As of 2021, 78% of people use MFA, compared to just 28% in 2017. That rapid increase was initially problematic for cybercriminals before they changed tactics and adapted.
Security researchers are warning of a new threat that’s only likely to become more severe as time goes on: Hackers who publish phishing kits are beginning to add multi-factor authentication bypassing capabilities to their software.
Phishing kits available for sale online range from “simple open-source kits with human-readable code and straightforward functionality to sophisticated kits utilizing numerous layers of obfuscation and built-in modules that allow for stealing usernames, passwords, MFA tokens, social security numbers, and credit card numbers. With MFA in the mix, fake pages are rendered useless: While an attacker may have a username and password, the second factor remains out of reach.
Now there is a new kind of kit that uses a transparent reverse proxy to act as a man-in-the-middle instead of recreating a page. By intercepting all the traffic between a victim and their destination server, these transparent proxy MitM attacks allow the user to carry on without ever knowing that their credentials and session cookie has been stolen. Three phish kits have emerged as the big players in the transparent reverse proxy MitM sphere, Modlishka, Muraena/Necrobrowser, and Evilginx2. All were created for legitimate purposes, like penetration testing.

What to do?
– Users should be cautious of clicking on links attempting to capture credentials.
– Beware of unsolicited texts using high-pressure tactics that introduce urgency.
-Beware of anything that forces you to log in to unrelated services.
– Always treat a message offering ‘something for nothing,’ such as winning money, as suspect.

What can you do when this happens to you?
– If you find your network has been compromised, imme diately shut down.
– Identify the breach and type of virus or malware present.
– Identify any data which might have been compromised or stolen and inform appropriate parties.
– Rebuild the network from a known clean backup

Sources: Brandon Vigliarolo in Security, Tech RepublicJan 27
Hackers have begun adapting to wider use of multi-factor authentication | TechRepublic