If you have two-factor authentication (2FA) enabled on your account, you can’t be compromised, right?
Well, not exactly. As technology advances, so do the attackers. Phishing attacks have become more sophisticated and attackers are finding ways to bypass 2FA. The reason why is because of the delicious cookies stored in your browser. Session cookies are a way to show the server that the user has already authenticated. This includes passing the 2FA challenge. Your browser can use these cookie until it’s passed its sell-by date (Sorry). Once the cookie has expired, you will be asked to re-authenticate.
It depends on the application, but some may have stronger restrictions than others.
These include:
- A single use cookie.
- Restricted by IP, device or some sort of fingerprint.
- Linked to another element which validates the cookie (Anti-Spoofing).
This isn’t the case for all though and this is what attackers are exploiting. Services like Outlook, Gmail and social networking platforms all allow the cookie to be reused. The attacker just needs a way of extracting them.
To show you how it works, I’m going to be using a browser extension called EditThisCookie: http://www.editthiscookie.com/
You don’t need a fancy extension to be able to see and view your cookies. If you hit F12 in your browser (developer), you can see the cookies being used under Application > Storage.
The problem is, you don’t have an easy way to extract them. Sure, you can copy and paste but this is long winded and is prone to errors. This is where Cookie Editors make life easier. With EditThisCooke, we can simply export and import cookies into different browsers.
Using Outlook.com as an example. We first login to our account.
Once our password is entered, we approve the MFA prompt.
And now we are in. Below you can see that I’m using two browsers. On the left, I have logged into Outlook using Chrome. On the right, you can see that I’m not logged into Outlook and are using Firefox. Remember that cookies are browser specific.
With EditThisCookie, I can export my Outlook cookie from Chrome…
…and import them into Firefox. As you can see, I’m still not logged in.
Once imported, I hit the Outlook site again and I’m logged in. This is because Firefox used my imported cookie to prove that I have already authenticated.
Once imported, I hit the Outlook site again and I’m logged in. This is because Firefox used my imported cookie to show that I have already authenticated.
This was done on the same device however, this also works if I used another. If I exported the cookie on device 1 and imported them into device 2, I would get the same result (Application dependent).
This is basically what attackers are now exploiting. You may be thinking, how are they going to get access to my device though?
The answer is they are not trying to. Although I’m sure this could be achieved, it’s pretty low risk. An attacker could extract the cookie using some sort of script or Rubber Ducky but it’s unlikely. Instead, they are wanting you to come to them.
This is where EvilGinx2 comes into play: https://github.com/kgretzky/evilginx2
EvilGinx2 is a proxy/phishing tool which can extract your session cookie. It does this by creating a Phishing site and which tricks you into entering your credentials, including the 2FA challenge.
EvilGinx2 is a proxy/phishing tool which can extract your session cookie. It does this by creating a Phishing site and which tricks you into entering your credentials, including the 2FA challenge.
Once the user has been fooled, Evilginx saves the token, allowing the attacker to extract and import it into their browser of choice. This whole process defeats the 2FA prompts as the server read the cookie and assume the user has already been authenticated. As I mentioned above, some application has restriction on cookies. The benefit of Evilginx is that the source of the authentication will be the Evilginx server. Meaning, the attack could use a browser on the server itself and bypass any IP and device restrictions. Remember, the session cookie would record the source as the Evilginx server and not your client.
The develop created the video below to explain how it works.
So, what can you do to protect against this type of attack?
Well, the one flaw with this attack is that the DNS record will have to be convincing in order to trick todays users. The attacker will look to host Evilginx on a web server that is accessible to all. This will require the attacker to setup an external IP and DNS record. Because of this, they won’t be able to use any of Microsofts official domains. This goes for Google and any other site which has a Phishlet. Attackers will have to use techniques described in my past post: https://ctrlaltdel.blog/2019/07/11/how-the-phishers-phish/
The simplest way to fight this is by education. Now that attackers are using HTTPS to seem genuine, we will really need to be checking the URL before entering our credentials.
Hope this article helpful for you. Thank You
If You Appreciate What We Do Here On Hackonology, You Should Consider:
Hackonology is the fastest growing and most trusted community site where you can find lots of courses, articles about Technology/Hacking/Cracking. Millions of people visit Hackonology! to search or browse the thousands of published articles available FREELY to all.
Let's be a part of Hacker's Community! Join our Hacking Team
We Are Indian We Are Great
Marketing de teor é fenômeno da internet.
Greetings from Ohio! I’m bored to tears at work so I decided to check out your website
on my iphone during lunch break. I love the info you present here
and can’t wait to take a look when I get home. I’m surprised at how quick your blog loaded on my mobile ..
I’m not even using WIFI, just 3G .. Anyhow, awesome blog!
I’ve been browsing online more than 2 hours today, yet I never found any interesting article like yours.
It is pretty worth enough for me. In my opinion,
if all website owners and bloggers made good content as you did, the internet
will be much more useful than ever before. Hello just wanted to
give you a quick heads up. The words in your content seem to be running off the screen in Internet explorer.
I’m not sure if this is a formatting issue or something to
do with browser compatibility but I figured I’d post to let you know.
The layout look great though! Hope you get the issue fixed soon. Many thanks http://porsche.com
Vorschub leistet die Ideologie der Daten.
Fotos, die uns von den Teilnehmern gemailt bzw.
Appreciate the recommendation. Let me try it
out.
I absolutely love your website.. Pleasant colors & theme.
Did you make this amazing site yourself? Please reply back as I’m
trying to create my very own website and would like to learn where you got this from or
exactly what the theme is named. Appreciate it!
Thank you a lot for sharing this with all of us you really understand what you’re talking about!
Bookmarked. Kindly also talk over with my website =).
We will have a link change agreement between us
It’s very easy to find out any topic on web
as compared to books, as I found this paragraph
at this web site.
I have been browsing online more than three
hours today, yet I never found any interesting article like yours.
It’s pretty worth enough for me. In my view, if all website owners and bloggers made
good content as you did, the web will be a lot more useful
than ever before.
I hope that you won’t stop writing such interesting articles. I’m waiting for more of your content. It’s so good that i’m going follow you!
In fact nno matter if sօmeone doesn’t understand afterward iits uup
to ߋther users thɑt they will assist, so here itt occurs.
Іf you desire to improve үour know-how simply keep visіting this
web page and be updɑtеd with the hottest informɑtion posteԁ
here.
Heya i am fօr tthe first time here. I came across this board and
I find It really uѕeful & iit helрed me out much. I
hope tօ give sometһіng back and help otrhers like yoᥙ heⅼlped me.
I blog quite often and I genuinely appreciate your content.
The article has really peaked my interest. I’m going
to book mark your site and keep checking for new information about once a week.
I opted in for your RSS feed as well.
Pingback: Google
Hi to every single one, it’s truly a pleasant for me to pay a quick visit
this web site, it consists of precious Information.
I know this if off topic but I’m looking into starting my own weblog and was curious what all is required to get setup?
I’m assuming having a blog like yours would cost a pretty penny?
I’m not very web savvy so I’m not 100% sure.
Any tips or advice would be greatly appreciated. Kudos
Awesome Website!!
I love this and i bookmark it right now.
keep sharing blog like this.
Thanks
Wonderful goods from you, man. I’ve understand your stuff previous to and you are just
extremely magnificent. I actually like what you’ve acquired here, really like what you are stating and the way in which you say it.
You make it entertaining and you still care for
to keep it sensible. I can not wait to read much more from you.
This is really a great web site.
Pingback: Google
I loved as much as you will receive carried out right here.
The sketch is attractive, your authored material stylish.
nonetheless, you command get bought an impatience over that you wish be delivering
the following. unwell unquestionably come more formerly again since exactly the same nearly very often inside
case you shield this hike.
Right here is the right site for anyone who wishes to find out about this topic.
You know so much its almost tough to argue with you (not that I actually will need to…HaHa).
You certainly put a new spin on a subject that’s been written about for many
years. Excellent stuff, just wonderful!
I am genuinely glad to read this webpage posts which contains lots
of helpful information, thanks for providing these information.
Your means of telling all in this paragraph is genuinely good, every one can effortlessly
understand it, Thanks a lot.