Key Points:
- Adversary-in-the-middle (AiTM) phishing attacks are becoming an increasing security threat, despite the use of multi-factor authentication (MFA).
- AiTM attacks can bypass MFA by stealing One-time Passwords (OTPs) or session cookies, and are rapidly increasing in popularity.
- Organizations need to recognize the signs of AiTM attacks and be prepared to respond in real-time.
- Implementing Fast ID Online 2 (FIDO2) security keys can provide an additional layer of security, as they are almost immune to phishing attempts.
One of the most significant threats to business security is the rise of AiTM phishing attacks. Despite the introduction of MFA, which has traditionally been a critical defense strategy, AiTM attacks have found ways to circumvent these measures. By attacking other parts of the authentication chain, it is possible for AiTM to steal OTPs or session cookies, resulting in a compromised account.
This phishing technique is becoming increasingly popular among attackers aiming to bypass MFA measures. AiTM attacks work by automatically proxying a user’s credentials to the actual login page, providing the attacker with easy access to session cookies. In many instances, the attacker will also attempt to register an MFA device to maintain access after the session expires.
According to a study on the Expel customer base, the use of AiTM phishing has increased significantly, with session cookie theft accounting for 34% of alerts where a successful account compromise was identified. This represents a substantial increase from a rate of essentially 0% just one year previously. This underlines the need for businesses to recognize the signals of AiTM attacks and to respond rapidly.
Mitigating the risk of AiTM attacks requires more than just focus on prevention. Important damage control measures include detecting and responding to these attacks, resetting credentials, removing new MFA devices, and revoking sessions. Additionally, companies should monitor login attempts for any anomalies, such as logins from countries where the business has no presence, logins from non-compliant devices, or logins from untrusted IP spaces.
Although MFA remains a crucial defense against attacks, implementing FIDO2-based authentication can be an effective strategy to further enhance security. FIDO2 security keys utilize public key cryptography, preventing credentials from being used on phishing websites. Therefore, despite the challenges of implementing FIDO2, this should be prioritized, particularly for high-risk user roles and sensitive resources.
To effectively combat the increasing threat of AiTM attacks, organizations must take proactive, preventative action. This includes implementing FIDO2 authentication, improving detection capabilities with the help of phishing experts, and closely monitoring for suspicious logins.