Browser-in-the-Middle (BiTM) Attack: A New Way to Bypass MFA


Browser-in-the-Middle (BiTM) is an advanced phishing technique that bypasses Multi-Factor Authentication (MFA) by tricking victims into logging into a legitimate service on an attacker-controlled browser. Here’s how it works:

Step-by-Step Breakdown of BiTM Attack

1. Attacker Sets Up a noVNC Server

  • The attacker deploys noVNC, a browser-based VNC client, allowing remote access without requiring a local VNC client.
  • The server runs a browser in kiosk mode, hiding the underlying OS and displaying only the login page (e.g., Microsoft 365, Gmail).

2. Victim Receives a Malicious Link

  • The attacker sends a phishing email/SMS with a noVNC link.
  • When clicked, the victim connects to the attacker’s server, seeing what appears to be a legitimate login page.

3. Victim Enters Credentials & MFA

  • The victim logs in, providing both credentials and MFA tokens.
  • Because the login actually takes place in a browser running on the attacker's machine, the resulting authenticated session (and its cookies) belongs to the attacker, who gains full access.

4. Attacker Hijacks the Session

  • The attacker now controls the authenticated session, bypassing MFA entirely.

You Should Know: How to Detect & Mitigate BiTM Attacks

Detection Techniques

1. Check Browser Metadata

  • Use browser developer tools (F12) to verify the origin of the page.
  • Look for unusual domains in the URL bar.

2. Monitor Network Traffic

  • Use Wireshark or tcpdump to detect unexpected VNC traffic (5900 is the default VNC port, 6080 the usual noVNC/websockify port):
    tcpdump -i eth0 'port 5900 or port 6080' -v

3. Inspect Browser Processes

  • On Linux, check running processes for noVNC (the bracket keeps grep from matching its own command line):
    ps aux | grep -i '[n]ovnc'
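The tcpdump filter above matches on port alone, which misses VNC served on a non-standard port and flags unrelated traffic on 6080. The following is an added example (not from the original post) of the two stronger indicators a network detection would key on: the RFB protocol banner that every VNC server sends first ("RFB 003.008\n"), and the HTTP WebSocket upgrade to the websockify endpoint that noVNC uses. The sample flows, the /websockify path and the port ranges are constructed assumptions for the demo.

```python
import re

# Constructed sample flows: (src, dst, dst_port, first bytes seen on the connection).
SAMPLE_FLOWS = [
    ("10.0.0.15", "192.0.2.50", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc"),  # ordinary TLS ClientHello
    ("10.0.0.15", "192.0.2.50", 6080,                                           # noVNC client opening websockify
     b"GET /websockify HTTP/1.1\r\nHost: 192.0.2.50:6080\r\nUpgrade: websocket\r\n"
     b"Sec-WebSocket-Protocol: binary\r\n\r\n"),
    ("10.0.0.22", "192.0.2.51", 5901, b"RFB 003.008\n"),                        # plain VNC, default port range
    ("10.0.0.22", "192.0.2.52", 8443, b"RFB 003.008\n"),                        # VNC hidden on an HTTPS-looking port
    ("10.0.0.30", "192.0.2.53", 6080, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),    # port 6080 but no VNC evidence
]

# RFB ProtocolVersion message: "RFB xxx.yyy\n", 12 bytes, sent by the server before anything else.
RFB_BANNER = re.compile(rb"^RFB \d{3}\.\d{3}\n")
# Assumed watch-list: default VNC display ports plus the conventional noVNC port.
VNC_PORTS = set(range(5900, 6000)) | {6080}


def vnc_indicators(dst_port, payload):
    """Return the list of VNC/noVNC indicators present in one flow (empty if none)."""
    reasons = []
    lowered = payload.lower()
    if RFB_BANNER.match(payload):
        reasons.append("rfb-banner")
    if b"upgrade: websocket" in lowered and b"/websockify" in lowered:
        reasons.append("websockify-upgrade")
    if dst_port in VNC_PORTS:
        reasons.append(f"vnc-port:{dst_port}")
    return reasons


def find_vnc_flows(flows):
    """Classify flows; protocol evidence is 'high' confidence, a port match alone is 'low'."""
    hits = []
    for src, dst, port, payload in flows:
        reasons = vnc_indicators(port, payload)
        if not reasons:
            continue
        confidence = "high" if any(not r.startswith("vnc-port") for r in reasons) else "low"
        hits.append({"src": src, "dst": dst, "port": port, "reasons": reasons, "confidence": confidence})
    return hits


if __name__ == "__main__":
    for hit in find_vnc_flows(SAMPLE_FLOWS):
        print(f"{hit['confidence']:4} {hit['src']} -> {hit['dst']}:{hit['port']} {hit['reasons']}")
```

Run against a packet capture or Zeek-style connection records, the banner and websockify checks are what separate a real VNC session from ordinary traffic that happens to use port 6080; the fourth sample flow shows why a port-only filter is not enough.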

Mitigation Strategies

1. Use FIDO2/Passkeys

  • FIDO2 (e.g., YubiKey) prevents BiTM by requiring physical device interaction: the WebAuthn ceremony runs in the attacker's remote browser, which cannot reach the security key plugged into the victim's own machine, so the login cannot complete.

2. Enforce Strict URL Policies

  • Block known phishing domains using Pi-hole or enterprise firewalls:
    pihole -b malicious-domain.com
    

3. Educate Users on Suspicious Links

  • Train users to verify URLs before clicking.

4. Implement Zero Trust Architecture

  • Use BeyondCorp or Cloudflare Access to enforce device trust before granting access.

5. Monitor for Unusual Logins

  • Use SIEM tools (Splunk, ELK) to detect anomalous logins. A quick local check on a Linux host (sshd logs "Failed password", so match case-insensitively):
    grep -iE "failed (login|password)" /var/log/auth.log
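In a BiTM attack the victim completes MFA successfully on the attacker's behalf, so there is no failed login to grep for; what the SIEM has to catch is a *successful* MFA sign-in from a source the user has never used, often within minutes of the user's real session from a known network. The block below is an added example, not code from the original post: it runs that rule over constructed identity-provider sign-in records against a constructed per-user baseline. The field names (ts, user, ip, ua, mfa) and the 15-minute window are assumptions for the demo.

```python
from datetime import datetime, timedelta

# Constructed sign-in records, in the shape a SIEM might normalise an IdP audit log into.
SIGNIN_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "ip": "203.0.113.10",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0", "mfa": "success"},
    # Seven minutes later "alice" also signs in from a Linux browser on an unfamiliar network:
    # the shape of a session established through an attacker-hosted kiosk browser.
    {"ts": "2024-05-01T09:07:00", "user": "alice", "ip": "198.51.100.77",
     "ua": "Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0", "mfa": "success"},
    {"ts": "2024-05-01T10:00:00", "user": "bob", "ip": "203.0.113.22",
     "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) Safari/17.4", "mfa": "success"},
    {"ts": "2024-05-01T10:05:00", "user": "bob", "ip": "203.0.113.22",
     "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) Safari/17.4", "mfa": "failure"},
]

# Constructed per-user baselines: IPs and user agents seen over the previous 30 days.
BASELINE = {
    "alice": {"ips": {"203.0.113.10"},
              "uas": {"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"}},
    "bob": {"ips": {"203.0.113.22"},
            "uas": {"Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) Safari/17.4"}},
}


def flag_suspicious_signins(events, baseline, window=timedelta(minutes=15)):
    """Return successful MFA sign-ins that deviate from the user's baseline.

    Only successful sign-ins are examined; a sign-in from an unknown IP or user agent
    is flagged, and flagged further if a session from a known network exists within
    `window`, which is the footprint of a victim logging in for an attacker.
    """
    successes = [e for e in events if e["mfa"] == "success"]
    flagged = []
    for e in successes:
        known = baseline.get(e["user"], {"ips": set(), "uas": set()})
        reasons = []
        if e["ip"] not in known["ips"]:
            reasons.append("new-source-ip")
        if e["ua"] not in known["uas"]:
            reasons.append("new-user-agent")
        if not reasons:
            continue
        t = datetime.fromisoformat(e["ts"])
        for other in successes:
            if other is e or other["user"] != e["user"] or other["ip"] not in known["ips"]:
                continue
            if abs(datetime.fromisoformat(other["ts"]) - t) <= window:
                reasons.append("concurrent-with-known-network-session")
                break
        flagged.append({"user": e["user"], "ip": e["ip"], "ts": e["ts"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_suspicious_signins(SIGNIN_EVENTS, BASELINE):
        print(f"{hit['ts']} {hit['user']} from {hit['ip']}: {', '.join(hit['reasons'])}")
```

The same logic maps directly onto a Splunk or ELK query over the IdP's sign-in index: filter on successful MFA, compare the source IP and user agent against a lookup of the user's recent history, and correlate with other sessions for that user inside a short time window. The follow-up action for a hit is to revoke that session's refresh tokens, not just the password.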

What Undercode Says

BiTM attacks highlight the evolving sophistication of phishing techniques. While traditional MFA can be bypassed, FIDO2 remains resilient. Organizations must:
– Adopt phishing-resistant MFA (e.g., YubiKey, Windows Hello).
– Monitor for VNC traffic on corporate networks.
– Train employees to recognize social engineering tactics.


Reported By: Jrebholz Oh – Hackers Feeds