What's Happening In Security #19

Mamba 2FA: A Phishing-as-a-Service Platform

In a world where SaaS products are everywhere, it’s no surprise that scammers want to get in on the lucrative revenue structure too. Mamba 2FA is a Phishing-as-a-Service (PaaS) platform which has been in service since at least May of this year when the cybersecurity company Sekoia, began tracking it.

What is it. The phishing kit’s primary target is users with Microsoft 365 accounts. The kit allows its users to not only send very convincing phishing emails, but it also aids in bypassing certain MFA methods.

This is a form of an Adversary-in-the-Middle (AitM) attack. A classic Man-in-the-Middle attack involves an attacker positioning themselves between two machines to eavesdrop or change messages, the AitM variant manipulates authentication protocols specifically.

The platform’s architecture involves a relay server which communicates with the phishing website. After a victim inputs their credentials they get sent to the malicious website which forwards it to the relay server. This server can then just input the these credentials into Microsoft’s real website.

While MFA is generally a powerful tool in stopping phishing attacks, not all MFA is built the same and this can be an issue for more advanced threats. In a situation like this AitM attack, you may receive an SMS OTP and input that on the platform which they can then relay to the Microsoft, effectively bypassing the MFA.

Phishing has been around for a long time. What’s the big deal about PaaS?

In a word, the problem is “accessibility”. Building and maintaining the infrastructure for these scams is no mean feat, but now anyone can find these services for sale on Telegram for just $250 per month. Two hundred and fifty dollars is all you need to access this cutting edge technology. These sorts of services likely mean advanced phishing campaigns will become far more common.

Following Pavel Durov’s (Telegram’s CEO) recent arrest in France, he pledged to be cooperate more with law enforcement to moderate illicit activities. It’ll be interesting to see whether he follows through.

Nerdy Details

• The HTML attachment doesn’t have much static content

• The file uses window.location.href to redirect user to the phishing website.

  • By base64 encoding the url, it makes it harder for security scanners to recognize the malicious url

    <script>
      window.location.href = atob("aHR0cHM6Ly...") + "#" + "[EMail]";
    </script>

• On loading a pretty barebones HTML page, they load the Socket.IO library and 1 of the 4 screen templates (one is shown above)

• Using the Socket.IO library, the page communicates with the relay server to send credentials to Microsoft Entra servers

• Since being discovered by Sekoia, Mamba 2FA’s devs have gotten even sneakier

  • If the website sees a bot (possibly a security scanner) is visiting the site, it won’t load the page and will return a 404 status

  • To make blocking the website’s IP addresses, they now use proxy servers between the relay and Microsoft’s servers

Thanks for taking the time to read this week’s deep dive into security. If it’s something you want to talk more about, feel free to reach out! If you know someone else you might like it, give it a share!

See you in the next one.