In cybersecurity, defenders are often victims of their own success.
When enough organizations adopt a successful solution, threat actors adapt.
And this is still true today.
Our annual State of the Threat Report highlighted a notable rise in adversary-in-the-middle (AiTM) attacks.
You could see this as a positive step, resulting from wider use of MFA.
But another driver for this growth is the ease and availability of access to the necessary software.
Director of Threat Intelligence in the Counter Threat Unit at Secureworks, a Sophos Company.
Increasingly we’re seeing these attacks take the form of AiTM phishing attacks.
AiTM attacks, however, build on conventional phishing and take it a step further.
By luring victims to authenticate through this server, threat actors can steal the resulting access token.
In practice, it looks like this: an individual receives a phishing email that looks legitimate.
However, victims are taken to this website via a malicious reverse proxy server.
And this is where AiTM attacks really differ from traditional phishing.
In the case of AiTM, the malicious proxy server sees both the token and user credentials.
Popular kits include Evilginx3, EvilProxy and Tycoon 2FA.
However, AiTM enables the theft of authenticated session cookies.
These can be used directly in additional fraud and extortion including business email compromise, data theft extortion and ransomware.
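The mechanism described above leaves a trace a defender can look for: the sign-in is relayed by the proxy, and the stolen cookie is then presented from somewhere else while the session stays authenticated. The following is an added example, not code from the article or from Secureworks, showing that check run over a constructed, simplified log; the field names are assumptions, and a real identity provider's sign-in and activity logs would need mapping onto them first.

```python
"""Flag session cookies that are used from a source other than the one that signed in.

Added example, not code from the article or from Secureworks. The log shape
below is a constructed simplification; a real identity provider's sign-in and
activity logs would need to be mapped onto these fields first.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress


@dataclass
class Event:
    ts: datetime
    user: str
    session_id: str
    kind: str        # "signin" (credentials + MFA completed) or "activity" (cookie presented)
    src_ip: str
    user_agent: str


@dataclass
class Finding:
    session_id: str
    user: str
    signin_ip: str
    replay_ip: str
    reasons: list


def _same_network(ip_a: str, ip_b: str, v4_prefix: int = 24, v6_prefix: int = 64) -> bool:
    """Treat small moves inside one network (NAT pools, carrier-grade NAT) as benign."""
    a, b = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
    if a.version != b.version:
        return False
    prefix = v4_prefix if a.version == 4 else v6_prefix
    net_a = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
    net_b = ipaddress.ip_network(f"{b}/{prefix}", strict=False)
    return net_a == net_b


def detect_session_replay(events, window: timedelta = timedelta(hours=12)):
    """Return one Finding per session whose cookie is presented, within `window`
    of sign-in, from a different network than the sign-in came from."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e.session_id].append(e)

    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e.ts)
        signins = [e for e in evs if e.kind == "signin"]
        if not signins:
            continue            # no sign-in in this log slice; nothing to compare against
        origin = signins[0]
        for e in evs:
            if e.kind != "activity" or not (origin.ts <= e.ts <= origin.ts + window):
                continue
            if _same_network(origin.src_ip, e.src_ip):
                continue
            reasons = ["cookie presented from a different network than the sign-in"]
            if e.user_agent != origin.user_agent:
                reasons.append("user agent changed between sign-in and cookie use")
            findings.append(Finding(sid, e.user, origin.src_ip, e.src_ip, reasons))
            break               # one finding per session is enough for triage
    return findings


# Constructed sample log: s-1 is an ordinary session, s-2 is signed in once and
# then its cookie is presented from an unrelated address with a different client.
T0 = datetime(2024, 5, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "alice", "s-1", "signin", "198.51.100.20", "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"),
    Event(T0 + timedelta(minutes=5), "alice", "s-1", "activity", "198.51.100.21", "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"),
    Event(T0 + timedelta(minutes=1), "bob", "s-2", "signin", "203.0.113.7", "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"),
    Event(T0 + timedelta(minutes=40), "bob", "s-2", "activity", "192.0.2.99", "python-requests/2.31"),
]

if __name__ == "__main__":
    for f in detect_session_replay(SAMPLE_EVENTS):
        print(f"{f.user} session {f.session_id}: {f.signin_ip} -> {f.replay_ip}; " + "; ".join(f.reasons))
```

The /24 tolerance keeps ordinary address churn behind NAT from paging anyone; in production the comparison is usually made on ASN or on a sign-in risk score rather than raw prefixes, and a hit is a triage lead (revoke the session, check mailbox rules) rather than proof of compromise on its own.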
Preventing AiTM threats
Before anyone panics, this isn't a reason to get rid of MFA.
However, it’s important to have tools in place that are robust enough for changing threats.
Phishing-resistant MFA is built on standards like FIDO2 and goes deeper than traditional MFA.
The attack infrastructure is essentially transparent.
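What makes FIDO2 phishing-resistant is that the browser, not the page, writes the real origin into the signed client data, and the relying party refuses anything signed for another origin or relying-party id. The following is an added example, not code from the article or from any WebAuthn library: it models the browser's side of a sign-in from a direct visit and from a lookalike proxy domain, and runs the relying-party checks that reject the latter. The relying-party id, origins and challenge are assumed values, and the public-key signature check is left out with a comment where it belongs.

```python
"""Relying-party checks that make a FIDO2/WebAuthn sign-in fail when it is
relayed through a phishing proxy on another domain.

Added example, not code from the article or from any WebAuthn library. The
relying-party id, origins and challenge are assumed values; the signature
check over authenticatorData || SHA-256(clientDataJSON) is left out and
marked where it would go.
"""
import base64
import hashlib
import json

RP_ID = "accounts.example.com"                       # assumed relying-party id
ALLOWED_ORIGINS = {"https://accounts.example.com"}   # assumed legitimate origin(s)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_assertion(page_origin: str, challenge: bytes) -> tuple:
    """Model of what a browser hands back from navigator.credentials.get().

    The browser fills `origin` from the document's real origin and derives
    rpIdHash from the page's effective domain; a page cannot request an rpId
    that is not a registrable suffix of its own host."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": page_origin,
        "crossOrigin": False,
    }).encode()
    host = page_origin.split("://", 1)[1].split(":", 1)[0]
    rp_id_hash = hashlib.sha256(host.encode()).digest()
    flags = b"\x05"                      # UP (user present) + UV (user verified)
    sign_count = (1).to_bytes(4, "big")
    authenticator_data = rp_id_hash + flags + sign_count
    return client_data, authenticator_data


def verify_assertion(client_data_json: bytes, authenticator_data: bytes, expected_challenge: bytes) -> tuple:
    """Relying-party side of the assertion checks; returns (accepted, reason)."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge does not match the one this server issued"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not an allowed origin"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not authenticator_data[32] & 0x01:
        return False, "user-presence flag not set"
    # Signature check goes here: verify the authenticator's signature over
    # authenticator_data + sha256(client_data_json) with the registered public key.
    # Because the signed message commits to clientDataJSON, a proxy cannot rewrite
    # `origin` without invalidating the signature.
    return True, "ok"


CHALLENGE = b"constructed-32-byte-challenge!!!"   # constructed; real servers use random bytes


def demo() -> dict:
    """Run one direct sign-in and one relayed through a lookalike proxy domain."""
    results = {}
    for label, origin in [("direct", "https://accounts.example.com"),
                          ("via-proxy", "https://accounts-example.com")]:
        cd, ad = browser_assertion(origin, CHALLENGE)
        results[label] = verify_assertion(cd, ad, CHALLENGE)
    return results


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print(f"{label:10s} accepted={ok} ({reason})")
```

Contrast this with a TOTP or push code, which carries no notion of where it was typed: the proxy forwards it unchanged and the real site cannot tell. Here the proxy's own origin is baked into the signed data, so even a perfectly transparent relay produces an assertion the relying party will not accept.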
But there are strategies that can help employees remain secure.
Encourage them to think about the initial interaction: Did they receive an email that prompted an urgent action?
If they are being asked to follow links and authenticate, they should question whether the context is normal.
If there's any doubt, they should feel empowered to raise it with the internal team.
Above all, encourage employees to always be cautious and curious.
The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.