This article is more than 1 year old

Phishing kits' use of man-in-the-middle reverse proxies is growing, warns Proofpoint

Spoof site looks real because it is... but you're not talking to who you think

In the beginning we had passwords. Their hackability made a lot of people very angry and passwords were widely regarded as a bad move. Then we had two-factor authentication – and now Proofpoint reckons criminals online are able to start bypassing them with transparent reverse proxies.

Phishing kits, readymade deployables used by crooks to steal victims' login details, are increasingly capable of bypassing multi-factor authentication (MFA), the company warned today.

In a blog post Proofpoint said it sees "numerous MFA phishing kits ranging from simple open-source kits with human readable code and no-frills functionality to sophisticated kits utilizing numerous layers of obfuscation and built-in modules that allow for stealing usernames, passwords, MFA tokens, social security numbers and credit card numbers."

Naming three particular MFA-bypassing phishing kits (Modlishka, Muraena/NecroBrowser, and Evilginx), Proofpoint said they tend to be deployed through crafted phishing domains; sites falsely posing as genuine sites that victims want to log into. These are typically bank websites, email or storage providers, and so on – anything that's going to yield exploitable information valuable to criminals.

The reverse proxy concept is simple: fool users into visiting a phishing page, use the reverse proxy to fetch all the legitimate content the user expects including login pages, and sniff their traffic as it passes through the proxy. This way criminals can harvest valid session cookies and bypass the need to authenticate with username, password and 2FA token.

Proofpoint said it deployed an in-house machine learning tool it called Phoca and learnt that over 1,200 phishing sites it scanned were deploying reverse proxies to fetch genuine websites' content, passing off the fake site as the real deal.

"Of those 1200+ sites only 43.7 per cent of domains and 18.9 per cent of IP addresses appeared on popular blocklists like VirusTotal," said the firm.

Reverse proxy phishing kits are an evolution, so Proofpoint said, of the age-old man-in-the-middle (MITM) concept. In normal usage a reverse proxy sits in front of a server or group of servers and directs traffic intended for those, which we explained a few years back while discussing the yet-to-occur death of IPv4. One use of a reverse proxy might be a load balancer. They're sometimes called "transparent" because to the user wanting to access the servers behind the proxy, the traffic all comes from the same public IP address. ®


With apologies to the late, great Douglas Adams for the top paragraph.

More about

More about

More about


Send us news

Other stories you might like