Why SMS Codes Are the New ‘12345’: How Your Two-Factor Authentication Is Just Pretending to Protect You
Despite the widespread adoption of multi-factor authentication (MFA), cybercriminals have learned to bypass it using increasingly sophisticated methods. One of the most effective is the Adversary-in-the-Middle (AiTM) attack, which is often carried out through reverse proxy servers. These attacks allow hackers to intercept not only usernames and passwords but also session cookies, giving them access to protected accounts even when MFA is enabled.
The popularity of this method is fueled by its convenience. Thanks to Phishing-as-a-Service (PhaaS) toolkits like Tycoon 2FA, Evilproxy, Rockstar 2FA, and others, even non-experts can launch such campaigns. The developers of these kits constantly update them, adding features to bypass security mechanisms, disguise traffic, and collect additional data. For example, these tools may restrict access to phishing pages to only those with the exact link, use IP address and User-Agent filtering, implement dynamically obfuscated JavaScript, and delay link activation to evade email service protections.
Phishing proxies work as follows: a user clicks a link, enters their username and password, and then confirms MFA. All of this happens on the real website—just through the attacker’s proxy server. After successful authentication, the site issues a session cookie, which the attacker intercepts. With this cookie, the hacker gains full access to the account. Some attackers immediately add their own MFA device to the victim’s profile to maintain access even after the current session ends.
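The sequence above leaves traces on the identity provider's side: the session cookie was issued to one browser and network at the moment MFA completed, and is then presented from another, often followed by a new MFA method being enrolled. The following detector is an added illustration, not code from the article: it runs over a constructed audit trail (the event names, fields and IP addresses are all invented) and flags those two patterns.

```python
from datetime import datetime, timedelta

# Constructed sample audit events for one user (not real logs). Session S1 is
# issued at MFA completion to one IP/browser, then presented from a different
# IP and browser, after which a new MFA method is enrolled. S2 is a normal session.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "type": "mfa_ok",       "sid": "S1", "ip": "203.0.113.10", "ua": "Firefox/125"},
    {"ts": "2024-05-01T09:02:00", "type": "session_use",  "sid": "S1", "ip": "203.0.113.10", "ua": "Firefox/125"},
    {"ts": "2024-05-01T09:03:30", "type": "session_use",  "sid": "S1", "ip": "198.51.100.7", "ua": "Chrome/124"},
    {"ts": "2024-05-01T09:05:00", "type": "mfa_enrolled", "sid": "S1", "ip": "198.51.100.7", "ua": "Chrome/124"},
    {"ts": "2024-05-01T10:00:00", "type": "mfa_ok",       "sid": "S2", "ip": "192.0.2.44",   "ua": "Safari/17"},
    {"ts": "2024-05-01T10:10:00", "type": "session_use",  "sid": "S2", "ip": "192.0.2.44",   "ua": "Safari/17"},
]

# Enrolling a new MFA method this soon after sign-in is worth a second look.
ENROLL_WINDOW = timedelta(minutes=30)


def _t(s):
    return datetime.fromisoformat(s)


def find_session_anomalies(events):
    """Return a list of (session_id, reason) findings.

    For every session we remember the IP and User-Agent seen when MFA
    completed. Later uses of the same session cookie from a different IP
    *and* a different browser are reported as probable cookie replay, and
    any MFA enrollment from such a location, or shortly after sign-in, is
    reported as a persistence attempt.
    """
    origin = {}    # sid -> (ip, ua) recorded at MFA completion
    mfa_time = {}  # sid -> datetime of MFA completion
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        sid = e["sid"]
        if e["type"] == "mfa_ok":
            origin[sid] = (e["ip"], e["ua"])
            mfa_time[sid] = _t(e["ts"])
            continue
        if sid not in origin:
            findings.append((sid, "session used without a recorded MFA completion"))
            continue
        ip0, ua0 = origin[sid]
        # Require both to differ: a phone changing networks keeps its browser.
        moved = e["ip"] != ip0 and e["ua"] != ua0
        if e["type"] == "session_use" and moved:
            findings.append((sid, f"cookie replayed from {e['ip']} / {e['ua']}; issued to {ip0} / {ua0}"))
        if e["type"] == "mfa_enrolled":
            if moved:
                findings.append((sid, "new MFA method enrolled from a different IP and browser than the login"))
            if _t(e["ts"]) - mfa_time[sid] <= ENROLL_WINDOW:
                findings.append((sid, "new MFA method enrolled shortly after sign-in"))
    return findings


if __name__ == "__main__":
    for sid, reason in find_session_anomalies(SAMPLE_EVENTS):
        print(sid, "-", reason)
```

Requiring both IP and User-Agent to change keeps ordinary roaming (a laptop moving from office to home) out of the results; a production rule would add ASN or geolocation distance and treat the findings as a trigger for session revocation and a re-authentication prompt rather than as proof.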
Hacker know-how like this was once kept within closed circles, but the growing availability of these kits means that far more people are at risk. Stay vigilant, and wherever possible prefer phishing-resistant forms of authentication, i.e. methods bound to the genuine site's origin so that a login relayed through a proxy cannot be replayed.
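Why a proxied login defeats codes but not origin-bound authentication comes down to one field. A one-time code carries nothing that says which site it was typed into, so the real site cannot tell a relayed submission from a direct one. With FIDO2/WebAuthn the browser records the origin it is actually showing inside the signed client data, and the relying party rejects any assertion whose origin is not its own. The toy below is an added illustration, not code from the article or from any WebAuthn library: it replaces the real asymmetric signature with an HMAC shared between the toy authenticator and the relying party, and the origin names are invented; everything else about the check is the real mechanism.

```python
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://login.example"  # the genuine site (constructed name)
# Any origin other than the genuine one; a relaying proxy necessarily
# presents some other hostname to the victim's browser.
OTHER_ORIGIN = "https://some-other-host.invalid"


class ToyAuthenticator:
    """Stand-in for a security key. An HMAC key plays the role of the
    per-credential private key (real WebAuthn uses an asymmetric key)."""

    def __init__(self):
        self.key = secrets.token_bytes(32)

    def sign(self, challenge, origin):
        # The browser, not the user, fills in the origin it is really on.
        client_data = json.dumps(
            {"challenge": challenge, "origin": origin}, sort_keys=True
        ).encode()
        sig = hmac.new(self.key, client_data, hashlib.sha256).digest()
        return client_data, sig


class RelyingParty:
    def __init__(self, credential_key):
        self.key = credential_key
        self.origin = RP_ORIGIN

    def new_challenge(self):
        return secrets.token_hex(16)

    def verify(self, challenge, client_data, sig):
        data = json.loads(client_data)
        if data["challenge"] != challenge:
            return False          # replayed or stale assertion
        if data["origin"] != self.origin:
            return False          # signed for some other site: reject
        expected = hmac.new(self.key, client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


def assertion_accepted(browser_origin):
    """Run one login where the browser sits on `browser_origin`; return
    whether the relying party accepts the resulting assertion."""
    auth = ToyAuthenticator()
    rp = RelyingParty(auth.key)
    challenge = rp.new_challenge()
    client_data, sig = auth.sign(challenge, browser_origin)
    return rp.verify(challenge, client_data, sig)


def otp_accepted(code, submitted_from_origin):
    """Contrast: OTP verification has no origin input at all, so the
    submitting site is irrelevant. Constructed check, not a real OTP library."""
    expected = code
    return hmac.compare_digest(expected, code)  # `submitted_from_origin` unused


if __name__ == "__main__":
    print("direct WebAuthn login:", assertion_accepted(RP_ORIGIN))      # True
    print("proxied WebAuthn login:", assertion_accepted(OTHER_ORIGIN))  # False
    print("proxied OTP login:", otp_accepted("123456", OTHER_ORIGIN))  # True
```

The challenge check stops replay of a captured assertion; the origin check is what stops a live relay, because the proxy cannot make the victim's browser claim to be on the genuine origin. That is the property the phrase "phishing-resistant" refers to, and it is absent from any code the user types by hand.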