Cybercriminals are increasingly defeating conventional login protections, driving a surge in account takeover (ATO) incidents that exploit weaknesses in standard authentication workflows. As detailed in a recent BleepingComputer report, the core problem lies in the fundamental design of traditional "point-in-time" security checks — once a user passes initial authentication, most systems implicitly trust the session that follows.

Three Attack Vectors Driving the Surge

According to the report, attackers have refined three primary methods to compromise user accounts at scale.

Sophisticated phishing with real-time proxies is among the most effective. Rather than simply harvesting static credentials, modern phishing kits sit between the victim and the legitimate service in real time, relaying authentication prompts and capturing session tokens as they are generated. This renders even one-time MFA codes useless, since the attacker consumes them instantly.

Session cookie theft represents a second major vector. Once an attacker obtains a valid session token — through malware, browser vulnerabilities, or intercepted traffic — they can impersonate a legitimate user without ever confronting the authentication gateway again. Traditional security tools that focus on login events are largely blind to this technique.

MFA fatigue attacks, sometimes called MFA bombing, involve flooding a victim with repeated multi-factor authentication prompts until they approve one out of frustration or confusion. This social engineering approach has proven effective against organisations relying on push-notification-based second factors.

The Shift Toward Continuous Verification

The report highlights a growing consensus among security professionals: organisations need to move beyond one-time authentication checks and adopt models of continuous verification and device trust.

Under this approach, risk is dynamically assessed throughout an active session — not just at the point of login. Factors such as device health, user behaviour patterns, geolocation, and network context are continuously evaluated. If a session suddenly exhibits anomalous characteristics — a change in device fingerprint, an unexpected geographic jump, or unusual interaction patterns — the system can step up authentication or terminate the session automatically.
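The in-session risk assessment described above, as an added illustration that is not code from the report or from any vendor product: it binds the session to a coarse device fingerprint taken at login, flags impossible travel between consecutive events, and flags an abnormal request rate, returning an allow, step-up or terminate decision for each event. The Event schema, fingerprint attributes, thresholds and sample events are constructed assumptions.

```python
import hashlib
import math
from dataclasses import dataclass

MAX_SPEED_KMH = 900.0    # assumed threshold: faster than this => impossible travel
MAX_REQ_PER_MIN = 120    # assumed threshold: above this => unusual interaction pattern

@dataclass
class Event:                 # one in-session observation (constructed schema)
    t: float                 # seconds since login
    user_agent: str
    accept_language: str
    lat: float               # geolocation of the client IP
    lon: float
    requests_last_min: int

def device_fingerprint(ev: Event) -> str:
    # Coarse client fingerprint bound at login; a cookie replayed from another
    # browser will not reproduce it (illustrative attributes only).
    return hashlib.sha256(f"{ev.user_agent}|{ev.accept_language}".encode()).hexdigest()[:16]

def haversine_km(lat1, lon1, lat2, lon2) -> float:
    p1, p2, dl = math.radians(lat1), math.radians(lat2), math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def assess(prev: Event, cur: Event, login_fp: str) -> str:
    """Decide 'allow', 'step_up' or 'terminate' for one in-session event."""
    if device_fingerprint(cur) != login_fp:          # token used from another device
        return "terminate"
    hours = max((cur.t - prev.t) / 3600.0, 1e-6)
    if haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours > MAX_SPEED_KMH:
        return "step_up"                              # impossible travel since last event
    if cur.requests_last_min > MAX_REQ_PER_MIN:
        return "step_up"                              # interaction rate out of range
    return "allow"

def evaluate_session(events):   # ordered event stream; stops once the session is killed
    login_fp, prev, decisions = device_fingerprint(events[0]), events[0], []
    for cur in events[1:]:
        decisions.append(assess(prev, cur, login_fp))
        if decisions[-1] == "terminate":
            break
        prev = cur
    return decisions

# Constructed sample: login in London, normal use, New York ten minutes later, then replay from curl.
UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
SAMPLE_EVENTS = [Event(0, UA, "en-GB", 51.5, -0.12, 12), Event(300, UA, "en-GB", 51.5, -0.12, 20),
                 Event(900, UA, "en-GB", 40.7, -74.0, 15), Event(1200, "curl/8.5.0", "*", 40.7, -74.0, 300)]
```

Running `evaluate_session(SAMPLE_EVENTS)` yields `["allow", "step_up", "terminate"]`: the second event is normal, the third trips impossible travel and would trigger a step-up challenge, and the fourth fails the device binding so the session is ended.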

This philosophy aligns closely with zero-trust security principles, where no user, device, or session is trusted by default regardless of its origin. Rather than a binary authenticated-or-not decision at login, access becomes a fluid, context-sensitive judgement that persists for the duration of the session.

Why This Matters for IT Professionals

For organisations managing identity and access infrastructure, the implications are significant. Legacy authentication architectures — even those augmented with traditional MFA — were not designed to counter session hijacking or real-time proxy attacks. Retrofitting continuous verification into existing environments requires investment in endpoint detection, behavioural analytics, and policy engines capable of real-time risk scoring.

The shift also demands cultural change. Security teams accustomed to treating a successful MFA challenge as a reliable signal of legitimacy must recalibrate their assumptions. As the BleepingComputer report makes clear, the attackers have already moved past those assumptions — and defenders need to catch up.

The rising sophistication of ATO attacks underscores a broader reality in modern cybersecurity: authentication is no longer a single event but an ongoing process, and organisations that recognise this distinction first will be best positioned to protect their users and systems.
