MFA Bypass Kits Account For One Million Monthly Messages

Threat actors continued to evolve their tactics to sidestep user defenses in 2022, with multi-factor authentication (MFA) bypass kits accounting for millions of phishing messages, according to Proofpoint.
Off-the-shelf toolkits have helped to democratize phishing to the cybercrime masses for several years, but specialized tools dedicated to MFA bypass are a relatively new sight, Proofpoint said in its latest report, The Human Factor 2023.
Proofpoint highlighted three popular toolkits – EvilProxy, Evilginx2 and NakedPages – as being particularly prolific in 2022.
EvilProxy is an advanced phishing-as-a-service platform, while Evilginx2 is a red team tool enabling reverse proxy attacks against MFA. NakedPages is an off-the-shelf phishing kit that also uses reverse proxy techniques.
“MFA is still an integral part of defense in depth, and activating it remains best practice,” said Proofpoint. “But the growth of these techniques should signal a loud note of caution: attackers will take everything if you let them – even your MFA tokens.”
Also on the rise are telephone-oriented attack delivery (TOAD) threats, which peaked at over 13 million per month in 2022, according to the report.
This novel threat typically begins with a phishing message – such as a fake invoice – which encourages the recipient to call a telephone helpline. Doing so puts them in direct contact not with a legitimate call center, but with one run by a fraud gang.
Once on the phone, the victim may be tricked into installing malware or granting the call center operative access to their machine.
Proofpoint highlighted BazaCall as a particularly prolific early exponent of the TOAD threat, using lures like fake movie streaming sites and unannounced Justin Bieber tours to reel in victims. The group would typically try to trick the victim over the phone into downloading the now-defunct BazaLoader malware.
Proofpoint claimed that the sheer number of TOAD threats, detected in their millions on a monthly basis, indicates their adoption by a larger number of less sophisticated groups.
Elsewhere, Proofpoint detected a twelvefold increase in “conversational” scams including romance fraud, fake job ads and pig butchering crypto fraud – making it the fastest-growing threat in the mobile space.