When it comes to cyber security, the most common and effective technique cyber criminals use is social engineering. Many imagine a nation-state hacker or a person in a hoodie sitting in a dark room using complex mathematics or technology like magic to commit cyber crimes. The truth, however, is that cyber criminals who use social engineering are more like con artists than hackers.
When covering cyber security, the media uses the terms “hacker” and “cyber criminal” interchangeably. A hacker is usually a cyber criminal, but not all cyber criminals are hackers. Sometimes a hacker will use social engineering in addition to technology to commit a crime, but for the purposes of this article we will use the terms like this:
Hacker = Math/Technology
Cyber Criminal = Psychology/Social Engineering
Multi-factor authentication (MFA or 2FA) is one of our best tools for defending against hackers. Passwords alone can be straightforward for hackers to break, but MFA provides an essential layer of protection against breaches. However, it’s important to remember that MFA isn’t foolproof. Hackers can bypass MFA, and they often do.
If a password is compromised, several options are available to hackers looking to circumvent the added protection of MFA. We’ll look at four social engineering tactics hackers use to breach MFA and emphasize the importance of having a strong password as part of a layered defense.
Adversary-in-the-Middle (AITM) Attacks
A spear-phishing email may arrive in an employee’s inbox, posing as a message from a trusted source: your boss, a company you (or your organization) does business with, your bank, or another financial institution. Clicking the link in the email takes you to a website that looks like the one you expect to see, where the attackers collect your login credentials.
While MFA should prevent these attacks by requiring an additional authentication factor, attackers can employ a technique known as ‘2FA pass-on.’ Once the victim enters their credentials on the fake site, the attacker promptly enters the same details on the legitimate site. This triggers a genuine MFA request, which the victim anticipates and readily approves, unwittingly granting the attacker complete access.
Cyber criminal groups, like Storm-1167, often create fake pages that resemble Microsoft login pages. They use these pages to trick people into giving away their login credentials. Once they have acquired the login information, they use a fake Multi-Factor Authentication (MFA) process that appears to be from Microsoft. The victim is then asked to enter their MFA code, which the attacker then captures to access the victim’s genuine account. Once they have access, the attacker can cause significant damage.
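The relay described above works because a password and a one-time code are not tied to the site the user is actually looking at. Phishing-resistant MFA (FIDO2/WebAuthn security keys and passkeys) closes that gap by binding each login to the site’s origin. The script below is an added example, not code from the original article or from any vendor: it models the WebAuthn login ceremony with a hypothetical relying party at login.corp.example and a constructed proxy origin, and uses HMAC-SHA256 with a per-credential secret as a stand-in for the authenticator’s real asymmetric signature so that it runs with only the Python standard library. It shows why the browser on the proxy’s page refuses to produce an assertion at all, and why a replayed or origin-rewritten assertion is rejected by the relying party.

```python
import hashlib
import hmac
import json
import os
import secrets

# Added example (assumptions): hypothetical domains; HMAC stands in for the
# authenticator's asymmetric signature so only the standard library is needed.
RP_ID = "login.corp.example"
RP_ORIGIN = "https://login.corp.example"
PHISH_ORIGIN = "https://login.corp.example.attacker.test"  # constructed AiTM proxy origin


def _host_of(origin):
    return origin.split("://", 1)[1].split("/", 1)[0]


class Authenticator:
    """Stand-in for a security key: one secret per relying party it is registered with."""

    def __init__(self):
        self._secrets = {}

    def register(self, rp_id):
        self._secrets[rp_id] = os.urandom(32)
        return self._secrets[rp_id]  # a real authenticator returns a public key instead

    def sign(self, rp_id, client_data):
        # Real WebAuthn signs authenticatorData || SHA-256(clientDataJSON); the
        # authenticatorData starts with SHA-256(rpId).
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        signed = rp_id_hash + hashlib.sha256(client_data).digest()
        return rp_id_hash, hmac.new(self._secrets[rp_id], signed, hashlib.sha256).digest()


def browser_get_assertion(authn, page_origin, rp_id, challenge):
    """Model of navigator.credentials.get(): the browser, not the page, writes the
    origin into clientData and refuses unless rp_id is the page's host or a
    registrable suffix of it. A proxy on another domain therefore gets nothing."""
    host = _host_of(page_origin)
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rpId {rp_id!r} not valid for origin {page_origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True).encode()
    rp_id_hash, sig = authn.sign(rp_id, client_data)
    return {"clientData": client_data, "rpIdHash": rp_id_hash, "signature": sig}


def rp_verify(secret, expected_challenge, assertion):
    """Relying-party checks: ceremony type, fresh challenge, expected origin,
    rpId hash, and finally the signature. Returns (ok, reason)."""
    cd = json.loads(assertion["clientData"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch (replay or stale)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if assertion["rpIdHash"] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["rpIdHash"] + hashlib.sha256(assertion["clientData"]).digest()
    expected = hmac.new(secret, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def run_scenarios():
    """Legitimate login, AiTM proxy page, replayed assertion, rewritten origin."""
    authn = Authenticator()
    secret = authn.register(RP_ID)
    results = {}
    challenge = secrets.token_urlsafe(32)  # issued by the real site per login
    assertion = browser_get_assertion(authn, RP_ORIGIN, RP_ID, challenge)
    results["legitimate"] = rp_verify(secret, challenge, assertion)
    # The user is on the proxy's origin, so the browser will not run the ceremony.
    try:
        browser_get_assertion(authn, PHISH_ORIGIN, RP_ID, secrets.token_urlsafe(32))
        results["aitm_proxy"] = (True, "browser produced assertion")
    except PermissionError as e:
        results["aitm_proxy"] = (False, str(e))
    # A captured assertion is useless against the next login's challenge.
    results["replay"] = rp_verify(secret, secrets.token_urlsafe(32), assertion)
    # Rewriting the origin field is caught by the origin check (and would also
    # break the signature, which covers clientData).
    cd = json.loads(assertion["clientData"])
    cd["origin"] = PHISH_ORIGIN
    tampered = dict(assertion, clientData=json.dumps(cd, sort_keys=True).encode())
    results["rewritten_origin"] = rp_verify(secret, challenge, tampered)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:17s} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The point to take from the script is that the user never has to notice anything: the browser’s rpId rule and the relying party’s origin and challenge checks do the work that a human is expected to do in the password-plus-code flow. Keep in mind this is a deliberately reduced model; a real deployment uses the platform’s WebAuthn library rather than hand-rolled checks.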
MFA Prompt Bombing
This technique is called “MFA prompt bombing,” and it’s a dangerous tactic that takes advantage of the push notification feature in modern authentication apps. Attackers who already have a compromised password (either from hacking or from purchasing it from another hacker) attempt to log in, which triggers an MFA prompt to be sent to the legitimate user’s device. Criminals rely on the user either mistaking it for a genuine prompt and accepting it, or becoming frustrated with continuous prompts and accepting one to stop the notifications. This poses a significant threat, and users should be aware of the risks.
The 0ktapus group hacked into an Uber contractor’s account by tricking them with a text message. Then, they continued the login process from their own machine and quickly asked for a multi-factor authentication code. After that, they pretended to be a member of Uber’s security team on Slack and convinced the contractor to approve the MFA push notification on their mobile phone.
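A burst of push prompts that the user denies or lets time out, followed by an approval, is the signature of the pattern described in this section and is visible in any identity provider’s authentication log. The detector below is an added example rather than code from the article or from any IdP; it runs over a constructed log sample in an assumed one-line-per-event format (`<timestamp> user=<name> event=push.<result> ip=<addr>`), so the field names and the 10-minute / 3-prompt thresholds are assumptions to adjust for your own logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real identity provider). Format assumed:
# <ISO-8601 UTC timestamp> user=<name> event=push.<result> ip=<address>
SAMPLE_LOG = """\
2024-05-01T02:14:03Z user=alice event=push.denied ip=203.0.113.7
2024-05-01T02:14:41Z user=alice event=push.timeout ip=203.0.113.7
2024-05-01T02:15:20Z user=alice event=push.denied ip=203.0.113.7
2024-05-01T02:16:05Z user=alice event=push.denied ip=203.0.113.7
2024-05-01T02:17:30Z user=alice event=push.approved ip=203.0.113.7
2024-05-01T08:02:11Z user=bob event=push.approved ip=198.51.100.20
2024-05-01T09:30:00Z user=carol event=push.denied ip=198.51.100.21
2024-05-01T09:30:45Z user=carol event=push.approved ip=198.51.100.21
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=push\.(?P<result>\w+) ip=(?P<ip>\S+)$")


def parse(log_text):
    """Return (timestamp, user, result, ip) tuples; lines that don't match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["result"], m["ip"]))
    return events


def detect_prompt_bombing(events, window=timedelta(minutes=10), threshold=3):
    """Flag each approval that was preceded, within `window`, by at least
    `threshold` prompts the user did not approve (denied or timed out).
    Thresholds are assumptions; tune them to your environment's baseline."""
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        for i, (ts, _, result, ip) in enumerate(evs):
            if result != "approved":
                continue
            prior = [e for e in evs[:i]
                     if ts - e[0] <= window and e[2] != "approved"]
            if len(prior) >= threshold:
                alerts.append({
                    "user": user,
                    "approved_at": ts.isoformat(),
                    "prior_unapproved_prompts": len(prior),
                    "source_ip": ip,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_prompt_bombing(parse(SAMPLE_LOG)):
        print("possible MFA fatigue approval:", alert)
```

On the sample, only alice trips the rule (four unapproved prompts in the three minutes before her approval); carol’s single denial followed by an approval is the ordinary fat-finger case and stays quiet. In practice the approval event is the one to act on, since by then the session may already be live: tie the alert to an automatic session revocation or a number-matching requirement rather than a ticket for the next morning.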
Service Desk Attacks
Attackers can deceive help desk agents into granting them access by claiming to have forgotten their passwords and using phone calls to bypass MFA. If help desk agents fail to follow proper verification procedures, they may unknowingly provide an initial entry point for hackers into their organization’s environment.
A hacker group called Scattered Spider fraudulently contacted the MGM Resorts service desk and requested a password reset. They used this to gain access and launch the infamous ransomware attack.
SIM Swapping
Cyber criminals know that Multi-Factor Authentication (MFA) often relies on cell phones for authentication. They can exploit this weakness using a technique called ‘SIM swapping.’ This technique involves deceiving the mobile service provider into transferring the target’s service to a SIM card under the attackers’ control. Once they control the SIM card, they can intercept MFA prompts and take over the target’s phone number and cell service. This unauthorized access can in turn grant them access to the target’s accounts.
In 2022, Microsoft released a report that revealed the strategies used by a threat group called LAPSUS$. The report explained that LAPSUS$ relies heavily on social engineering campaigns to access targeted organizations. One of the group’s preferred tactics is to carry out SIM-swapping attacks and use MFA prompt bombing to target users and then reset their credentials through help desk social engineering.
Thanks to Social Engineering, Password Security Still Matters – MFA Isn’t a Magic Bullet
This isn’t a complete list of ways cybercriminals bypass MFA. Several other ways include compromising endpoints, exporting generated tokens, exploiting SSO, and finding unpatched devices and software. It’s clear that setting up MFA doesn’t mean organizations can forget about securing passwords altogether.
Account compromise still often starts with weak or compromised passwords. Once an attacker obtains a valid password, they can shift their focus towards bypassing the MFA mechanism. Even a strong password can’t protect users if it’s been compromised through a breach or password reuse. And for most organizations, going fully passwordless won’t be a practical option.
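Since every tactic on this page starts from a password the attacker already holds, screening passwords against known breach corpora at the moment they are set is one of the cheaper controls. The script below is an added example, not code from the article or from Commonwealth Sentinel; it implements the k-anonymity range query used by the real Pwned Passwords service (only the first five hex characters of the password’s SHA-1 leave the client, and the service answers with every suffix under that prefix) but, to run offline, substitutes a constructed corpus for the live HTTP call, and the 12-character minimum is an assumed policy value.

```python
import hashlib

# Constructed stand-in for a breach corpus: password -> number of times seen.
# A real deployment fetches https://api.pwnedpasswords.com/range/<prefix> instead.
BREACHED_CORPUS = {
    "password123": 123456,
    "Summer2024!": 812,
    "Welcome1": 5021,
}


def hibp_range_query(password):
    """Split SHA-1(password) into the 5-hex-char prefix that is sent and the
    35-char suffix that stays on the client (the k-anonymity scheme)."""
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return sha1[:5], sha1[5:]


def offline_fetch_range(prefix):
    """Build the same '<SUFFIX>:<count>' lines the live API returns for a prefix,
    but from the constructed corpus above so the example needs no network."""
    lines = []
    for pw, count in BREACHED_CORPUS.items():
        p, s = hibp_range_query(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\n".join(lines)


def is_breached(password, fetch_range=offline_fetch_range):
    """Return how many times the password appears in the corpus (0 if never).
    Only the prefix is ever passed to fetch_range; matching happens locally."""
    prefix, suffix = hibp_range_query(password)
    for line in fetch_range(prefix).splitlines():
        s, _, count = line.partition(":")
        if s.strip().upper() == suffix:
            return int(count)
    return 0


def screen_password(password, fetch_range=offline_fetch_range, min_length=12):
    """Return the list of policy problems with a candidate password (empty = accept)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    seen = is_breached(password, fetch_range)
    if seen:
        problems.append(f"appears {seen} times in breach corpora")
    return problems


if __name__ == "__main__":
    for candidate in ("password123", "Summer2024!", "correct horse battery staple"):
        verdict = screen_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Swap `offline_fetch_range` for a function that performs the real HTTPS request (sending only the five-character prefix) and the same `screen_password` can sit behind a password-change form or a periodic audit of existing hashes; rejecting breached passwords at set time removes the starting point that the four tactics above all depend on.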
Commonwealth Sentinel can assist your organization in staying secure by implementing robust password policies, utilizing effective multi-factor authentication tools, and providing comprehensive cyber training for your entire staff. It only takes one lucky cybercriminal to cause damage, so your team must always remain vigilant. To schedule a consultation, click here or contact us at (502) 320-9885.