Reverse Proxy Phishing: The Sneaky New Attack Bypassing 2FA
As a Linux systems administrator and proxy server expert, I've seen my fair share of phishing attacks over the years. But none have been as stealthy and dangerous as the rise of reverse proxy phishing – a sneaky new technique that can completely bypass two-factor authentication (2FA).
In this in-depth blog post, I'll share my perspective on how reverse proxy phishing works, analyze real-world incidents and statistics, compare it to other phishing methods, and provide tips for fellow IT and security professionals to detect and prevent these attacks.
How Reverse Proxy Phishing Works
To understand how reverse proxy phishing attacks are carried out, let's first look at what a reverse proxy server is and how it works normally. A reverse proxy server sits in front of one or more web servers and forwards client requests to those servers, acting as an intermediary.
Reverse proxies are commonly used for load balancing, caching, and adding an extra layer of security in front of web applications. Popular open source tools for running reverse proxy servers include:
- NGINX
- HAProxy
- Apache Traffic Server
- Varnish
In a reverse proxy phishing attack, the threat actor stands up a reverse proxy on a domain they control, typically a lookalike of the target (a hyphenated, misspelled or differently suffixed variant), and points it at the legitimate website they wish to impersonate, such as a social media login page, webmail portal, or cryptocurrency wallet interface.
When the target clicks the phishing link, their browser connects to the attacker's domain. The proxy fetches the real site's content in real time, rewrites every reference to the real hostname so that links, form actions, redirects and cookies stay scoped to the phishing domain, and presents the result to the victim.
To the user the site looks and behaves exactly like the legitimate one, because it is the legitimate one, served one hop away. Behind the scenes the proxy terminates TLS, so it sees every request and response in plaintext and captures whatever the victim submits, including their login credentials.
Since the page content is authentic and the proxy serves it over HTTPS with a certificate that is perfectly valid for the attacker's own domain, the browser shows the padlock and the victim has little reason to be suspicious; the only visible tell is the hostname in the address bar. And because the proxy relays the real site's 2FA prompt to the user and the user's one-time code or push approval back to the real site, OTP-style 2FA is completed for a session the attacker controls.
The attacker does not even need to replay the one-time code, which the real site has already consumed. Once the login completes, the real site issues an authenticated session cookie, which passes through the proxy and is logged. Importing that cookie into their own browser gives the attacker the victim's session, already past 2FA, and they can take over the account from there.
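To make the relay concrete, here is an offline model of what a reverse proxy phishing kit does to each message. It is an added illustration for this article, not Modlishka's code or any real kit, and it opens no sockets: the four HTTP messages are constructed. Assumed names: login.example.com is the legitimate site, login-example.net is the attacker's lookalike domain, and the login form posts the fields username, password and otp.

```python
"""Offline model of what a reverse-proxy phishing kit does to each message.

Added illustration for this article, not Modlishka's code or any real kit.
All hostnames, form fields and HTTP messages are constructed.
"""
import re
from urllib.parse import parse_qs

REAL_HOST = "login.example.com"     # assumed legitimate site
PHISH_HOST = "login-example.net"    # assumed attacker-controlled lookalike
CAPTURE_FIELDS = ("username", "password", "otp")
DROP_HEADERS = {"strict-transport-security", "content-security-policy"}


def to_victim(text: str) -> str:
    """Rewrite the real hostname so links, form actions, redirects and cookie
    domains keep the victim's browser talking to the proxy."""
    return text.replace(REAL_HOST, PHISH_HOST)


def to_real_site(text: str) -> str:
    """Undo the rewrite on anything the victim sends back (Host header,
    redirect parameters) so the real site never sees the phishing hostname."""
    return text.replace(PHISH_HOST, REAL_HOST)


def relay_request(raw_request: str, captured: dict) -> str:
    """Victim -> proxy: record credential-looking form fields, then forward the
    request upstream with the Host header pointing at the real site."""
    head, _, body = raw_request.partition("\r\n\r\n")
    for name, values in parse_qs(body).items():
        if name in CAPTURE_FIELDS:
            captured[name] = values[0]
    return to_real_site(head) + "\r\n\r\n" + to_real_site(body)


def relay_response(raw_response: str, captured: dict) -> str:
    """Real site -> proxy: record any session cookie the site sets (issued only
    after 2FA succeeded, so it is the real prize), drop security headers that
    would break the rewritten page, then rewrite hostnames for the victim."""
    head, _, body = raw_response.partition("\r\n\r\n")
    kept = []
    for line in head.split("\r\n"):
        name, _, value = line.partition(":")
        if name.lower() == "set-cookie":
            m = re.match(r"\s*([^=;]+)=([^;]*)", value)
            if m:
                captured.setdefault("cookies", {})[m.group(1)] = m.group(2)
        elif name.lower() in DROP_HEADERS:
            continue
        kept.append(line)
    return to_victim("\r\n".join(kept)) + "\r\n\r\n" + to_victim(body)


def simulate_login() -> dict:
    """Run a constructed login-plus-OTP exchange through the relay and return
    what the proxy captured, plus two sanity flags about the rewriting."""
    captured: dict = {}
    # 1. Victim posts username/password to the lookalike host.
    req_login = ("POST /login HTTP/1.1\r\nHost: login-example.net\r\n"
                 "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 "username=alice&password=hunter2&next=https%3A%2F%2Flogin-example.net%2Fhome")
    upstream_login = relay_request(req_login, captured)
    # 2. Real site replies with its 2FA prompt; the form action gets rewritten.
    resp_otp_prompt = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                       '<form action="https://login.example.com/otp"><input name="otp"></form>')
    shown_prompt = relay_response(resp_otp_prompt, captured)
    # 3. Victim types the one-time code into the proxied prompt.
    req_otp = ("POST /otp HTTP/1.1\r\nHost: login-example.net\r\n"
               "Content-Type: application/x-www-form-urlencoded\r\n\r\notp=492017")
    relay_request(req_otp, captured)
    # 4. Real site accepts the code and issues the authenticated session.
    resp_session = ("HTTP/1.1 302 Found\r\nLocation: https://login.example.com/home\r\n"
                    "Set-Cookie: session=9f3c2a71; Domain=login.example.com; Secure; HttpOnly\r\n"
                    "Strict-Transport-Security: max-age=31536000\r\n\r\n")
    shown_redirect = relay_response(resp_session, captured)
    captured["upstream_host_is_real"] = ("Host: " + REAL_HOST) in upstream_login
    captured["victim_ever_sees_real_host"] = REAL_HOST in (shown_prompt + shown_redirect)
    return captured
```

Two things are worth noticing in the result of simulate_login(). The one-time code 492017 is captured but useless to the attacker afterwards, because the real site consumed it in step 3; the session cookie from step 4 is what the kit keeps. And the hostname rewriting that keeps the victim on login-example.net is exactly what leaves the defender's footholds discussed later: a certificate for a lookalike domain, and Origin, Referer and cookie-domain values that a sloppy kit fails to rewrite.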
Reverse Proxy Phishing Statistics and Data
To get a sense of the prevalence and impact of reverse proxy phishing, let‘s look at some key statistics:
- The Anti-Phishing Working Group (APWG) reported a record 316,747 phishing attacks in December 2021, double the number from early 2020. [1]
- According to the FBI's Internet Crime Complaint Center (IC3), phishing was the top cyber crime category in 2021 with adjusted losses of over $44 million. [2]
- A study by security firm Resecurity found over 2,000 reverse proxy phishing websites targeting major brands as of January 2022, a 40% increase from the previous year. [3]
- In an analysis of 100,000 phishing sites, Akamai found 35% used SSL certificates to appear secure. Reverse proxy phishing was a common technique observed. [4]
Here is a data table comparing reverse proxy phishing to traditional phishing methods:
| Phishing Method | Login Page Served | Can Bypass OTP 2FA? | Difficulty to Detect |
|---|---|---|---|
| Traditional Phishing | Cloned copy on attacker host | No | Moderate |
| Spear Phishing | Cloned copy on attacker host | No | Moderate |
| SMS Phishing | Cloned copy (via link) | No | Fairly Easy |
| Reverse Proxy Phishing | Real site, proxied live | Yes | Very Difficult |
As we can see, reverse proxy phishing stands out for serving the legitimate website live instead of a cloned copy, being able to bypass code-based 2FA, and being very challenging to detect compared to other methods. Let's explore why.
Why Reverse Proxy Phishing is So Hard to Detect
The main reason reverse proxy phishing attacks are so difficult to identify is that the content the victim sees is the authentic website, fetched live, rather than a static clone.
With traditional phishing, attackers have to clone the look and feel of the targeted site, register a similar domain name, and host the copy on their own infrastructure. Discrepancies in the URL, the certificate, or the site content (stale branding, broken links, a form that posts somewhere odd) can tip off savvy users that something is amiss.
Security tools can also more easily detect cloned sites based on content anomalies, URL reputation, domain age, and other factors. And since a clone cannot talk to the real login back end, a one-time code typed into it has usually expired by the time the attacker tries to use it, so 2FA holds.
With reverse proxy phishing, most of those signals disappear:
- Content-based detection fails because the page is the real site byte for byte, with only hostnames rewritten
- The certificate is valid and the browser shows the padlock, because the attacker holds a legitimate certificate for their own lookalike domain
- Login behaves correctly, including error messages and account-specific branding, because every request reaches the real back end
- OTP-based 2FA is bypassed because the proxy relays the prompt and the code in real time, and the resulting session cookie is captured
The one signal that survives is the URL: the address bar still shows the attacker's domain, so domain reputation, domain age and lookalike-domain checks remain useful, but only for users and tools that actually look at it.
Some newer detection techniques like browser heuristics and network traffic analysis can potentially catch reverse proxy phishing. However, these are still nascent and generate a lot of false positives.
The Modlishka Tool and Open Source Threat
The bar for launching reverse proxy phishing attacks was lowered substantially in 2019 with the release of a tool called Modlishka by Polish security researcher Piotr Duszyński.
Modlishka makes it simple to stand up a phishing reverse proxy for popular sites like Gmail, Outlook, and Instagram. The open source tool handles TLS termination on the phishing domain, on-the-fly rewriting of hostnames in proxied content, credential capture, and collection of the authenticated session cookie once the real site has accepted the victim's 2FA.
When I tested Modlishka in my lab, I was impressed by how easy it was to set up a campaign with minimal Linux command line knowledge. The tool worked flawlessly against a test Gmail account protected by 2FA.
While Modlishka is intended as a penetration testing utility to help organizations test their phishing defenses, it can be readily abused by real-world attackers. As an open source project, the code is available for anyone to modify and extend.
This is a pattern we see repeatedly in the Linux ecosystem – open source tools developed for legitimate research and testing purposes being exploited by threat actors. It underscores the double-edged nature of open source in security.
Tips for Detecting Reverse Proxy Phishing
As a Linux sys admin, what practical steps can you take to detect reverse proxy phishing attacks targeting your organization? Here are some tips:
- Monitor for traffic anomalies. If you operate the site being impersonated, the attacker's proxy shows up in your logs as a single source IP that fetches login pages and assets on behalf of many different users, often from a hosting provider rather than a residential or corporate range. Look for one IP completing logins for many accounts in a short window, and for spikes in requests to login pages.
- Watch certificate issuance. The attacker's proxy presents a valid certificate, but it is for their lookalike domain, typically newly issued by a free automated CA. Monitor Certificate Transparency logs for certificates whose names contain your brand or resemble your domains, and treat a fresh certificate on a lookalike domain as a strong indicator that a campaign is being prepared.
- Inspect HTTP headers. The proxy rewrites or strips headers to keep the relayed session working, and a less careful kit lets the phishing domain show through in the Origin or Referer of the login POST or in the cookie domain. On the real site, alert on login submissions whose Origin or Referer is not your own origin, and on a session cookie being used from an IP other than the one that completed the login. User agent strings may also not match typical values.
- Deploy anti-phishing browser extensions. Tools like Netcraft use heuristics to identify suspicious URLs and domain squatting. Consider having users install these to flag potential reverse proxy phishing domains.
- Use canary accounts and honeytokens. Create fake login accounts and monitor for unsanctioned access, which could indicate credentials were phished. Inject unique honeytoken values into pages to see if they are collected by phishing sites.
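The first and third tips above are easy to turn into a detection pass if you run the site being impersonated. The example below is added for this article and is not from any product. It assumes an application authentication log in a constructed key=value format (not nginx's combined format) with one line per login attempt carrying the source IP, account, result, and the Origin and Referer headers of the login POST; the sample lines and the thresholds are constructed for the demonstration.

```python
"""Detection pass over the authentication log of the site being impersonated.

Added example for this article, not from any product. Log format, sample
lines and thresholds are all constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

OUR_ORIGINS = {"https://login.example.com"}   # assumed legitimate login origin(s)
FANOUT_WINDOW = timedelta(minutes=10)         # illustrative
FANOUT_THRESHOLD = 3                          # distinct accounts per source IP in the window

# Constructed sample: 203.0.113.7 is a proxy logging in as three different
# people, and its first line shows a kit that forgot to rewrite Origin/Referer.
SAMPLE_LOG = """\
2022-03-05T10:01:12Z src=203.0.113.7 user=alice result=success origin=https://login-example.net referer=https://login-example.net/login
2022-03-05T10:02:40Z src=198.51.100.20 user=bob result=success origin=https://login.example.com referer=https://login.example.com/login
2022-03-05T10:03:05Z src=203.0.113.7 user=carol result=success origin=https://login.example.com referer=https://login.example.com/login
2022-03-05T10:03:50Z src=198.51.100.20 user=bob result=success origin=https://login.example.com referer=https://login.example.com/login
2022-03-05T10:04:51Z src=203.0.113.7 user=dave result=success origin=https://login.example.com referer=https://login.example.com/login
2022-03-05T10:09:00Z src=198.51.100.21 user=erin result=failure origin=https://login.example.com referer=https://login.example.com/login
"""


def parse_line(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, _, rest = line.strip().partition(" ")
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in rest.split():
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def host_of(url: str) -> str:
    return urlsplit(url).hostname or ""


def origin_mismatches(events: list) -> list:
    """Successful logins whose Origin or Referer host is not ours: the form was
    rendered by a page served from somewhere else. A careful kit rewrites both
    headers, so an empty result rules out sloppy kits, not proxies."""
    ours = {host_of(o) for o in OUR_ORIGINS}
    return [e for e in events
            if e.get("result") == "success"
            and (host_of(e.get("origin", "")) not in ours
                 or host_of(e.get("referer", "")) not in ours)]


def fanout_sources(events: list) -> dict:
    """Source IPs that completed logins for FANOUT_THRESHOLD or more distinct
    accounts inside FANOUT_WINDOW. A proxy funnels every victim through one
    address; one user logging in repeatedly from a NAT does not trip this."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e.get("result") == "success":
            by_ip[e["src"]].append(e)
    flagged = {}
    for ip, logins in by_ip.items():
        for i, current in enumerate(logins):
            recent = {x["user"] for x in logins[:i + 1]
                      if current["ts"] - x["ts"] <= FANOUT_WINDOW}
            if len(recent) >= FANOUT_THRESHOLD:
                flagged[ip] = recent
    return flagged


def analyze(log_text: str) -> dict:
    """Run both checks over a log and return the users and IPs worth a look."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {"origin_mismatch_users": [e["user"] for e in origin_mismatches(events)],
            "fanout_sources": fanout_sources(events)}
```

On the sample, analyze(SAMPLE_LOG) flags alice through the header check and 203.0.113.7 through the fan-out check, while bob's two logins from one address stay quiet. In production the fan-out threshold needs tuning against your own NAT and VPN egress addresses, and both signals are best used to trigger a session review or forced re-authentication rather than an automatic block.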
The Importance of User Education
While technical controls are important for combating reverse proxy phishing, educating end users is just as critical. Technical solutions will always have gaps, and attackers are continually evolving their techniques to evade detection.
Teaching users to spot phishing attempts, even subtle ones, is a powerful defense. Some key points to educate employees on include:
- Be very cautious about clicking links in emails, social media, and other messages. When in doubt, navigate to sites directly.
- Check URLs carefully, especially on login pages. With a reverse proxy the page itself is flawless, so the address bar is the only place the attack shows: look for slight misspellings, added hyphens, unusual TLDs, or an address that doesn't quite match the site's normal one.
- Never enter credentials or sensitive info on a site you reached via a link. When logging into an important account, always retype the site's URL or use a bookmark.
- If a login prompt appears when you're already logged in, or you repeatedly get prompted to log in, be suspicious. This could indicate a man-in-the-middle attack.
- Enable 2FA everywhere possible, preferably with a hardware security key or platform authenticator using FIDO2/WebAuthn. SMS codes, authenticator-app codes and push approvals can all be relayed by a proxy; a WebAuthn credential is bound to the site's origin, so an assertion produced on a lookalike domain is rejected by the real site. This is the phishing-resistant MFA option most organizations can deploy today.
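The last point is the one that actually closes the hole, so it is worth seeing why in code. The example below is added for this article and is not a library's code. It performs two of the checks a relying party runs on a WebAuthn assertion: the origin the browser recorded in clientDataJSON must be one of ours, and the rpIdHash at the start of authenticatorData must equal SHA-256 of our relying-party ID. The signature check over authenticatorData || SHA-256(clientDataJSON) is left out on purpose (an assumption made so the example runs with the standard library only); the two helper functions stand in for the browser and the authenticator, and the hostnames are constructed.

```python
"""Relying-party checks that make FIDO2/WebAuthn survive a reverse proxy.

Added example for this article, not a library's code. Signature verification
is omitted by assumption; hostnames and challenge values are constructed.
"""
import hashlib
import json

RP_ID = "example.com"                             # assumed relying-party ID
ALLOWED_ORIGINS = {"https://login.example.com"}   # assumed legitimate origin(s)
FLAG_USER_PRESENT = 0x01


def client_data_from_browser(origin: str, challenge: str) -> bytes:
    """What the browser serialises: it fills in the origin of the page that
    called navigator.credentials.get(), and page script cannot override it."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": challenge,
                       "origin": origin}).encode()


def auth_data_from_authenticator(rp_id: str, counter: int = 1) -> bytes:
    """What the authenticator signs over: rpIdHash (32 bytes), flags, counter."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([FLAG_USER_PRESENT])
            + counter.to_bytes(4, "big"))


def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     expected_challenge: str) -> tuple:
    """Relying-party side. Returns (accepted, reason)."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} is not an allowed origin"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    if not auth_data[32] & FLAG_USER_PRESENT:
        return False, "user presence flag not set"
    return True, "ok"


def scenarios(challenge: str = "Y2hhbGxlbmdlLTEyMzQ1Ng") -> dict:
    """Constructed cases: the genuine login, and the same ceremony run from a
    page the victim reached through a proxy at https://login-example.net."""
    genuine = verify_assertion(
        client_data_from_browser("https://login.example.com", challenge),
        auth_data_from_authenticator(RP_ID), challenge)
    # Through the proxy the browser records the phishing origin, and the
    # authenticator (if it answers at all) scopes the assertion to that domain.
    proxied = verify_assertion(
        client_data_from_browser("https://login-example.net", challenge),
        auth_data_from_authenticator("login-example.net"), challenge)
    # Even if the kit forwards a clientDataJSON with our origin pasted in, the
    # only authenticatorData it can obtain carries the rpIdHash of its own domain.
    tampered = verify_assertion(
        client_data_from_browser("https://login.example.com", challenge),
        auth_data_from_authenticator("login-example.net"), challenge)
    return {"genuine": genuine, "proxied": proxied, "tampered_origin": tampered}
```

Contrast this with an OTP: the code the victim types carries no information about where it was typed, so the real site cannot tell a relayed code from a genuine one. In the full protocol the "tampered" case is rejected twice over, because rewriting clientDataJSON also invalidates the authenticator's signature, which covers its hash; and the browser never gets that far on the proxied page anyway, since it refuses to use an rpId that is not a registrable suffix of the page's own origin.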
By combining user education with multi-layered phishing prevention and detection safeguards, we can make it much harder for reverse proxy phishing attacks to succeed.
Conclusion
Reverse proxy phishing is a serious and growing threat that even the most tech-savvy users and organizations can fall victim to. By serving the legitimate website live through an attacker-controlled domain, these attacks are extraordinarily stealthy and defeat any 2FA that relies on a code or approval the proxy can simply relay.
Open source offensive security tools like Modlishka have lowered the barrier to entry for launching reverse proxy phishing campaigns. As more attackers leverage these frameworks, incidents will only increase.
While some detection techniques exist, they are still relatively immature and prone to false positives. Preventing reverse proxy phishing requires a multi-pronged approach spanning user education, browser-based heuristics, traffic inspection, and phishing-resistant MFA.
Ultimately, staying ahead of ever-evolving phishing attacks is an ongoing challenge that requires diligence from defenders and users alike. By understanding how techniques like reverse proxy phishing work, and sharing knowledge with peers, we can collectively improve our cyber resilience.
As always, stay vigilant out there and think before you click!