Next-level phishing
May 26, 2025
Cybercriminals finding new ways around multi-factor authentication (MFA)
Phishing attacks — where scammers try to trick you into giving up your login information — have been around for decades. To fight back, many businesses added Multi-Factor Authentication (MFA). That’s the extra step you take when logging in, such as entering a code sent to your phone.
But now, hackers are getting smarter.
The MFA workaround
Hackers are using a trick called Adversary-in-the-Middle (AiTM) attacks. Instead of copying the real login page, the phishing site is a reverse proxy: it sits between your browser and the genuine site and relays the genuine page to you, so what you see is the real login screen served from a look-alike address.
When you enter your username, password and MFA code, the proxy forwards them to the real site immediately, while the one-time code is still valid. The real site sees a correct password and a correct code and believes it is you logging in.
The real site then issues a session cookie, basically the key to your account, and the proxy keeps a copy before passing the login through to you. The attacker loads that cookie into their own browser and is logged in as you.
Because MFA is only checked at login, the stolen cookie gives the criminal your session for as long as the cookie stays valid, with no further MFA prompt. A code that expires in 30 seconds does not help here: the code was used once, in real time, and the cookie is what gets stolen.
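To make the relay concrete, here is an added example that models the exchange in Python. It is not code from the article or from Cisco Talos: the "real site" (password check, RFC 6238 TOTP check, session cookie), the account, the secret, the timestamps and the proxy are all constructed stand-ins that run in one process. It shows why forwarding in real time works and why the captured one-time code is worthless afterwards while the cookie is not.

```python
"""Model of an Adversary-in-the-Middle (AiTM) relay against password + TOTP.
Everything here is constructed for illustration: the real site, the secrets
and the proxy are in-process stand-ins, not a real service or phishing kit."""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, List, Optional

# --- Constructed stand-in for the real login portal ------------------------
TOTP_SECRET = b"constructed-demo-seed-not-a-real-key"  # shared with the user's authenticator app
PASSWORD_DB = {"alice": "correct horse battery staple"}  # constructed account
SESSIONS: Dict[str, str] = {}                            # session cookie -> username
TOTP_STEP = 30


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step) for the given Unix time."""
    counter = struct.pack(">Q", now // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def real_site_login(username: str, password: str, otp: str, now: int) -> Optional[str]:
    """The real site checks password and current TOTP, then issues a session cookie."""
    if PASSWORD_DB.get(username) != password:
        return None
    if not hmac.compare_digest(otp, totp(TOTP_SECRET, now)):
        return None
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = username
    return cookie


def real_site_account_page(cookie: str) -> str:
    """After login the cookie alone proves identity; MFA is not asked again."""
    user = SESSIONS.get(cookie)
    return f"Welcome {user}" if user else "401 Unauthorized"


# --- The AiTM proxy the victim actually talks to ---------------------------
class AitmProxy:
    """Relays the victim's submission to the real site in real time and keeps
    a copy of everything, including the session cookie the real site returns."""

    def __init__(self) -> None:
        self.loot: List[Dict[str, str]] = []

    def handle_login(self, username: str, password: str, otp: str, now: int) -> Optional[str]:
        cookie = real_site_login(username, password, otp, now)  # forwarded immediately
        if cookie is not None:
            self.loot.append({"user": username, "password": password, "otp": otp, "cookie": cookie})
        return cookie  # the victim ends up logged in and sees nothing unusual


def run_attack(now: int = 1_700_000_000) -> Dict[str, bool]:
    """Play the attack through and report what the attacker can still do later."""
    proxy = AitmProxy()
    # The victim reads the current code off their authenticator app and types it
    # into the look-alike page; the proxy forwards it while it is still valid.
    victim_otp = totp(TOTP_SECRET, now)
    proxy.handle_login("alice", PASSWORD_DB["alice"], victim_otp, now)
    stolen = proxy.loot[0]

    # An hour later, from the attacker's own machine:
    later = now + 3600
    cookie_still_valid = real_site_account_page(stolen["cookie"]) == "Welcome alice"
    # The captured OTP on its own is worthless by now: its 30 s window has passed.
    stale_otp_login = real_site_login(stolen["user"], stolen["password"], stolen["otp"], later)
    return {
        "credentials_captured": len(proxy.loot) == 1,
        "stolen_cookie_works_later": cookie_still_valid,
        "stale_otp_works_later": stale_otp_login is not None,
    }


if __name__ == "__main__":
    print(run_attack())
```

The model deliberately leaves out the cookie's expiry, which is the only thing limiting the attacker here: a session cookie that lasts days hands the attacker days of access, which is why short sessions, re-authentication for sensitive actions and revoking sessions after a suspected phish matter alongside MFA.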
Toolkits intercept MFA codes
Cybercriminals no longer need to be tech geniuses. They can now buy or rent special toolkits online to pull off these scams.
Toolkits are ready-made software packages that do the hard work: they proxy the real login page so the fake site looks genuine, capture usernames, passwords, MFA codes and the session cookies the real site issues after MFA, and help hide the phishing site from security tools.
Some of the most popular kits act like a middleman between the user and the real site, silently collecting information while everything appears normal.
This trend is known as Phishing-as-a-Service (PhaaS). Think of it as hackers selling or renting “hacking starter kits” to anyone who wants to launch an attack.
More secure way to log in
A better and safer login method called WebAuthn (the standard behind hardware security keys and passkeys) is gaining traction.
Instead of a password, it uses a key pair: the private key never leaves your device or security key, and the website stores only the matching public key. Each login is a signature over a one-time challenge from the site.
The credential is bound to the real site's domain, and the browser itself writes the address of the page you are on into the data that gets signed. A scam site at a different address cannot get your browser to use the credential at all, and anything it managed to relay to the real site would be rejected because the signed address does not match.
The login fails and your account stays safe, with nothing for the proxy to capture.
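The following added example (not code from the article or from Cisco Talos) models the checks that make WebAuthn phishing-resistant: the browser's RP ID rule, the authenticator's per-domain credential, and the relying party's origin and rpIdHash checks on the assertion. The domains, the look-alike address and the in-process browser, authenticator and relying party are constructed for the demo, and HMAC-SHA256 stands in for the asymmetric signature a real authenticator would produce (an assumption made only so the example runs on the standard library; it changes nothing about the origin and RP ID checks).

```python
"""Model of why a WebAuthn credential cannot be relayed through an AiTM page.
Constructed for illustration: browser, authenticator and relying party are
in-process stand-ins, and HMAC-SHA256 replaces the real asymmetric signature
(ES256, EdDSA, ...) purely so this runs with the standard library."""
import base64
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.com"               # assumed relying-party ID
RP_ORIGIN = "https://login.example.com"   # assumed genuine origin


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class Authenticator:
    """Holds one credential per RP ID it was registered with."""

    def __init__(self) -> None:
        self.creds = {}
        self.sign_count = 0

    def register(self, rp_id: str) -> bytes:
        self.creds[rp_id] = secrets.token_bytes(32)
        return self.creds[rp_id]          # stands in for the public key sent to the RP

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        key = self.creds[rp_id]           # KeyError: no credential scoped to this RP ID
        self.sign_count += 1
        # authenticatorData = rpIdHash (32) || flags (1) || signCount (4)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + self.sign_count.to_bytes(4, "big")
        sig = hmac.new(key, auth_data + hashlib.sha256(client_data_json).digest(), hashlib.sha256).digest()
        return auth_data, sig


def browser_get(authn, page_origin: str, requested_rp_id: str, challenge: bytes):
    """What navigator.credentials.get() does for a page served from page_origin."""
    host = page_origin.split("://", 1)[1]
    # The browser refuses an rpId that is not the page's domain or a suffix of it
    # (simplified: real browsers also reject public suffixes such as "com").
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise PermissionError("SecurityError: rpId does not match page origin")
    # The browser, not the page's script, writes the origin into clientDataJSON.
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    auth_data, sig = authn.get_assertion(requested_rp_id, client_data)
    return client_data, auth_data, sig


def rp_verify(cred_key: bytes, expected_challenge: bytes, client_data: bytes, auth_data: bytes, sig: bytes) -> str:
    """Relying-party checks, in the order the WebAuthn spec lists them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != b64url(expected_challenge):
        return "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return "origin mismatch"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return "bad signature"
    return "ok"


def demo() -> dict:
    authn = Authenticator()
    cred_key = authn.register(RP_ID)
    phish_origin = "https://login.example-com.net"   # constructed look-alike address
    results = {}
    # 1. Genuine login at the real origin.
    challenge = secrets.token_bytes(32)
    results["genuine"] = rp_verify(cred_key, challenge, *browser_get(authn, RP_ORIGIN, RP_ID, challenge))
    # 2. The AiTM page relays the real challenge and asks for the real RP ID.
    challenge = secrets.token_bytes(32)
    try:
        browser_get(authn, phish_origin, RP_ID, challenge)
        results["phish_real_rpid"] = "browser allowed it"
    except PermissionError as err:
        results["phish_real_rpid"] = str(err)
    # 3. The phishing page asks for its own RP ID: no credential exists for it.
    try:
        browser_get(authn, phish_origin, "login.example-com.net", challenge)
        results["phish_own_rpid"] = "assertion produced"
    except KeyError:
        results["phish_own_rpid"] = "no credential for this RP ID"
    # 4. Even an assertion signed on the phishing origin and relayed to the real
    #    site is rejected: clientDataJSON.origin names the wrong site.
    authn.register("login.example-com.net")          # pretend the victim had enrolled there too
    relayed = browser_get(authn, phish_origin, "login.example-com.net", challenge)
    results["relayed_assertion"] = rp_verify(cred_key, challenge, *relayed)
    return results
```

Step 4 is the one that matters for AiTM: the proxy can relay bytes, but it cannot change the origin the browser wrote into the signed data, so the relying party sees a signature over the wrong site and refuses it. The checks are listed in the order a real relying-party library applies them, which is why the origin mismatch is reported before the signature is ever examined.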
Unfortunately, not many companies use WebAuthn yet, but experts say it’s time to reconsider.
What you can do
- Stay alert: Always double-check website addresses before logging in.
- Use phishing-resistant MFA: hardware security keys and passkeys (FIDO2/WebAuthn) cannot be relayed through a fake site. Push notifications and authenticator-app codes are safer than SMS (text) codes, but an AiTM proxy can still relay them, so treat them as a step up, not a fix.
- Talk to your IT team: Ask if your organization can adopt WebAuthn or other passwordless options.
- Watch for signs of phishing: If something feels off, don’t click.
Cybercriminals are evolving. But so are the tools to stop them. The key is staying informed and using the best security options available.
Source: Cisco Talos Intelligence