Man In The Middle Phishing Attacks That Can Bypass OTP – Arkose Labs

September, 15, 20224 min Read

Man In The Middle Phishing Attacks That Can Bypass OTP

According to the FBI Internet Crime Report 2021, phishing was the fastest growing type of internet crime from 2019 to 2021, and bad actors continue to evolve their phishing attack techniques. The latest phishing attack, EvilProxy, allows even inexperienced criminals to use reverse proxy and cookie-injection methods to provide a way around two factor authenticated (2FA) sessions on a large scale.

What is a phishing attack?

Phishing is the practice of attackers sending malicious emails meant to lead users to fall for a scam. Phishing attacks attempt to trick users into clicking on web links that will download malware or redirect to a malicious website with the intent of gathering private information such as login credentials, multifactor authentication (MFA) tokens, and financial information. 

Phishing emails and phony websites frequently appear to be from well-known people or organizations, such as the victim's bank, place of employment, or institution. Attackers try to gather sensitive data from these websites, such as payment information or usernames and passwords.

Source: FBI Internet Crime Report 2021
Source: FBI Internet Crime Report 2021

What is a phishing kit?

Phishing attack methods eventually evolved to using pre-packed phishing kits. Phishing kits contain all the infrastructure needed for a phishing campaign, including:

  • Automated tools
  • Scripts
  • Templates for creating fake emails and websites
  • A web server
  • Storage used to collect credentials

The attackers also register dozens of domains to avoid being detected by WAF-deny lists and spam filters.

The latest evolution of phishing kits is the Man-in-the-Middle (MITM) toolkit where toolkits act as malicious reverse proxy servers of online services, mirroring target website contents to users while extracting credentials like MFA tokens and session cookies in transit. The MITM phishing kits also automate the harvesting of two-factor authenticated (2FA) sessions.

Screencapture of a video where Kevin & Brett discuss EvilProxy
CEO & Founder Kevin Gosschalk and Chief Criminal Officer Brett Johnson discuss EvilProxy attacks.


Some of the most widely used MITM phishing toolkits are Evilginx and Modlishka. EvilProxy is the most recent and uses the same “reverse-proxy” approach to lure victims to phishing sites and then sniff out the traffic to extract credentials and MFA tokens. 


Caffeine is another phishing-as-a-service (PhaaS) platform that streamlines the process of carrying out phishing attacks. Caffeine's advanced phishing features include tools for customizing dynamic URL schemas to aid in dynamically generating pages with victim-specific information, first-stage campaign redirect pages, final lure pages, and IP blocking options for geo-blocking. Attackers register for an account that provides immediate access to the "Store," where they can find phishing campaign creation tools and an overview dashboard, and also purchase a subscription license.

Anatomy of a phishing attack

Visual image of the anatomy of a phishing attack

However, this approach breaks down when the site employs security measures that cannot be proxied, require user interaction, and are difficult to automate. The adaptive challenge response offered by Arkose Labs as part of the Arkose Protect™ solution is one such solution that cannot be automated by the MITM reverse proxies.

Phishing protection from Arkose Protect

Arkose Protect combines highly-transparent detection with targeted attack response to catch fraud early in the customer journey, without impacting good users. The solution is configured on the website's login and registration workflows prior to the MFA step. The login or the registration workflows can be completed provided the web server receives the token issued by the Arkose Platform on successful completion of the detection and adaptive challenge response process. 

Arkose Protect’s new phishing detection not only protects from man-in-the-middle attacks by requiring our token to be present, but also in some cases alert the end consumer about the phishing attack.

Phishing Attack without Arkose Protect

Diagram depicting a reverse proxy phishing attack without Arkose Protect

Phishing Attack With Arkose Protect

Diagram depicting a reverse proxy phishing attack with Arkose Protect


The unique position of the Arkose Protect solution in the website's login/registration workflow, combined with its advanced phishing detection and challenge capabilities, makes it a potent defense mechanism against reverse-proxy-based MITM phishing attacks.

About Arkose Labs

Arkose Labs is the global leader in bot management and online account protection, which is why the world’s leading companies choose to partner with the firm to beat the adversary. Its mission is to create an online environment where all consumers are protected from malicious activity. And its foundational technology ensures it accomplishes the mission. Its AI-based platform combines powerful risk assessments with dynamic attack response that significantly increases the adversary’s effort to attack, which ultimately undermines the ROI behind those attacks. When financially-motivated attackers cannot make enough money attacking a company, they move on to less protected targets. 

The company offers the world’s first and only $1 million credential stuffing warranty. Headquartered in San Mateo, CA with offices in Brisbane and Sydney, Australia, San Jose, Costa Rica, and London, UK, Arkose Labs debuted as the 83rd fastest-growing company in North America on the 2021 Deloitte Fast500 ranking.