“New Phishing Attack Bypasses 2FA, Leaving Users Vulnerable”

A new phishing attack called Astaroth has been spotted that bypasses two-factor authentication (2FA) through session hijacking and real-time credential interception. The attack exploits a man-in-the-middle mechanism to capture login credentials, tokens, and session cookies in real time, effectively rendering 2FA defenses ineffective.

The phishing kit was first advertised last month and is priced at $2,000 for six months of continuous updates. It uses a reverse proxy mechanism that allows attackers to intercept 2FA authentication tokens and session cookies rapidly, making it a highly effective attack method.

Unlike traditional phishing kits, which capture only primary credentials, Astaroth intercepts all authentication data in real time, which sets it well apart from conventional phishing methods and the defences built against them. This is particularly concerning, although the attack still starts the way most phishing does, with a link and a click, which can be avoided by following the basic guidance not to click links.

The attack works by mirroring the target domain’s appearance and functionality and relaying traffic between the victim and the legitimate login page. The victim’s user agent and IP address are reused to replicate their session environment, reducing the risk of detection during login. This means that even if a user has 2FA enabled, such as SMS codes or an authenticator app, the attacker captures the token in real time as it is entered.

The attack also steals session cookies from the browser, which can be used to replicate an authorized session on an attacker’s device. While updates are available to tackle this issue, it remains a significant problem.
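Replay of a stolen session cookie from a second device, as described above, is something the legitimate service can look for on its own side. The following is an added example, not code from the article or from the Astaroth kit; the JSON log format, field names and sample entries are constructed for the illustration.

```python
"""Flag a session cookie presented from a second client fingerprint (added
example; the JSON log format, field names and sample entries are constructed)."""
import json
from datetime import datetime
from typing import NamedTuple


class Alert(NamedTuple):
    session_id: str
    bound_ip: str
    new_ip: str
    new_user_agent: str
    seconds_since_bind: float


# Constructed sample of JSON-per-line access log entries (TEST-NET addresses).
# Session s-1a2b reappears from another host and browser 150 seconds after it
# was issued; s-9f8e is used normally and must not be flagged.
SAMPLE_LOG = """\
{"t": "2025-02-15T09:00:01Z", "sid": "s-1a2b", "ip": "203.0.113.10", "ua": "Windows Chrome/122", "path": "/login"}
{"t": "2025-02-15T09:00:09Z", "sid": "s-1a2b", "ip": "203.0.113.10", "ua": "Windows Chrome/122", "path": "/mail"}
{"t": "2025-02-15T09:02:31Z", "sid": "s-1a2b", "ip": "198.51.100.77", "ua": "Linux Firefox/120", "path": "/mail/settings"}
{"t": "2025-02-15T09:05:00Z", "sid": "s-9f8e", "ip": "192.0.2.5", "ua": "Mac Safari/17", "path": "/login"}
{"t": "2025-02-15T09:06:00Z", "sid": "s-9f8e", "ip": "192.0.2.5", "ua": "Mac Safari/17", "path": "/mail"}
"""


def find_session_reuse(log_text: str) -> list[Alert]:
    """One Alert per request that presents a session id from an (ip, user agent)
    pair other than the one the session was first seen with."""
    bound = {}  # sid -> ((ip, ua), time first seen)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        when = datetime.strptime(rec["t"], "%Y-%m-%dT%H:%M:%SZ")
        sid, fp = rec["sid"], (rec["ip"], rec["ua"])
        if sid not in bound:
            bound[sid] = (fp, when)
            continue
        bound_fp, bound_at = bound[sid]
        # The article notes the proxy copies the victim's user agent and IP at
        # login, so a single signal is weak; compare both and alert on either.
        if fp != bound_fp:
            elapsed = (when - bound_at).total_seconds()
            alerts.append(Alert(sid, bound_fp[0], rec["ip"], rec["ua"], elapsed))
    return alerts
```

Binding to a raw IP will misfire for mobile clients whose address changes mid-session, so in production compare at network-prefix or ASN granularity and route the alert into step-up re-authentication rather than terminating sessions outright.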

To stay safe, users should avoid clicking links and should only use sign-in popups reached through their usual login methods. If a sign-in is needed, navigate to the sign-in page through the usual channels rather than through a link, unless that link was requested through a usual channel.

Source: https://www.forbes.com/sites/zakdoffman/2025/02/15/gmail-and-outlook-2fa-codes-hacked-do-not-use-sign-in