Phishing as a service is big business.

Hacking as a service has become a major boon area for cybercriminals, and has vastly expanded the scope and range of malware and attacks against victims. Such tools, which are either freely available or purchased for a cost, allow people without much technical know-how to launch attacks against innocent victims, earning money and vital data along the way.

Among those toolkits are MITM (man in the middle) phishing toolkits, which aim to snoop on the information transferred through the two-factor authentication process and to crack open access to an account without the victim really knowing. They’ve become more popular as two-factor authentication has become more prevalent, with everyday people believing it offers more security for the services they use.

However, the hackers are able to listen in on the transfer of data using man in the middle attacks, where they simply wait for authentication cookies that are required in two-factor authentication to be transferred to a user and hoover up them as they pass through.

Man in the middle attacks

Man in the middle attacks work in the same way that reverse proxies do. People looking to authenticate their login using two-factor authentication are visiting a legitimate website, but the traffic from that site is patched through the man in the middle, meaning that a copy of the authentication cookie required to actually make the two-factor authentication work is also sent to the hackers, who are then able to use that information to prise open an account.

Three of the major toolkits popular with cybercriminals are adapted from those developed by security researchers.

The three are called Evilginx, Muraena, and Modlishka. An analysis by academics at Stony Brook University looked at where those three toolkits – and their adaptations – are seen.

The team of academics developed a tool, which they called PHOCA, that is able to detect if a phishing site uses a reverse proxy rather than its traditional method. The use of a reverse proxy is meant to be an indication that something is amiss, and that two-factor authentication is being bypassed.

1,200 sites use such methods

“We capture data on 1,220 MITM phishing websites over the course of a year,” the academics write. “We discover that MITM phishing toolkits occupy a blind spot in phishing blocklists, with only 43.7% of domains and 18.9% of IP addresses associated with MITM phishing toolkits present on blocklists, leaving unsuspecting users vulnerable to these attacks.”

While such phishing toolkits are in use around the world, most instances are located in North America and Europe, the researchers explain, based on analysing their data. They also persist online for a long time.

More than 40% of man in the middle phishing websites the team analysed remained online for more than one day, with approximately 15% remaining online for over 20 days.

“Due to the ubiquitous presence of online services in our lives, phishing campaigns remain a constant threat,” the academics write. “Users who fall victim to these attacks face serious financial and personal repercussions due to the sensitive nature of stolen information. Furthermore, brands targeted by these attacks see a deterioration in their reputation among their user base, who may view a phishing campaign as a sign of insecure systems.”

It’s therefore vital that users report such issues if they see them – and that the companies operating the services that are victims of such phishing attacks also work proactively to try and tackle the problem at source, so that their reputation is not sullied.