The Muraena reverse proxy combines with a Docker-based tool called Necrobrowser for automating headless Chromium instances. Using Muraena, which is written in Go, attackers can configure their domain for a legitimate Let’s Encrypt certificate. A web works as a reverse proxy and pulls regular 2FA resources from a legitimate site. The end result is that a user can visit a phishing site with a real certificate and enter their 2FA code with no warnings. The site will then save the session cookie and can pass it onto Necrobrowser, which can open thousands of Chromium instances to perform tasks like logging in and screenshotting emails, performing password resets or setting up mail forwarding. The Necrobrowser instances can even be used to phish social media contacts.
Old Techniques, New Usability
In general, the concept here is the same attackers have been using for many years. However, the efforts of Bettercap’s Giuseppe Trotta and BeEF’s Michele Orru to create Muraena and Necrobrowser mean you don’t need advanced technical knowledge. They should also better prevent browsers from detecting the attacks. Many users believe they could spot a phishing attack if they saw it, but these tools show that they can be extremely convincing. 2FA clearly isn’t a catch-all for security, though USB hardware tokens can help a lot in that regard. Without specialized hardware, users can protect their Google account with Password Alert, which detects fake Gmail login pages and tells users if they’ve entered their details on a non-official site.