Man-in-the-Middle Attacks
Assaf Reich
Intro
After we discussed OSINT, Phishing, and Spear-Phishing, Let’s try out a more involved attack vector and see how an open-source can be used to phish victims and steal their session credentials easily.
This is important in order to keep up to date with current attack tools and to learn how not to fall victim to them.
What is a Man-in-the-Middle Attack
MitM (Man-in-the-Middle) attacks are a type of cyberattack where the attacker plants itself between two network entities that communicate and exchange data. The attacker intercepts the data and manipulates it for their own benefit.
We can visualize this kind of attack by positioning the hacker between two people who want to communicate, we’ll call them Alice and Bob.
In this example, whenever Alice and Bob wish to communicate their messages will be intercepted by the hacker without them knowing anything.
An example of this attack method is an ARP spoofing attack, where the attacker sends forged ARP packets to each entity to impersonate the other. In the scenario above, the hacker would send the PC an ARP packet claiming to be the server, and send the server a packet claiming to be from the PC. After the hacker does this, every communication between the two would go through the attacker. There are many attacks that use this structure, such as DNS spoofing or email hijacking.
MFA Hijacking
One of the latest security features to be commonly integrated into our society is the practice of multi-factor authentication, that SMS message you get when you log in to your email from a new computer.
If you have this feature enabled, the devious cybercriminals who steal your password still won’t be able to log in to your account. In the eternal arms race of cyber warfare, attackers have developed several methods to bypass this practice, such as SIM swapping to intercept incoming SMS messages, or MFA fatigue, where they flood the user with MFA prompts until they confirm them (not incredibly clever, yet it works…). But the method we’ll discuss is quite simple, it just asks the user to enter their MFA code into a fake login screen that the attacker controls.
The difference between stealing passwords with a fake login screen and stealing MFA codes is that MFA codes generally have a short lifespan, once the MFA code is sent, it’s only valid for a few minutes. Therefore, it can’t just “sit” in the hacker’s DB until it’s sold on the dark web, the attacker must log in with the stolen creds to alter the login method or the confirmation SMS phone number.
Evilginx
Evilginx is a tool used for phishing with MitM capabilities. Evilginx intercepts credentials and steals users’ cookies. One of Evilginx’s greatest features is its ability to bypass multi-factor authentication. Most of us see MFA as unhackable, so it’s important to understand its faults.
To initiate the attack, the hacker sends a phishing link that leads to a phony login screen where the victim enters their credentials and their MFA code.
These fake login screens are called Phishlets and are fully customizable, so the attacker can set up a trap webpage pretending to be any number of legitimate websites, like Facebook, Google, or Microsoft.
Above, we can see a fake LinkedIn login screen I created using phishlet modules from ArchonLabs. If I distribute this link, someone might enter their Linkedin details and try to log in.
From the attacker’s side, we’ll get this message –
And now the attacker has my login credentials and my super-secret password.
If we set up a phishlet for an MFA enabled platform the login screen will lead to a secondary page that will ask for the MFA code as well, Which the attackers can use to login as me and manually keep the session cookies using a chrome extension or manually extracting them. With the session cookies saved, the hacker can login to my account whenever they please to simply reset my password to their liking.
How to avoid
First and foremost, a good old-fashioned keen eye can keep you safe from simple MitM attacks. In the example above, the URL is totally.legit.linkedin, which should be a pretty good indicator of its lack of authenticity. But even trickier domains like linkedln or linkeddin might not be detected so easily. This type of cyberattack is called typosquatting and relies on the user not paying attention.
Most browsers have a validity check for the site you’re entering, so it’s best to follow their recommendation and not continue into sites without a valid certificate.
Some sites have ‘geography checks’ that verify if your login is within a reasonable distance from your last one. This works—until the hacker uses a VPN and changes their location to your state.
Lastly, I’d recommend always enabling multi-factor authentication. It is a great defense mechanism that stumps hackers daily.
For active security checks, there are security products such as Cyvore.
Cyvore security protection.
Cyvore Security provides security checks on communication channels and can analyze and investigate links, domains, and behaviors. On top of that Cyvore also checks IP addresses against multiple databases, in order to validate them, helping eliminate impersonation attempts.
Simple tricks like typosquatting will be detected and the message that contains them will be flagged.
Going further, Cyvore can also check domain ownership to ensure the domain you’re venturing to is safe.
ending
Evilginx and other MitM tools are a common threat, and it’s important to learn how they work and how to detect them.
There are many cyberattack tools out in the wild being used every day, so staying informed is essential.
As always, I hope you enjoyed this article and that you learned something new!
Sources
Featured image by Freepik
https://github.com/ArchonLabs/evilginx2-phishlets
