Med-Mastodon

John LeonardPhishing-as-a-service is an area that is increasing rapidly according to research by security vendor Barracuda Networks, which says it has detected a “massive spike” in PhaaS attacks in the first two months of this year.<a href="https://www.computing.co.uk/news/2025/security/massive-spike-in-phishing-as-a-service-attacks-in-2025-research" rel="nofollow noopener" translate="no" target="_blank">https://www.computing.co.uk/news/2025/security/massive-spike-in-phishing-as-a-service-attacks-in-2025-research</a><a href="https://mastodon.social/tags/phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#phishing</a> <a href="https://mastodon.social/tags/phaas" class="mention hashtag" rel="nofollow noopener" target="_blank">#phaas</a> <a href="https://mastodon.social/tags/tycoon2fa" class="mention hashtag" rel="nofollow noopener" target="_blank">#tycoon2fa</a> <a href="https://mastodon.social/tags/evilproxy" class="mention hashtag" rel="nofollow noopener" target="_blank">#evilproxy</a> <a href="https://mastodon.social/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosec</a> <a href="https://mastodon.social/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybersecurity</a> <a href="https://mastodon.social/tags/barracuda" class="mention hashtag" rel="nofollow noopener" target="_blank">#barracuda</a> <a href="https://mastodon.social/tags/technews" class="mention hashtag" rel="nofollow noopener" target="_blank">#technews</a>

Erik van Straten<a href="https://infosec.exchange/@patrickcmiller" class="u-url mention" rel="nofollow noopener" target="_blank">@patrickcmiller</a> : oops, from <a href="https://www.csoonline.com/article/3810936/us-takes-aim-at-healthcare-cybersecurity-with-proposed-hipaa-changes.html" rel="nofollow noopener" translate="no" target="_blank">https://www.csoonline.com/article/3810936/us-takes-aim-at-healthcare-cybersecurity-with-proposed-hipaa-changes.html</a>:"the rollout of multi-factor authentication as a defense against phishing"What part of <a href="https://infosec.exchange/tags/Evil" class="mention hashtag" rel="nofollow noopener" target="_blank">#Evil</a> <a href="https://infosec.exchange/tags/Proxy" class="mention hashtag" rel="nofollow noopener" target="_blank">#Proxy</a> do these people not understand?<a href="https://infosec.exchange/tags/EvilProxy" class="mention hashtag" rel="nofollow noopener" target="_blank">#EvilProxy</a> <a href="https://infosec.exchange/tags/PhaaS" class="mention hashtag" rel="nofollow noopener" target="_blank">#PhaaS</a> <a href="https://infosec.exchange/tags/EvilGinx2" class="mention hashtag" rel="nofollow noopener" target="_blank">#EvilGinx2</a> <a href="https://infosec.exchange/tags/Weak2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#Weak2FA</a> <a href="https://infosec.exchange/tags/WeakMFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#WeakMFA</a> <a href="https://infosec.exchange/tags/2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#2FA</a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#MFA</a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#Phishing</a> <a href="https://infosec.exchange/tags/TwoStepVerification" class="mention hashtag" rel="nofollow noopener" target="_blank">#TwoStepVerification</a> <a href="https://infosec.exchange/tags/FakeWebsite" class="mention hashtag" rel="nofollow noopener" target="_blank">#FakeWebsite</a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#AitM</a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#MitM</a>

Erik van Straten<a href="https://mastodon.nl/@jasper" class="u-url mention" rel="nofollow noopener" target="_blank">@jasper</a> : okay, ik heb geprofiteert van een "sponsored item" ;-)Maar met de stukjes die ik aanhaalde ben ik het volledig eens.Als ik dan zie dat de Radboud Universiteit nu MFA verplicht (voor eduVPN: <a href="https://www.ru.nl/over-ons/nieuws/veiliger-inloggen-bij-eduvpn" rel="nofollow noopener" translate="no" target="_blank">https://www.ru.nl/over-ons/nieuws/veiliger-inloggen-bij-eduvpn</a>) dan heb ik toch sterk mijn twijfels (SMS toestaan is helemaal opmerkelijk). Als ik het goed begrijp is eduVPN gebaseerd op OpenVPN, met als basis een sterke private key op jouw device. Als dat device gecompromitteerd is ben je meestal sowieso de Sjaak.MFA (of 2FA) is symptoombestrijding voor zwakke en/of hergebruikte wachtwoorden, en introduceert een berg nieuwe problemen (die de meeste voorstanders luidkeels verzwijgen).Mocht iemand toch een TOTP app willen gebruiken, blijf dan ver weg bij Authy (een privacy- en security-drama [1]). AEGIS is open source. Denk er wel om dat je zelf betrouwbare backups van de bijbehorende database (*) moet maken.(*) In die database zitten "shared secrets", per account een uniek soort "wachtwoord" dat zowel jouw app als de server met jouw account "kennen". De app "verhaspelt" dat geheim met de actuele datum en tijd, en kort het resultaat in tot een beperkt aantal cijfers; de server doet precies hetzelfde (de server doet dat meestal voor verschillende tijdstippen omtreeks het huidige, omdat klokken soms onvoldoende gelijk lopen).[1] <a href="https://security.nl/posting/796625" rel="nofollow noopener" translate="no" target="_blank">https://security.nl/posting/796625</a> en specifiek m.b.t. Authy: <a href="https://tweakers.net/nieuws/207532/#r_18549330" rel="nofollow noopener" translate="no" target="_blank">https://tweakers.net/nieuws/207532/#r_18549330</a> (sinds ik daar weg ben en geen ErikvanStraten meer heet, zijn al mijn reacties ooit op die site te herkennen aan "Anoniem: 1576590").<a href="https://infosec.exchange/tags/Authy" class="mention hashtag" rel="nofollow noopener" target="_blank">#Authy</a> <a href="https://infosec.exchange/tags/AEGIS" class="mention hashtag" rel="nofollow noopener" target="_blank">#AEGIS</a> <a href="https://infosec.exchange/tags/TOTP" class="mention hashtag" rel="nofollow noopener" target="_blank">#TOTP</a> <a href="https://infosec.exchange/tags/2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#2FA</a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#MFA</a> <a href="https://infosec.exchange/tags/SMS" class="mention hashtag" rel="nofollow noopener" target="_blank">#SMS</a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#AitM</a> <a href="https://infosec.exchange/tags/EvilGinx2" class="mention hashtag" rel="nofollow noopener" target="_blank">#EvilGinx2</a> <a href="https://infosec.exchange/tags/EvilProxy" class="mention hashtag" rel="nofollow noopener" target="_blank">#EvilProxy</a>

Erik van Straten<a href="https://infosec.exchange/@adamshostack" class="u-url mention" rel="nofollow noopener" target="_blank">@adamshostack</a> : not taking into account that I strongly advise against using weak MFA (because it it not phishing-resistant and comes with a lot of disadvantages "security experts" want nobody to know about):yes.See <a href="https://www.oasis.security/resources/blog/oasis-security-research-team-discovers-microsoft-azure-mfa-bypass" rel="nofollow noopener" translate="no" target="_blank">https://www.oasis.security/resources/blog/oasis-security-research-team-discovers-microsoft-azure-mfa-bypass</a> (yesterday). Source: <a href="https://infosec.exchange/@AAKL/113634744971043868" rel="nofollow noopener" translate="no" target="_blank">https://infosec.exchange/@AAKL/113634744971043868</a>In short (if I understand correctly) Microsoft's servers would accept codes in a time window for upto 3 minutes. This enabled the researchers to conduct a brute force attack.<a href="https://infosec.exchange/tags/WeakMFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#WeakMFA</a> <a href="https://infosec.exchange/tags/Weak2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#Weak2FA</a> <a href="https://infosec.exchange/tags/TOTP" class="mention hashtag" rel="nofollow noopener" target="_blank">#TOTP</a> <a href="https://infosec.exchange/tags/SMS" class="mention hashtag" rel="nofollow noopener" target="_blank">#SMS</a> <a href="https://infosec.exchange/tags/Voice" class="mention hashtag" rel="nofollow noopener" target="_blank">#Voice</a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#MFA</a> <a href="https://infosec.exchange/tags/2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#2FA</a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#AitM</a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#MitM</a> <a href="https://infosec.exchange/tags/EvilProxy" class="mention hashtag" rel="nofollow noopener" target="_blank">#EvilProxy</a> <a href="https://infosec.exchange/tags/Evilginx2" class="mention hashtag" rel="nofollow noopener" target="_blank">#Evilginx2</a>

Erik van Straten<a href="https://cyberplace.social/@GossiTheDog" class="u-url mention" rel="nofollow noopener" target="_blank">@GossiTheDog</a> : it's not the lack of MFA that is the problem.Problem 1) is that a SPOF (*) is permitted access to data of millions (either directly or indirectly). This risk includes compromise of client devices.2) Weak MFA (+) does not prevent these attacks, because the SPOF may be phished into entering their credentials in a third party page that imitates the intended Citrix Netscaler.Please do not promote a flawed fix for bad passwords (2019: <a href="https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/all-your-creds-are-belong-to-us/ba-p/855124" rel="nofollow noopener" translate="no" target="_blank">https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/all-your-creds-are-belong-to-us/ba-p/855124</a>).(*) Single Point Of Failure(+) SMS, Voice, TOTP, Number Matchting, Location<a href="https://infosec.exchange/tags/AllYourCredsAreBelongToUs" class="mention hashtag" rel="nofollow noopener" target="_blank">#AllYourCredsAreBelongToUs</a> <a href="https://infosec.exchange/tags/MFAHadFailed" class="mention hashtag" rel="nofollow noopener" target="_blank">#MFAHadFailed</a> <a href="https://infosec.exchange/tags/AlexWeinert" class="mention hashtag" rel="nofollow noopener" target="_blank">#AlexWeinert</a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#MFA</a> <a href="https://infosec.exchange/tags/2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#2FA</a> <a href="https://infosec.exchange/tags/WeakMFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#WeakMFA</a> <a href="https://infosec.exchange/tags/NumberMatching" class="mention hashtag" rel="nofollow noopener" target="_blank">#NumberMatching</a> <a href="https://infosec.exchange/tags/AlexWeinert" class="mention hashtag" rel="nofollow noopener" target="_blank">#AlexWeinert</a> <a href="https://infosec.exchange/tags/Weinert" class="mention hashtag" rel="nofollow noopener" target="_blank">#Weinert</a> <a href="https://infosec.exchange/tags/SMS" class="mention hashtag" rel="nofollow noopener" target="_blank">#SMS</a> <a href="https://infosec.exchange/tags/TOTP" class="mention hashtag" rel="nofollow noopener" target="_blank">#TOTP</a> <a href="https://infosec.exchange/tags/EvilGinx2" class="mention hashtag" rel="nofollow noopener" target="_blank">#EvilGinx2</a> <a href="https://infosec.exchange/tags/EvilProxy" class="mention hashtag" rel="nofollow noopener" target="_blank">#EvilProxy</a> <a href="https://infosec.exchange/tags/PhaaS" class="mention hashtag" rel="nofollow noopener" target="_blank">#PhaaS</a>

Erik van StratenHoe de Politiehack precies heeft plaatsgevonden, weet ik niet.Wel weet ik dat veel "experts"hun kop in het zand steken of mij zelfs voor gek verklaren als ik schrijf dat:1) Het opzet is dat mensen op internet nep niet van echt kunnen onderscheiden (<a href="https://security.nl/posting/859906/Speculatie_over_Politie-hack" rel="nofollow noopener" translate="no" target="_blank">https://security.nl/posting/859906/Speculatie_over_Politie-hack</a>), en dat daar *dringend* iets aan gedaan moet worden;2) Zij aanraden om zwakke MFA (<a href="https://security.nl/posting/859561/MFA-2FA_is_als_peniciline" rel="nofollow noopener" translate="no" target="_blank">https://security.nl/posting/859561/MFA-2FA_is_als_peniciline</a>) te gebruiken in plaats van een wachtwoordmanager die op domeinnamen checkt;3) Onder hen er *zelfs* zijn die stellen dat we, op *dit* internet, EDIW veilig zouden kunnen gebruiken (reactie op een posting van Ivo Jansch, één van de architecten van EDIW: <a href="https://tweakers.net/nieuws/204138/#r_18249704" rel="nofollow noopener" translate="no" target="_blank">https://tweakers.net/nieuws/204138/#r_18249704</a>). Welliswaar met de opmerking dat er alternatieven moeten blijven bestaan (die er nu ook niet meer zijn voor communicatie met de overheid of met uw bank).Zie ook <a href="https://www.security.nl/posting/827137/Kopie-ID-Kap-Ermee#posting833162" rel="nofollow noopener" translate="no" target="_blank">https://www.security.nl/posting/827137/Kopie-ID-Kap-Ermee#posting833162</a>, bovenaan die pagina en <a href="https://www.security.nl/posting/833217/Internet-toenemende_impersonatie" rel="nofollow noopener" translate="no" target="_blank">https://www.security.nl/posting/833217/Internet-toenemende_impersonatie</a>.<a href="https://infosec.exchange/tags/Politiehack" class="mention hashtag" rel="nofollow noopener" target="_blank">#Politiehack</a> <a href="https://infosec.exchange/tags/Politie" class="mention hashtag" rel="nofollow noopener" target="_blank">#Politie</a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#MFA</a> <a href="https://infosec.exchange/tags/2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#2FA</a> <a href="https://infosec.exchange/tags/ZwakkeMFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#ZwakkeMFA</a> <a href="https://infosec.exchange/tags/Zwakke2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#Zwakke2FA</a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener" target="_blank">#DV</a> <a href="https://infosec.exchange/tags/Certificaten" class="mention hashtag" rel="nofollow noopener" target="_blank">#Certificaten</a> <a href="https://infosec.exchange/tags/LetsEncrypt" class="mention hashtag" rel="nofollow noopener" target="_blank">#LetsEncrypt</a> <a href="https://infosec.exchange/tags/LetsAuthenticateTheWebsiteFirst" class="mention hashtag" rel="nofollow noopener" target="_blank">#LetsAuthenticateTheWebsiteFirst</a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#AitM</a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#MitM</a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#Phishing</a> <a href="https://infosec.exchange/tags/EvilProxy" class="mention hashtag" rel="nofollow noopener" target="_blank">#EvilProxy</a> <a href="https://infosec.exchange/tags/PhaaS" class="mention hashtag" rel="nofollow noopener" target="_blank">#PhaaS</a> <a href="https://infosec.exchange/tags/Evilginx2" class="mention hashtag" rel="nofollow noopener" target="_blank">#Evilginx2</a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener" target="_blank">#EDIW</a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener" target="_blank">#EUDIW</a> <a href="https://infosec.exchange/tags/EC" class="mention hashtag" rel="nofollow noopener" target="_blank">#EC</a> <a href="https://infosec.exchange/tags/KopieID" class="mention hashtag" rel="nofollow noopener" target="_blank">#KopieID</a> <a href="https://infosec.exchange/tags/KopietjePaspoort" class="mention hashtag" rel="nofollow noopener" target="_blank">#KopietjePaspoort</a> <a href="https://infosec.exchange/tags/VideoIdent" class="mention hashtag" rel="nofollow noopener" target="_blank">#VideoIdent</a> (Bron van onderstaand plaatje: <a href="https://www.maxvandaag.nl/sessies/themas/media-cultuur/waarom-steken-we-ons-hoofd-in-het-zand-als-het-lastig-wordt/" rel="nofollow noopener" translate="no" target="_blank">https://www.maxvandaag.nl/sessies/themas/media-cultuur/waarom-steken-we-ons-hoofd-in-het-zand-als-het-lastig-wordt/</a>)

Erik van Straten<a href="https://xn--8r9a.com/@north" class="u-url mention" rel="nofollow noopener" target="_blank">@north</a> : SMS *is* 2FA, albeit weak.The problem with "something you know, are, or have" is that users are never told that it is essential that each factor used cannot be easily copied, stolen, guessed etc. or temporarily fall into the wrong hands (literally in this case).Another problem is that if you loose a factor, you may no longer have access to your account.So each factor must be strong, carefully kept secret and needs to be backupped. These are extreme requirements that nobody wants (you) to understand.P.S. both iPhones and Android phones can be configured to *not* show SMS texts (and most other possibly confidential information) on their screen when locked.P.P.S. Unlocked phones are vulnerable to Time Traveler TOTP attacks. An attacker with temporary access to an unlocked phone may change the system date/time to the future, read a TOTP code for a website, and restore correct system time. When the future arrives they can use your TOTP code at their leisure on their own device to log in to your account, and reuse it (within 30 sec.) if required to pwn your account.P.P.P.S. Weak 2FA/MFA does not prevent AitM (Attacker in the Middle) phishing attacks if the AitM uses Evilginx2 or some other "evil proxy" website.2019 "MFA had failed" (by Alex Weinert, Director of Identity Security at Microsoft) <a href="https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/all-your-creds-are-belong-to-us/ba-p/855124" rel="nofollow noopener" translate="no" target="_blank">https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/all-your-creds-are-belong-to-us/ba-p/855124</a><a href="https://infosec.exchange/@acut3hack" class="u-url mention" rel="nofollow noopener" target="_blank">@acut3hack</a> <a href="https://infosec.exchange/tags/2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#2FA</a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#MFA</a> <a href="https://infosec.exchange/tags/SMS" class="mention hashtag" rel="nofollow noopener" target="_blank">#SMS</a> <a href="https://infosec.exchange/tags/TOTP" class="mention hashtag" rel="nofollow noopener" target="_blank">#TOTP</a> <a href="https://infosec.exchange/tags/WeakMFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#WeakMFA</a> <a href="https://infosec.exchange/tags/Weak2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#Weak2FA</a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#AitM</a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#MitM</a> <a href="https://infosec.exchange/tags/EvilProxy" class="mention hashtag" rel="nofollow noopener" target="_blank">#EvilProxy</a> <a href="https://infosec.exchange/tags/Evilginx2" class="mention hashtag" rel="nofollow noopener" target="_blank">#Evilginx2</a> <a href="https://infosec.exchange/tags/TimeTravelerAttacks" class="mention hashtag" rel="nofollow noopener" target="_blank">#TimeTravelerAttacks</a> <a href="https://infosec.exchange/tags/TimeTravelAttacks" class="mention hashtag" rel="nofollow noopener" target="_blank">#TimeTravelAttacks</a> <a href="https://infosec.exchange/tags/PhaaS" class="mention hashtag" rel="nofollow noopener" target="_blank">#PhaaS</a>

Erik van StratenIn *2019*, Alex Weinert of Microsoft wrote in <a href="https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/all-your-creds-are-belong-to-us/ba-p/855124" rel="nofollow noopener" translate="no" target="_blank">https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/all-your-creds-are-belong-to-us/ba-p/855124</a>:«     MFA had failed.    [...]     All Authenticators Are Vulnerable     [...] »Today, as echoed in <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-enable-mfa-or-lose-access-to-admin-portals-in-october/" rel="nofollow noopener" translate="no" target="_blank">https://www.bleepingcomputer.com/news/microsoft/microsoft-enable-mfa-or-lose-access-to-admin-portals-in-october/</a>, Microsoft still insists that using weak MFA is a good idea.In <a href="https://azure.microsoft.com/en-us/blog/announcing-mandatory-multi-factor-authentication-for-azure-sign-in/" rel="nofollow noopener" translate="no" target="_blank">https://azure.microsoft.com/en-us/blog/announcing-mandatory-multi-factor-authentication-for-azure-sign-in/</a> Microsoft writes (on August 15):« As recent research [1] by Microsoft shows that multifactor authentication (MFA) can block more than 99.2% of account compromise attacks, making it one of the most effective security measures available, today’s announcement brings us all one step closer toward a more secure future. »From that same article, "solutions" with (nearly as weak as SMS) "Microsoft Authenticator" is at the TOP of their list:« Organizations have multiple ways to enable their users to utilize MFA through Microsoft Entra:• Microsoft Authenticator [...] • FIDO2 security keys [...] • Certificate-based authentication [...] • Passkeys [...] • Finally, and this is the least secure version of MFA, you can also use a SMS or voice approval [...] »From [1] (PDF) = <a href="https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW166lD?culture=en-us" rel="nofollow noopener" translate="no" target="_blank">https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW166lD?culture=en-us</a> , no date of the "investigation period" to be seen *anywhere*, and one of the authors being Alex Weinert, more extreme percentages (approved by Microsoft's marketing dept):« Our findings reveal that MFA implementation offers outstanding protection, with over 99.99% of MFA-enabled accounts remaining secure during the investigation period. Moreover, MFA reduces the risk of compromise by 99.22% across the entire population and by 98.56% in cases of leaked credentials. »Dear reader: please stop buying Microsoft BS that completely ignores PhaaS.To name a few examples:🚨 "Experts agree [*] that setting up two-factor authentication (2FA) İs one of the most powerful ways to protect your account from getting hacked. However, hackers like COLDRIVER and COLDWASTREL may try to trick you into entering your second factor; we have seen attackers successfully compromise a victim who had enabled 2FA." - (PDF) <a href="https://www.accessnow.org/wp-content/uploads/2024/08/Spearphishing-cases-in-Eastern-Europe-2022-2024-technical-brief.pdf" rel="nofollow noopener" translate="no" target="_blank">https://www.accessnow.org/wp-content/uploads/2024/08/Spearphishing-cases-in-Eastern-Europe-2022-2024-technical-brief.pdf</a>[*] Not me. My tip is here: <a href="https://infosec.exchange/@ErikvanStraten/112724966066248808" rel="nofollow noopener" translate="no" target="_blank">https://infosec.exchange/@ErikvanStraten/112724966066248808</a>🚨 EvilGinx2: "Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication" - <a href="https://github.com/kgretzky/evilginx2" rel="nofollow noopener" translate="no" target="_blank">https://github.com/kgretzky/evilginx2</a> (there are more, like Modlishka, Muraena, CredSniper, EvilProxy (Phaas), NakedPages etc.)🚨 Not even a fake website needed: <a href="https://www.bleepingcomputer.com/news/security/new-greatness-service-simplifies-microsoft-365-phishing-attacks/" rel="nofollow noopener" translate="no" target="_blank">https://www.bleepingcomputer.com/news/security/new-greatness-service-simplifies-microsoft-365-phishing-attacks/</a>🚨 From <a href="https://mrd0x.com/attacking-with-webview2-applications/" rel="nofollow noopener" translate="no" target="_blank">https://mrd0x.com/attacking-with-webview2-applications/</a>: « Bypass 2FA WebView2 also provides built-in functionality to extract cookies. This allows an attacker to extract cookies after the user authenticates into the legitimate website. This technique removes the need of having to spin up Evilginx2 or Modlishka but the obvious trade-off is that the user must execute the binary and authenticate. » In addition, from <a href="https://www.bleepingcomputer.com/news/security/clever-phishing-method-bypasses-mfa-using-microsoft-webview2-apps/" rel="nofollow noopener" translate="no" target="_blank">https://www.bleepingcomputer.com/news/security/clever-phishing-method-bypasses-mfa-using-microsoft-webview2-apps/</a>: « "Yubikeys can't save you because you're authenticating to the REAL website not a phishing website." mr.d0x » AND: « However, as mr.d0x admits and Microsoft pointed out in their response to our questions, this attack is a social engineering attack and requires a user to run a malicious executable. » Correct, but a local compromise does'nt protect you when you're using FIDO2 hardware keys or passkeys.🚨 From 2022: <a href="https://microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/" rel="nofollow noopener" translate="no" target="_blank">https://microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/</a>: « A large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites stole passwords, hijacked a user’s sign-in session, and skipped the authentication process even if the user had enabled multifactor authentication (MFA). »🚨 "Phishing with Cloudflare Workers: Transparent Phishing and HTML Smuggling" - <a href="https://www.netskope.com/blog/phishing-with-cloudflare-workers-transparent-phishing-and-html-smuggling" rel="nofollow noopener" translate="no" target="_blank">https://www.netskope.com/blog/phishing-with-cloudflare-workers-transparent-phishing-and-html-smuggling</a>🚨 "New EvilProxy Phishing Service Allowing Cybercriminals to Bypass 2-Factor Security" - <a href="https://thehackernews.com/2022/09/new-evilproxy-phishing-service-allowing.html" rel="nofollow noopener" translate="no" target="_blank">https://thehackernews.com/2022/09/new-evilproxy-phishing-service-allowing.html</a>🚨 From <a href="https://www.europol.europa.eu/media-press/newsroom/news/international-investigation-disrupts-phishing-service-platform-labhost" rel="nofollow noopener" translate="no" target="_blank">https://www.europol.europa.eu/media-press/newsroom/news/international-investigation-disrupts-phishing-service-platform-labhost</a>: « The investigation uncovered at least 40 000 phishing domains linked to LabHost, which had some 10 000 users worldwide. [...] LabRat was designed to capture two-factor authentication codes and credentials, allowing the criminals to bypass enhanced security measures. »🚨 "Security and Privacy Failures in Popular 2FA Apps" by Gilsenan et al. (USENIX 2023): <a href="https://www.usenix.org/conference/usenixsecurity23/presentation/gilsenan" rel="nofollow noopener" translate="no" target="_blank">https://www.usenix.org/conference/usenixsecurity23/presentation/gilsenan</a> The PDF can also be found here: <a href="https://github.com/blues-lab/totp-app-analysis-public" rel="nofollow noopener" translate="no" target="_blank">https://github.com/blues-lab/totp-app-analysis-public</a> (Aegis was one of the least problematic apps, and don't use Authy).This is what is wrong with weak MFA/2FA: You  o /|\  [device + browser] / \ | v [login.microsoftonline-aitm.com] | v [login.microsoftonline.com](no thanks to DV-certificates).<a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#AitM</a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#MitM</a> <a href="https://infosec.exchange/tags/EvilProxy" class="mention hashtag" rel="nofollow noopener" target="_blank">#EvilProxy</a> <a href="https://infosec.exchange/tags/PhaaS" class="mention hashtag" rel="nofollow noopener" target="_blank">#PhaaS</a> <a href="https://infosec.exchange/tags/Authenticator" class="mention hashtag" rel="nofollow noopener" target="_blank">#Authenticator</a> <a href="https://infosec.exchange/tags/TOTP" class="mention hashtag" rel="nofollow noopener" target="_blank">#TOTP</a> <a href="https://infosec.exchange/tags/OTP" class="mention hashtag" rel="nofollow noopener" target="_blank">#OTP</a> <a href="https://infosec.exchange/tags/MicrosoftAuthenticator" class="mention hashtag" rel="nofollow noopener" target="_blank">#MicrosoftAuthenticator</a> <a href="https://infosec.exchange/tags/Authy" class="mention hashtag" rel="nofollow noopener" target="_blank">#Authy</a> <a href="https://infosec.exchange/tags/Aegis" class="mention hashtag" rel="nofollow noopener" target="_blank">#Aegis</a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#Phishing</a> <a href="https://infosec.exchange/tags/WebView" class="mention hashtag" rel="nofollow noopener" target="_blank">#WebView</a> <a href="https://infosec.exchange/tags/AitB" class="mention hashtag" rel="nofollow noopener" target="_blank">#AitB</a> <a href="https://infosec.exchange/tags/MitB" class="mention hashtag" rel="nofollow noopener" target="_blank">#MitB</a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener" target="_blank">#Impersonation</a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#Authentication</a> <a href="https://infosec.exchange/tags/Trust" class="mention hashtag" rel="nofollow noopener" target="_blank">#Trust</a> <a href="https://infosec.exchange/tags/TrustWorthyNess" class="mention hashtag" rel="nofollow noopener" target="_blank">#TrustWorthyNess</a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener" target="_blank">#DV</a> <a href="https://infosec.exchange/tags/PasswordManager" class="mention hashtag" rel="nofollow noopener" target="_blank">#PasswordManager</a> <a href="https://infosec.exchange/tags/CheckDomainName" class="mention hashtag" rel="nofollow noopener" target="_blank">#CheckDomainName</a> <a href="https://infosec.exchange/tags/DomainNameCheck" class="mention hashtag" rel="nofollow noopener" target="_blank">#DomainNameCheck</a>

Erik van StratenDon't rely on 2FA!Instead use a trustworthy & secure pwmgr (password manager) that checks the domain name (like passkeys do implicitly) and, based on that, offers to autofill credentials.And: • Let the pwmgr generate random long unique passwords for each account;• Back up the pw db (database) after each change (and have multiple physical locations where those back ups are stored);• Know what to do when logging in to a website and your pwmgr comes up with *NOTHING* : don't search for credentials in de pw db for the website you were made to *believe* it is - it's fake.<<< The phishing page, for its part, urges the victim to sign in with Microsoft Outlook or Office 365 (now Microsoft 365) to view a purported PDF document. Should they follow through, fake sign-in pages hosted on Cloudflare Workers are used to harvest their credentials and multi-factor authentication (MFA) codes. >>> <a href="https://thehackernews.com/2024/05/new-tricks-in-phishing-playbook.html" rel="nofollow noopener" translate="no" target="_blank">https://thehackernews.com/2024/05/new-tricks-in-phishing-playbook.html</a><a href="https://infosec.exchange/@patrickcmiller" class="u-url mention" rel="nofollow noopener" target="_blank">@patrickcmiller</a> <a href="https://infosec.exchange/tags/2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#2FA</a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#MFA</a> <a href="https://infosec.exchange/tags/2FAFail" class="mention hashtag" rel="nofollow noopener" target="_blank">#2FAFail</a> <a href="https://infosec.exchange/tags/MFAFail" class="mention hashtag" rel="nofollow noopener" target="_blank">#MFAFail</a> <a href="https://infosec.exchange/tags/EvilProxy" class="mention hashtag" rel="nofollow noopener" target="_blank">#EvilProxy</a> <a href="https://infosec.exchange/tags/PhaaS" class="mention hashtag" rel="nofollow noopener" target="_blank">#PhaaS</a> <a href="https://infosec.exchange/tags/Cloudflare" class="mention hashtag" rel="nofollow noopener" target="_blank">#Cloudflare</a> <a href="https://infosec.exchange/tags/CloudflareWorkers" class="mention hashtag" rel="nofollow noopener" target="_blank">#CloudflareWorkers</a> <a href="https://infosec.exchange/tags/CyberCrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#CyberCrime</a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#Phishing</a> <a href="https://infosec.exchange/tags/2FAPhishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#2FAPhishing</a> <a href="https://infosec.exchange/tags/MFAPhishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#MFAPhishing</a>

Erik van Straten2FA (MFA) beschermt *niet* tegen steeds meer phishingaanvallen:<<<Tycoon 2FA operates as an adversary-in-the-middle (AitM) phishing kit. Its primary function is to harvest Microsoft 365 and Gmail session cookies. >>> <a href="https://www.proofpoint.com/us/blog/email-and-cloud-threats/tycoon-2fa-phishing-kit-mfa-bypass" rel="nofollow noopener" translate="no" target="_blank">https://www.proofpoint.com/us/blog/email-and-cloud-threats/tycoon-2fa-phishing-kit-mfa-bypass</a>U kunt zichzelf hier prima tegen beschermen, zonder passkeys of software van bijvoorbeeld Proofpoint te gebruiken: zie <a href="https://security.nl/posting/841126" rel="nofollow noopener" translate="no" target="_blank">https://security.nl/posting/841126</a><a href="https://infosec.exchange/tags/2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#2FA</a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#MFA</a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#AitM</a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#AitM</a> <a href="https://infosec.exchange/tags/Passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#Passkeys</a> <a href="https://infosec.exchange/tags/PasswordManager" class="mention hashtag" rel="nofollow noopener" target="_blank">#PasswordManager</a> <a href="https://infosec.exchange/tags/Passwords" class="mention hashtag" rel="nofollow noopener" target="_blank">#Passwords</a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#Phishing</a> <a href="https://infosec.exchange/tags/PhaaS" class="mention hashtag" rel="nofollow noopener" target="_blank">#PhaaS</a> <a href="https://infosec.exchange/tags/EvilProxy" class="mention hashtag" rel="nofollow noopener" target="_blank">#EvilProxy</a> <a href="https://infosec.exchange/tags/EvilGinx" class="mention hashtag" rel="nofollow noopener" target="_blank">#EvilGinx</a> <a href="https://infosec.exchange/tags/EvilGinx2" class="mention hashtag" rel="nofollow noopener" target="_blank">#EvilGinx2</a> <a href="https://infosec.exchange/tags/Tycoon" class="mention hashtag" rel="nofollow noopener" target="_blank">#Tycoon</a> <a href="https://infosec.exchange/tags/Proofpoint" class="mention hashtag" rel="nofollow noopener" target="_blank">#Proofpoint</a>

securityaffairs<a href="https://infosec.exchange/tags/EvilProxy" class="mention hashtag" rel="nofollow noopener" target="_blank">#EvilProxy</a> used in massive cloud account takeover scheme <a href="https://securityaffairs.com/149348/hacking/cloud-account-takeover-scheme-evilproxy.html" rel="nofollow noopener" translate="no" target="_blank">https://securityaffairs.com/149348/hacking/cloud-account-takeover-scheme-evilproxy.html</a> <a href="https://infosec.exchange/tags/securityaffairs" class="mention hashtag" rel="nofollow noopener" target="_blank">#securityaffairs</a> <a href="https://infosec.exchange/tags/hacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#hacking</a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#phishing</a>

Taylor ParizoFrom the <a href="https://infosec.exchange/tags/EvilProxy" class="mention hashtag" rel="nofollow noopener" target="_blank">#EvilProxy</a> Telegram channel: It appears they're using <a href="https://auth.acme-dns.io/" rel="nofollow noopener" target="_blank">https://auth.acme-dns.io/</a> as their way of generating subdomains. "Hi friends, we have problem with add new domains in system bcs 3party website is down (<a href="https://auth.acme-dns.io" rel="nofollow noopener" target="_blank">https://auth.acme-dns.io</a>) if some one has info what's wrong with it share pls. we are looking for tmp solution."As of now the site is still down. Returning 404. <a href="https://infosec.exchange/@DomainTools" class="u-url mention" rel="nofollow noopener" target="_blank">@DomainTools</a> shows a pDNS record from the acme resolved IP that uses the same subdomain pattern seen in EvilProxy phishing campaigns. <a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener" target="_blank">#ThreatIntel</a> <a href="https://infosec.exchange/tags/ThreatHunting" class="mention hashtag" rel="nofollow noopener" target="_blank">#ThreatHunting</a> <a href="https://infosec.exchange/tags/DNS" class="mention hashtag" rel="nofollow noopener" target="_blank">#DNS</a> <a href="https://infosec.exchange/tags/OSINT" class="mention hashtag" rel="nofollow noopener" target="_blank">#OSINT</a>

Recent searches

Search options

Administered by:

Server stats:

#evilproxy