Phishing kits are bundles of automated tools, scripts and website templates that let cybercriminals stand up lookalike login pages and run credential-stealing campaigns at scale. Against accounts protected by MFA, however, a static kit often fails, because the attacker cannot know in advance which second factor the account will be asked for. Is it a code generated by a mobile app? A code sent via SMS? A push notification sent to the user's phone that they must tap to approve? Websites can offer several MFA options, and which ones apply is configured by users and their organizations.
Combined with a phone call to the victim, a technique known as voice phishing or vishing, these attacks become far more effective. The attacker can test the harvested credentials on the legitimate site while the victim is still on the line, see which MFA challenge the site issues, and switch the phishing page to match it in real time.
“This real-time session orchestration provides a new level of control and visibility to the social engineer,” Okta researchers said. “If presented a push notification (type of MFA challenge), for example, an attacker can verbally tell the user to expect a push notification, and select an option from their C2 panel that directs their target’s browser to a new page that displays a message implying that a push message has been sent, lending plausibility to what would ordinarily be a suspicious request for the user to accept a challenge the user didn’t initiate.”
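To make the orchestration described above concrete, here is an added example, not code from Okta or from any real phishing kit: a small Python model of the relay. The stand-in login service, the user directory, the lure text, the documentation-range IP addresses and the closing defender-side heuristic are all assumptions of this example. It shows the kit testing the credential live from attacker infrastructure, reading back which factor the real site wants, choosing the matching lure page, and, for push, simply waiting for the coached victim to approve the attacker's own login attempt. The last function flags challenges that were triggered from an IP the user has never logged in from, which is the trace the relay leaves in the real service's log.

```python
"""Model of the real-time MFA relay. Constructed for illustration: the login
service, user directory, lure text and IP addresses are not from the article."""
from dataclasses import dataclass
import secrets

# Constructed directory: password, enrolled factor and a fixed code for code-based factors.
USERS = {
    "alice": {"password": "hunter2", "factor": "push"},
    "bob":   {"password": "correct-horse", "factor": "totp", "code": "492817"},
    "carol": {"password": "tr0ub4dor", "factor": "sms", "code": "031556"},
}

@dataclass
class AuthEvent:
    event: str
    user: str
    source_ip: str

class LegitSite:
    """Stand-in for the real identity provider; each password check answers with the factor it wants next."""

    def __init__(self):
        self.pending = {}  # session id -> username awaiting second factor
        self.audit = []    # AuthEvent records, as the real service would log them

    def login(self, user, password, source_ip):
        rec = USERS.get(user)
        if rec is None or rec["password"] != password:
            self.audit.append(AuthEvent("password_failed", user, source_ip))
            return None, None
        sess = secrets.token_hex(4)
        self.pending[sess] = user
        self.audit.append(AuthEvent(f"challenge_{rec['factor']}", user, source_ip))
        return sess, rec["factor"]

    def verify(self, sess, answer, source_ip):
        """Second step: a typed code for totp/sms, or the Approve tap for push."""
        user = self.pending.pop(sess, None)
        if user is None:
            return False
        rec = USERS[user]
        ok = answer is True if rec["factor"] == "push" else answer == rec.get("code")
        self.audit.append(AuthEvent("mfa_success" if ok else "mfa_failed", user, source_ip))
        return ok

class PhishingKit:
    """Operator-side orchestration: relay what the victim types to the real site from
    attacker infrastructure, read back the factor type, and pick the victim's next page."""

    TEMPLATES = {  # constructed lure text, one page per factor type
        "push": "A push notification has been sent to your phone. Tap Approve to continue.",
        "totp": "Enter the 6-digit code from your authenticator app.",
        "sms":  "Enter the code we just sent to your phone by SMS.",
    }

    def __init__(self, site, attacker_ip):
        self.site, self.attacker_ip = site, attacker_ip
        self.session, self.factor = None, None

    def victim_submits_password(self, user, password):
        # The credential is tested on the real site while the victim waits.
        self.session, self.factor = self.site.login(user, password, self.attacker_ip)
        if self.session is None:
            return "Incorrect password. Please try again."  # re-prompt the victim
        return self.TEMPLATES[self.factor]  # lure page now matches the real prompt

    def victim_submits_code(self, code):
        # A typed code is replayed at once, before it expires.
        return self.site.verify(self.session, code, self.attacker_ip)

    def victim_approved_push(self, victim_phone_ip):
        # Nothing to relay for push: the victim, coached over the phone, approves
        # the attacker's own login attempt directly with the real site.
        return self.site.verify(self.session, True, victim_phone_ip)

def suspicious_challenges(audit, known_ips):
    """Defender heuristic (an assumption of this example): an MFA challenge
    triggered from an IP the user has never logged in from is a candidate
    relayed login, whatever factor type it was."""
    return [e for e in audit if e.event.startswith("challenge_")
            and e.source_ip not in known_ips.get(e.user, set())]

def run_demo():
    site = LegitSite()
    kit = PhishingKit(site, attacker_ip="203.0.113.7")  # RFC 5737 documentation range
    results = {}
    kit.victim_submits_password("bob", "correct-horse")     # authenticator code, relayed
    results["bob"] = kit.victim_submits_code("492817")
    kit.victim_submits_password("alice", "hunter2")         # push, approved by the victim
    results["alice"] = kit.victim_approved_push(victim_phone_ip="198.51.100.22")
    results["carol"] = kit.victim_submits_password("carol", "wrong")  # bad guess, re-prompt
    known = {"alice": {"198.51.100.22"}, "bob": {"192.0.2.10"}, "carol": {"192.0.2.11"}}
    return results, suspicious_challenges(site.audit, known)

if __name__ == "__main__":
    print(run_demo())
```

Note what the model makes visible: for the code-based factors the attacker's machine performs both authentication steps, while for push the victim's phone completes a login the attacker started, so the only event from the victim's own network is the approval. In both cases the challenge itself originates from attacker infrastructure, which is why the heuristic keys on the challenge event rather than on the final success.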
