A team of researchers discovered thousands of phishing toolkits with the ability to intercept 2FA security codes and bypass the security. There are a couple of phishing techniques that hackers use to intercept 2FA verification processes.

Phishing toolkits and their rise

Man-in-the-Middle (MitM) phishing toolkits have become more popular in recent years. 
  • Researchers discovered over 1,200 such toolkits in use. The rising trend is apparently due to tech firms making 2FA as default security.
  • Attackers are using new tools to steal users’ authentication cookies, which are essentially files created in a web browser whenever a user logs into an account after the 2FA process. 
  • In most cases, the attackers used a type of infostealers to steal authentication cookie files from computers.
  • In another technique, hackers intercept the authentication cookies while they are in transit from the service provider to a user’s device, aka MitM. This does not rely on infecting a computer with malware.

Reports suggest that the attackers are gradually upgrading their old phishing toolkits with a variety of techniques.

Real-time phishing vs MitM

  • Real-time phishing is a case where an operator sits in front of a web panel when a user is interacting with a phishing site. When it’s time to enter 2FA codes, threat actors prompt the user for the actual 2FA code, via email, SMS, or authenticator app. 
  • Hackers collect the 2FA token and use it on the real site, establishing an indirect but legitimate connection between their system and the victim’s account. 
  • Real-time hacking is suitable for breaking into online banking sites as user login sessions tend to run out of time quickly and every re-authentication attempt requires another 2FA code.
  • But, it all changes when users are provided with more relaxed rules around user login sessions. MitM phishing attacks are suitable in these scenarios. 
  • Hackers use phishing kits to relay traffic between the phishing site, the victim, and the genuine service.

Moreover, it is bizarre to find out that most of these MitM phishing toolkits in use by attackers are based on tools, such as Evilginx, Modlishka, and Muraena, created by security researchers.


The use of phishing toolkits is getting more widespread and popular among cybercriminal groups. These toolkits are easy-to-use and most of them are available free of cost. However, vulnerable organizations can use a tool called PHOCA to identify a phishing site using a reverse proxy.

Cyware Publisher