a-service kits with MFA-bypass are relatively inexpensive and make it easy for people with limited technical skills to be successful cybercriminals. It quickly increases the number of bad actors that can bypass MFA security to steal information. How are new phishing MFA kits operating? These kits use transparent reverse proxies (TRPs) that enable attackers to insert themselves (man-in-the-middle attack style) into existing browser sessions. So, while the victim visits a legitimate business website, user activity is observed at all times. Lurking attackers can even steal session cookies, which can then be used later to gain access to targeted accounts without the need for a username, password, or MFA token.

Traditional phishing involves attackers creating imposter sites to trick victims into entering their credentials. But fake sites may not have the same look, feel, and navigability as the real thing. This can alert potential victims and scare them away. With TRPs, however, a legitimate site is used which enhances trust and boosts attack success rates—making these attacks even more worrisome.

How to Prevent Phishing Attacks

Technology is critical for effective cybersecurity. Still, the rise of low-cost phishing attacks and exploits that bypass MFA reveal that a holistic effort is required to remain secure. If you implement the following strategies, you can help prevent most, if not all, phishing attempts:

  • Carefully examine email sender addresses: Verify the sender by examining the “from” address closely. Even if the address checks out, read the content carefully as the sender account may have been hacked.
  • Beware of tempting subject lines: Hackers try to transmit a sense of urgency to get people to open emails, click on links, and download files. Beware of subject lines such as Urgent/Important, Attention: unusual account activity detected and Invoice Due – hackers frequently try to create a sense of urgency so you act quickly. Make sure you stop and think before you click.
  • Read carefully and keep your guard up: Do you notice a lot of spelling errors? Is the grammar off, or does the tone of the message seem odd? Is the sender making an unusual request? Are they saying not to tell anyone about the message? All of these are classic phishing giveaways.
  • Examine links carefully: Check out any link destination carefully. Beware especially of short links. Always try to verify the link destination before clicking. Try accessing the site directly if known or via verified search engine results.
  • When in doubt, confirm: If you have any concerns about a message or actions it asks you to take—especially requests for financial transactions or sensitive data sharing—verify the request using an alternate method of secure communication. If you get an email, verify it with a quick phone call. Even a fresh email might not be safe if the sender account was hacked.
  • Consider requiring IT authorization for third-party apps. For organizations that already have a structured app download process, one way to battle consent phishing is to enable the “administrator consent” workflows offered by some platforms. This enables IT to offer pre-approved lists of apps and vet new third-party app requests before users download them.

Anti-Phishing Training is Crucial to Combat MFA-Bypass Phishing

With new phishing-as-a-service MFA-bypass kits, stopping users from clicking is your best defense. While knowledge is power, practice makes perfect. Anyone can get caught off guard during a hectic workday. It takes practice to develop a keen eye for phishing clues. That’s why ongoing training is essential for robust anti-phishing security.

Why not get started now? Download our tip sheets and share them with your organization as valuable training resources below or contact us for pricing on monthly cybersecurity awareness training for your entire team.

How to Spot a Phishing Email – Detailed email analysis guide with helpful visuals.

How to Stop Phishing Attacks – Learn more about how to thwart this common type of attack.

About the Author

LMG Security Staff Writer