Despite the increasing use of passkey technology by major tech companies, many online platforms remain vulnerable to Adversary-in-the-Middle (AitM) phishing attacks. Hackers favor AitM attacks because they’re cost-effective and successfully trick users into sharing sensitive information.
Insecure backup applications without strong encryption or proper verification can introduce vulnerabilities, especially if they are prone to social engineering or AitM tactics.
“An Adversary-In-The-Middle (AiTM) phishing attack intercepts and steals session cookies to gain unauthorized access to an account. During this attack, a hacker positions themselves between the user and the legitimate site, and captures authentication cookies that grant access to the site even if MFA is enabled.”
These attacks can break security measures like Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA) that ask for an extra verification step from another source.
The term adversary-in-the-middle is recognized in the MITRE ATT&CK® framework. Unlike traditional phishing attacks, AitM phishing doesn't need a specially crafted phishing website; instead, the victim's requests are relayed to and from the legitimate site, so the victim sees the real pages.
For example, in July 2022, Microsoft identified a phishing attack that exploited weaknesses in multi-factor authentication (MFA) to access users' email accounts. The attackers used an adversary-in-the-middle attack to steal session cookies and gain unauthorized entry to the victims' mailboxes. Subsequently, they carried out Business Email Compromise (BEC) attacks.
Let's discuss the two main methods for carrying out AitM phishing:
The first, and most common, is proxy-based: when a victim visits the malicious site, that site forwards the victim's browser traffic to the real website, receives the response, and passes it back to the victim. Because the real site answers every request, the victim sees genuine pages while the attacker sits on the path and captures what passes through.
The second method deceives the target into remotely controlling the attacker's browser through desktop screen-sharing tools such as VNC and RDP. As a result, the attacker obtains not only the username and password but also the other secrets and tokens associated with that login.
In this case the victim is not using a fake website or a proxy at all. Instead, they are unknowingly driving the attacker's browser to log in to the real application. In effect, the attacker controls the browser and tricks the victim into entering login details directly into it.
This technique is implemented using the open-source project noVNC, a JavaScript-based VNC client that enables VNC usage in the browser. An example of an offensive tool that utilizes this technique is EvilnoVNC. It creates Docker instances of VNC and provides access to them, while also recording keystrokes and cookies to aid in compromising accounts.
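The proxy method above fails against a passkey because the browser binds each WebAuthn assertion to the origin the user is actually on, and the relying party (RP) rejects anything else. The following added example (not code from the original article or from any project it mentions) shows the RP-side origin, RP ID and challenge checks on constructed inputs; `example.com`, the allowed origins, the challenge and the `proxy.invalid` placeholder are all assumptions, and signature verification is left out.

```python
import hashlib
import json

# Assumed relying party (RP) values for this example.
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}
CHALLENGE = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"  # constructed base64url challenge

def rp_id_hash(rp_id: str) -> bytes:
    """First 32 bytes of authenticatorData: SHA-256 of the RP ID the browser used."""
    return hashlib.sha256(rp_id.encode()).digest()

def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_challenge: str) -> tuple[bool, str]:
    """Origin / RP ID / challenge checks an RP runs on a WebAuthn assertion.
    Signature verification over authenticatorData || SHA-256(clientDataJSON)
    is omitted; it only matters once these checks pass."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin mismatch: {cd.get('origin')}"
    if authenticator_data[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    return True, "ok"

def build_inputs(origin: str, effective_domain: str) -> tuple[bytes, bytes]:
    """Constructed clientDataJSON and authenticatorData as a browser at `origin`
    would produce them (flags byte = UP set, signature counter = 7)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": CHALLENGE,
                              "origin": origin}).encode()
    auth_data = rp_id_hash(effective_domain) + b"\x01" + (7).to_bytes(4, "big")
    return client_data, auth_data

def legitimate_login() -> tuple[bool, str]:
    return check_assertion_binding(*build_inputs("https://login.example.com",
                                                 "example.com"), CHALLENGE)

def proxied_login() -> tuple[bool, str]:
    # Constructed proxy domain (".invalid" placeholder). The browser binds the
    # assertion to the page it is really on, so the RP sees a foreign origin.
    return check_assertion_binding(*build_inputs("https://proxy.invalid",
                                                 "proxy.invalid"), CHALLENGE)
```

In practice a browser on `proxy.invalid` refuses to run the ceremony for RP ID `example.com` at all; the check shows what the RP would reject even if one were produced. Note that this binding protects only the login step, not a session cookie issued afterwards.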
Attackers bypass passkeys by exploiting weaknesses in fallback authentication methods, typically by manipulating users into choosing a less secure option during the login process.
Even though passkeys are a secure alternative to passwords, session hijacking techniques like AitM attacks can still compromise accounts if session tokens are intercepted. This highlights the need to implement second-factor authentication properly and eliminate less secure options to prevent phishing attacks carried out through Adversary-in-the-Middle (AitM) tactics.
While passkeys increase security by reducing password reliance, AitM attacks can still compromise session cookies, which may allow unauthorized access if other mitigations like continuous authentication and token expiration policies are not in place.
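Session-side mitigations of the kind named above, binding a session to the client that logged in and enforcing a token lifetime, can be checked against session logs. The following added example (not code from the original article) runs both checks over a few constructed log lines; the log format, the session ids, the addresses and the four-hour lifetime are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed session-log lines (not from any real system): time, session id,
# client IP, user agent, event. A real deployment would parse its own format.
LOG_LINES = [
    "2024-05-01T09:00:00Z sess=a1b2 ip=203.0.113.10 ua=Firefox/125 event=login_ok",
    "2024-05-01T09:00:05Z sess=a1b2 ip=203.0.113.10 ua=Firefox/125 event=page",
    "2024-05-01T09:00:40Z sess=a1b2 ip=198.51.100.7 ua=Chrome/124 event=mailbox_export",
    "2024-05-01T09:01:00Z sess=c3d4 ip=192.0.2.55 ua=Safari/17 event=login_ok",
    "2024-05-01T13:30:00Z sess=c3d4 ip=192.0.2.55 ua=Safari/17 event=page",
]
MAX_SESSION_AGE = timedelta(hours=4)  # assumed token-lifetime policy

def parse(line: str) -> dict:
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def find_session_anomalies(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (timestamp, session id, reason) for each suspicious event.
    Two checks: the session is used by a client other than the one that
    logged in (a replayed cookie), or it is used past its allowed age."""
    bound: dict[str, tuple[str, str, datetime]] = {}
    findings: list[tuple[str, str, str]] = []
    for rec in map(parse, lines):
        sid, when = rec["sess"], rec["ts"].isoformat()
        if rec["event"] == "login_ok":
            bound[sid] = (rec["ip"], rec["ua"], rec["ts"])  # bind at login
            continue
        if sid not in bound:
            findings.append((when, sid, "session with no recorded login"))
            continue
        ip, ua, issued = bound[sid]
        if (rec["ip"], rec["ua"]) != (ip, ua):
            findings.append((when, sid,
                             f"client changed: {ip}/{ua} -> {rec['ip']}/{rec['ua']}"))
        if rec["ts"] - issued > MAX_SESSION_AGE:
            findings.append((when, sid, "token used past its lifetime"))
    return findings

if __name__ == "__main__":
    for finding in find_session_anomalies(LOG_LINES):
        print(*finding)
```

One caveat: when the login itself went through the attacker's proxy, the session is bound to the proxy's client attributes, so this check alone will not catch that case; it complements, rather than replaces, origin-bound credentials and short token lifetimes.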
While Microsoft's Entra ID offers businesses some protection through Conditional Access policies, consumer accounts often lack comparably strong safeguards. That gap becomes a problem during account recovery, for instance when a device fails or a passkey is lost. Password managers can help with passwords to some extent, but they also become another component the user's security depends on.
Current backup verification methods, such as document verification or weak secondary authentication, may pose risks if not secured properly against phishing and AitM vulnerabilities.
The development and sale of advanced phishing toolkits highlight the growing threat of identity-based cyberattacks. Data supports this observation:
Recent high-profile breaches highlight the lucrative opportunities for attackers who exploit employee identities to gain unauthorized access to online business tools. The Snowflake attacks, regarded as one of the most notorious breaches in history, are a major example of this alarming trend.
Attackers can now cause more harm with less effort than in the past. For instance, targeting an app like Snowflake for data theft involves far fewer steps than a traditional network intrusion.
SSO platforms can swiftly spread identity compromises across various applications and accounts. Identity attacks, especially AitM phishing, require precise defenses, as any delay in detection can lead to rapid compromise across accounts.