Long considered a nearly foolproof security barrier, two-factor authentication (2FA) is no longer an absolute safeguard against cyberattacks. A new technique developed by hackers now allows them to bypass this mechanism by hijacking session cookies through a fake login portal positioned between the user and the legitimate website.
2FA: Useful, but Vulnerable
Two-factor authentication adds an extra layer of security to online accounts: in addition to a password, users must confirm their login using a code sent via SMS, email, or an authentication app. This significantly complicates attackers’ efforts, even if login credentials are compromised.
However, cybercriminals have devised multiple ways to circumvent 2FA. Some intercept authentication codes using AI-powered bots, while others rely on screen pixel analysis techniques to capture sensitive data in real time.
Session Cookies: The Hackers’ New Target
A tool known as Evilginx is increasingly being used to carry out these attacks. According to researchers at Infoblox, Evilginx is an advanced open-source phishing framework specializing in adversary-in-the-middle attacks. In practice, it places itself between the victim and a legitimate website—whether a bank, social media platform, or financial service.
To launch the attack, hackers deploy Evilginx on a server and configure a fake domain. This domain acts as a proxy, forwarding all requests to the official website while intercepting login credentials and, crucially, session cookies.
A session cookie is a small, temporary piece of data, stored by the browser, that allows a server to recognize an authenticated user during a browsing session. It is deleted when the user logs out, closes the browser, or when the server-side session expires.
How the Attack Works
The victim receives a malicious link via email, SMS, or social media. Believing it to be legitimate, they open the fake portal, which appears authentic and even displays an HTTPS padlock.
The user enters their username and password, which are instantly forwarded to the real website. The login succeeds normally, but the intermediary portal captures these credentials.
The legitimate site then requests the 2FA code. The victim enters the code, and the malicious portal relays it in real time.
At that moment, the hackers intercept the session cookie generated after authentication. Copied by Evilginx before being passed to the victim’s browser, this cookie allows attackers to access the account without a password or 2FA code.
Using the stolen cookie, hackers can read emails, modify security settings, carry out financial transactions, or extract sensitive data—until the cookie expires or is revoked.
An Invisible Attack
From the user’s perspective, nothing seems out of the ordinary. The experience mirrors a normal login on the real website. The breach is often discovered only after fraudulent transactions occur or account settings are altered. The entire intrusion relies on the invisible duplication of the session cookie.
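To make the duplication point concrete, here is an added example (written for this article, not code from Evilginx or from any of the sites it targets) of what a server does with a session cookie. A hypothetical in-memory store issues an opaque cookie after login, resolves it on later requests, and can revoke every session a user holds; the names SessionStore, Issue, Resolve and RevokeAll are invented for the illustration. Running it shows why the attack works and why the "revoke all sessions" advice further down works: the server accepts the copied cookie exactly as it accepts the original, because both are the same random string and nothing else identifies the browser, and only revocation or expiry makes the copy useless.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"time"
)

// Session is the server-side record a cookie points at. The cookie carries
// only the random ID; the user and expiry live on the server.
type Session struct {
	User      string
	ExpiresAt time.Time
}

// SessionStore is a constructed in-memory stand-in for a real session
// backend (hypothetical; not part of any vendor's code).
type SessionStore struct {
	sessions map[string]Session
	now      func() time.Time // injectable clock so expiry can be exercised
}

func NewSessionStore(now func() time.Time) *SessionStore {
	return &SessionStore{sessions: map[string]Session{}, now: now}
}

// Issue creates a fresh session once the user has passed password + 2FA and
// returns the opaque cookie value: 256 random bits, hex-encoded.
func (s *SessionStore) Issue(user string, ttl time.Duration) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	id := hex.EncodeToString(raw)
	s.sessions[id] = Session{User: user, ExpiresAt: s.now().Add(ttl)}
	return id, nil
}

// Resolve maps a presented cookie to a user. Note what it cannot do: tell the
// browser that earned the cookie apart from anyone else holding an identical
// copy. That is the whole reason a copied cookie is enough to log in.
func (s *SessionStore) Resolve(cookie string) (string, bool) {
	sess, ok := s.sessions[cookie]
	if !ok {
		return "", false
	}
	if !s.now().Before(sess.ExpiresAt) {
		delete(s.sessions, cookie) // expired: drop it
		return "", false
	}
	return sess.User, true
}

// RevokeAll deletes every session belonging to user and reports how many it
// removed. This is the server side of "sign out of all sessions".
func (s *SessionStore) RevokeAll(user string) int {
	n := 0
	for id, sess := range s.sessions {
		if sess.User == user {
			delete(s.sessions, id)
			n++
		}
	}
	return n
}

func main() {
	store := NewSessionStore(time.Now)

	// 1. Victim logs in through the proxy; the real site issues a cookie and
	//    the proxy keeps a byte-for-byte copy.
	cookie, _ := store.Issue("alice", 8*time.Hour)
	stolenCopy := cookie

	_, victimOK := store.Resolve(cookie)
	_, copyOK := store.Resolve(stolenCopy)
	fmt.Println("before revocation: victim", victimOK, "copy", copyOK) // true true

	// 2. Victim revokes all sessions and logs in again.
	store.RevokeAll("alice")
	fresh, _ := store.Issue("alice", 8*time.Hour)

	_, copyOK = store.Resolve(stolenCopy)
	_, freshOK := store.Resolve(fresh)
	fmt.Println("after revocation: copy", copyOK, "fresh", freshOK) // false true
}
```

The store also drops a session once its expiry passes, which is the other way a stolen cookie dies on its own; a long TTL widens the window in which the copy stays valid.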
How to Protect Yourself Against Evilginx and 2FA Bypass Attacks
To reduce the risk:
- Be cautious with unexpected links and always verify the sender and destination before clicking.
- Use phishing-resistant multi-factor authentication methods, such as physical security keys (e.g., YubiKey).
- Revoke all active sessions and log in again using your password and 2FA to generate new session cookies, rendering stolen cookies useless.
These simple steps can significantly reduce exposure to a sophisticated yet stealthy threat.
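The second recommendation, phishing-resistant MFA, deserves a worked illustration of why a proxy cannot relay it the way it relays a six-digit code. The added example below (written for this article; it is not Evilginx code, nor any browser's or vendor's WebAuthn implementation, and it simplifies the real protocol, for instance by signing only the client data) models a security key with one ECDSA key pair per relying-party ID and a relying party that verifies the signed client data. The types Authenticator, RelyingParty and clientData, the helper rpIDFromOrigin, and the domains bank.example and bank-login.example are constructed for the illustration. Two independent checks defeat the relay: the key holds no credential for the proxy's domain, so it refuses to sign at all, and if a signature did exist the real site would see the wrong origin inside the signed data and reject it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// clientData mirrors the WebAuthn clientDataJSON fields that matter here. The
// browser, not the web page, fills in the origin it is actually talking to.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator is a constructed model of a security key: one key pair per
// relying-party ID, never reused across sites.
type Authenticator struct {
	creds map[string]*ecdsa.PrivateKey // rpID -> credential private key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
}

// Register mints a credential scoped to rpID and returns the public key the
// site stores for this user.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = key
	return &key.PublicKey, nil
}

// rpIDFromOrigin stands in for the browser deriving the relying-party ID from
// the page origin (simplified here to the full host name).
func rpIDFromOrigin(origin string) (string, error) {
	u, err := url.Parse(origin)
	if err != nil || u.Hostname() == "" {
		return "", errors.New("bad origin")
	}
	return u.Hostname(), nil
}

// Assert is what the browser asks the key to do at login. The origin comes
// from the address bar, so a look-alike domain cannot claim to be the real site.
func (a *Authenticator) Assert(origin, challenge string) (cdJSON, sig []byte, err error) {
	rpID, err := rpIDFromOrigin(origin)
	if err != nil {
		return nil, nil, err
	}
	key, ok := a.creds[rpID]
	if !ok {
		// First defence: no credential exists for the proxy's domain.
		return nil, nil, fmt.Errorf("no credential registered for %q", rpID)
	}
	cdJSON, err = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(cdJSON)
	sig, err = ecdsa.SignASN1(rand.Reader, key, digest[:])
	return cdJSON, sig, err
}

// RelyingParty is the real site: it knows its own origin and the user's key.
type RelyingParty struct {
	Origin string
	Pub    *ecdsa.PublicKey
}

// Verify checks challenge, origin (second defence: a relayed assertion names
// the proxy's origin) and the signature over the client data.
func (rp *RelyingParty) Verify(challenge string, cdJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("challenge mismatch or wrong ceremony type")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: assertion was made for %s", cd.Origin)
	}
	digest := sha256.Sum256(cdJSON)
	if !ecdsa.VerifyASN1(rp.Pub, digest[:], sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	key := NewAuthenticator()
	pub, _ := key.Register("bank.example")
	bank := &RelyingParty{Origin: "https://bank.example", Pub: pub}

	cd, sig, _ := key.Assert("https://bank.example", "nonce-1") // genuine login
	fmt.Println("genuine:", bank.Verify("nonce-1", cd, sig))   // <nil>

	_, _, err := key.Assert("https://bank-login.example", "nonce-2") // via proxy
	fmt.Println("via proxy:", err)                                    // refused
}
```

Contrast this with an SMS or app code: the code is a bare number that says nothing about where it was typed, so the proxy can forward it unchanged and the real site cannot tell the difference.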
The Bottom Line
Two-factor authentication remains a critical tool for securing online accounts, but it is no longer infallible in the face of increasingly advanced attacks such as those leveraging Evilginx. Vigilance, strong security practices, and the adoption of phishing-resistant authentication methods are now essential. Protecting digital data is no longer just about passwords—it’s a strategic game where every click matters.