This is what happened to me and my daughter, and 4 Ways Hackers Use Social Engineering to Bypass Your Security

Guys, if this article is above your head, I get it. Just try to understand that today’s state of security is far beyond scary. You have to be vigilant in your pursuit to secure your laptops and smartphones.

I am a former information security professional, and all those security exploits are nothing new to me; yet, I am often shocked after reading about how persistent hackers can compromise our security stance.

I know many folks have an excuse: there is nothing to secure on my laptop or smartphone. BIG MISTAKE!

For example, this is what happened to my daughter and me.

Two days ago, I received a letter from Delta Dental (my dental insurance company) with a message that they had a security breach in June of 2023 (more than 7 months ago!). They found that my personal information was exposed, including my Social Security number, phone number, e-mail address, home address, and even my health information (beyond the dental info).

You may say, “So, what? Big deal…”

Not so fast.

About a year and a half ago, my daughter discovered that her personal information had appeared on the dark web (a hidden network used by hackers) and that her Social Security number had been used to collect unemployment benefits. She spent several months fighting it and trying to resolve the problem, mainly because at that time she was between jobs and needed the money. She contacted numerous government agencies, only to learn that:

  • Unemployment money was not the only problem she had;
  • None of the government agencies solved the problem! They were useless, making numerous promises with no tangible solution. Even worse: they continued sending money to a hacker in Texas!
  • She contacted an attorney, who located the hacker's name. Guess what? Social Security sent more money to the same hacker!
  • She had to lock her accounts at the credit agencies to prevent the hacker from opening a bank loan in her name.
  • She had trouble filing her tax return because she received a Form 1099 stating that SHE, not the hacker, had received the unemployment money.

A few days ago, my wife's friend asked for help with her laptop. Guess what was wrong? Her email had been breached nine times (according to Malwarebytes, the anti-malware company). The computer was full of junk files, unrecognizable applications, and so on.

I recall that my old Gmail account was hacked several times, too, about six months ago. Why? Only because my personal information had been exposed by other companies that were breached. I had to move my essential emails from Gmail to another provider that offers free email addresses, and I stopped using the old address for any bank accounts.

Are you beginning to understand how bad it is?

Now, let’s get back to the recommendations.

When it comes to access security, one recommendation stands out above the rest (and I hope you are already familiar with it): multi-factor authentication (MFA). Because a password alone is easy for an attacker to guess, crack, or simply steal, MFA adds an essential layer of protection against account takeover. However, it's important to remember that MFA isn't foolproof. It can be bypassed, and it often is.

If a password is compromised, hackers seeking to circumvent the added protection of MFA have several options available to them. Here, we examine four social engineering tactics that hackers successfully employ to bypass MFA, highlighting the importance of having a robust password as part of a comprehensive defense strategy.

  1. Adversary-in-the-middle (AITM) attacks

AITM attacks trick users into believing they're logging into a genuine network, application, or website when they're really handing their information to a fraudulent lookalike. This lets hackers intercept passwords and interfere with security measures, including MFA prompts. For instance, a spear-phishing email arrives in an employee's inbox, posing as a trusted source. Clicking the embedded link sends them to a counterfeit website where the attackers collect their login credentials.

While MFA should ideally prevent these attacks by requiring an additional factor, hackers can use a technique sometimes called '2FA pass-on' (a real-time relay). Once the victim enters their credentials on the fake site, the attacker immediately enters the same details on the legitimate site. This triggers a genuine MFA request, which the victim expects and readily approves (or a one-time code, which the victim types into the fake page), unwittingly granting the attacker a full session. Note that this works against any code or push that is not tied to the website's real address: phishing-resistant methods such as FIDO2/WebAuthn security keys and passkeys bind the authentication to the legitimate origin, so a response produced on a lookalike site is rejected by the real one.

This is a common tactic employed by threat groups such as Storm-1167, which is known for creating fake Microsoft authentication pages to harvest credentials. The group also builds a second phishing page that mimics the MFA step of the Microsoft login process, prompting the victim to enter their MFA code and so granting the attackers access. From there, they control a legitimate email account and can use it as a platform for a multi-stage phishing attack.
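To make the relay concrete, here is an added, self-contained Python simulation (not code from the original article or from any of the groups named above). It models a real-time AITM proxy relaying a password and TOTP code to an in-memory identity provider, then shows the same relay failing against an origin-bound WebAuthn-style assertion. The account, secret, origins, and the HMAC standing in for the authenticator's signature are all assumptions constructed for the example.

```python
"""Simulation of an adversary-in-the-middle (AITM) relay against a
password + TOTP login, and why an origin-bound WebAuthn-style assertion
cannot be relayed. In-memory only: no network, no real IdP. All names,
secrets and origins are constructed for this example."""
import hashlib
import hmac
import secrets
import struct

USER = "alice@example.com"                            # constructed test account
PASSWORD = "Winter2024!"                              # constructed, deliberately weak
TOTP_SECRET = b"12345678901234567890"                 # RFC 6238 test key, reused here
LEGIT_ORIGIN = "https://login.example.com"            # the real IdP (assumption)
PHISH_ORIGIN = "https://login-example.com.evil.test"  # lookalike (assumption)
DEVICE_KEY = b"device-bound-key-stand-in"             # stands in for the authenticator's private key


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; enough to model a code-based second factor."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def authenticator_sign(user: str, challenge: str, origin: str) -> str:
    """Stand-in for a WebAuthn assertion signature. The browser, not the user,
    supplies the origin the page is on, and that origin is covered by the
    signature (HMAC here instead of an asymmetric signature)."""
    msg = f"{user}|{challenge}|{origin}".encode()
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()


class LegitimateIdp:
    """The real identity provider: password + TOTP, or a WebAuthn-style assertion."""

    def __init__(self):
        self.users = {USER: (PASSWORD, TOTP_SECRET)}
        self.sessions = {}  # session token -> user

    def _issue_session(self, user: str) -> str:
        token = secrets.token_hex(8)
        self.sessions[token] = user
        return token

    def login_totp(self, user, password, code, now):
        pw, secret = self.users.get(user, (None, None))
        if pw is None or not hmac.compare_digest(pw, password):
            return None
        if not hmac.compare_digest(totp(secret, now), code):
            return None
        return self._issue_session(user)  # the IdP cannot tell who typed the code

    def new_challenge(self) -> str:
        return secrets.token_hex(8)

    def login_webauthn(self, user, challenge, assertion):
        # Verified against the IdP's OWN origin: an assertion produced while the
        # victim's browser sat on a lookalike origin does not match.
        expected = authenticator_sign(user, challenge, LEGIT_ORIGIN)
        if not hmac.compare_digest(expected, assertion):
            return None
        return self._issue_session(user)


class AitmProxy:
    """Lookalike site forwarding whatever the victim submits to the real IdP
    in real time (the '2FA pass-on' described above)."""

    def __init__(self, idp: LegitimateIdp):
        self.idp = idp
        self.stolen_session = None

    def victim_submits_totp(self, user, password, code, now) -> bool:
        self.stolen_session = self.idp.login_totp(user, password, code, now)
        return self.stolen_session is not None  # victim sees a "successful" login

    def victim_submits_webauthn(self, user, challenge, assertion) -> bool:
        # The proxy can only forward the bytes; it cannot re-sign for LEGIT_ORIGIN.
        self.stolen_session = self.idp.login_webauthn(user, challenge, assertion)
        return self.stolen_session is not None


def relay_totp(now: int = 1_700_000_000) -> bool:
    """Victim types password + current TOTP code into the lookalike page;
    the relayed login succeeds and the attacker holds a valid session."""
    idp = LegitimateIdp()
    proxy = AitmProxy(idp)
    proxy.victim_submits_totp(USER, PASSWORD, totp(TOTP_SECRET, now), now)
    return proxy.stolen_session in idp.sessions


def relay_webauthn() -> bool:
    """Same relay against an origin-bound assertion: the signature covers
    PHISH_ORIGIN, so the real IdP rejects it and no session is issued."""
    idp = LegitimateIdp()
    proxy = AitmProxy(idp)
    challenge = idp.new_challenge()  # relayed from the real IdP to the victim
    proxy.victim_submits_webauthn(USER, challenge,
                                  authenticator_sign(USER, challenge, PHISH_ORIGIN))
    return proxy.stolen_session in idp.sessions


def direct_webauthn() -> bool:
    """Control case: the same assertion made on the legitimate origin is accepted."""
    idp = LegitimateIdp()
    challenge = idp.new_challenge()
    sig = authenticator_sign(USER, challenge, LEGIT_ORIGIN)
    return idp.login_webauthn(USER, challenge, sig) is not None


if __name__ == "__main__":
    print("TOTP relayed via AITM, attacker got a session:", relay_totp())
    print("WebAuthn relayed via AITM, attacker got a session:", relay_webauthn())
    print("WebAuthn used on the real site, login succeeded:", direct_webauthn())
```

Run it and the first line shows the attacker holding a valid session after the TOTP relay, while the second shows the relay rejected because the assertion was signed for the lookalike origin. In the real protocol the signature is asymmetric and the browser decides which origin gets signed; that binding is precisely what a proxy cannot forge.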

  2. MFA prompt bombing

This tactic abuses the push-notification feature of modern authentication apps. After compromising a password, attackers attempt to log in, which sends an MFA prompt to the legitimate user's device. They rely on the user either mistaking it for a genuine prompt and accepting it, or becoming so frustrated with the continuous prompts that they accept one just to stop the notifications. This technique, known as MFA prompt bombing (or MFA fatigue), poses a significant threat. Number matching, where the user must type a number shown on the login screen into the app instead of simply tapping 'Approve', defeats blind approval because the attacker, not the victim, is looking at that screen; limiting how many pushes a user can receive per unit of time blunts the fatigue element.

In a notable 2022 incident at Uber, attackers who had obtained a contractor's login credentials continued the authentication process from a machine they controlled, which repeatedly sent MFA push prompts to the contractor's phone. They then contacted the contractor directly, posing as a member of Uber's IT/security team, and convinced them to accept the push notification.
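A detection you can run over sign-in logs, as an added example that is not from the original article: flag a user who receives a burst of rejected or expired push prompts within a short window, and treat a subsequent approval as suspect. The log lines and their field layout (timestamp, user, event, result, source IP) are constructed for this example and do not match any particular vendor's export; the function that refuses further pushes once a limit is hit is a simple model of the rate-limiting mitigation, also an assumption.

```python
"""Detect MFA prompt bombing (push fatigue) in sign-in logs, plus a model of
the server-side push rate limit. Log lines and layout are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # per-user look-back
THRESHOLD = 3                   # denied/expired pushes that count as a burst

# Constructed sample: alice is bombed from 203.0.113.7 and finally approves;
# bob is normal; carol's two denials are too far apart to matter.
SAMPLE_LOG = """\
2024-01-15T08:00:00+00:00 carol MFA_PUSH denied   192.0.2.9
2024-01-15T08:01:02+00:00 alice MFA_PUSH denied   203.0.113.7
2024-01-15T08:01:31+00:00 alice MFA_PUSH timeout  203.0.113.7
2024-01-15T08:02:05+00:00 alice MFA_PUSH denied   203.0.113.7
2024-01-15T08:03:00+00:00 alice MFA_PUSH denied   203.0.113.7
2024-01-15T08:05:10+00:00 alice MFA_PUSH approved 203.0.113.7
2024-01-15T08:06:00+00:00 alice LOGIN    success  203.0.113.7
2024-01-15T08:20:00+00:00 carol MFA_PUSH denied   192.0.2.9
2024-01-15T09:10:00+00:00 bob   MFA_PUSH approved 198.51.100.4
"""


def parse(line: str):
    ts, user, event, result, ip = line.split()
    return datetime.fromisoformat(ts), user, event, result, ip


def detect_prompt_bombing(lines, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (user, kind, timestamp, source_ip).
    'push_burst': `threshold` denied/timed-out pushes inside `window`.
    'approved_after_burst': an approval right after such a burst, i.e. the
    signature of a victim who gave in; the resulting session is suspect."""
    alerts = []
    rejected = defaultdict(deque)  # user -> timestamps of denied/timeout pushes
    for line in lines:
        if not line.strip():
            continue
        ts, user, event, result, ip = parse(line)
        if event != "MFA_PUSH":
            continue
        q = rejected[user]
        while q and ts - q[0] > window:  # drop entries outside the window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) == threshold:      # fire once per burst, not per push
                alerts.append((user, "push_burst", ts, ip))
        elif result == "approved" and len(q) >= threshold:
            alerts.append((user, "approved_after_burst", ts, ip))
            q.clear()
    return alerts


def allow_push(push_times, now, limit=3, window=WINDOW):
    """Server-side mitigation (assumed model): refuse to send another push when
    the user already received `limit` pushes inside `window`, so an attacker
    holding the password cannot keep ringing the victim's phone."""
    recent = [t for t in push_times if now - t <= window]
    return len(recent) < limit


if __name__ == "__main__":
    for user, kind, ts, ip in detect_prompt_bombing(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {user:<6} {kind:<22} from {ip}")
```

In a real deployment the approved-after-burst alert is the one to act on: revoke the session, reset the password (the attacker evidently has it), and contact the user out of band.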

  3. Service desk attacks

Attackers trick help desks into bypassing MFA by claiming over the phone to have forgotten their password or lost their phone, and asking for a reset. If service desk agents fail to enforce proper identity verification before a reset (for example, calling back a number already on file or requiring a manager's confirmation), they may unknowingly hand hackers an initial entry point into the organization's environment. A recent example is the 2023 MGM Resorts attack, where the Scattered Spider group fraudulently contacted the service desk for a password reset, gaining a foothold to log in and launch a ransomware attack.

  4. SIM swapping

Cybercriminals understand that MFA often relies on cell phones, specifically SMS codes or voice calls, as an authentication channel. They exploit this with a technique called a 'SIM swap', where they deceive the mobile carrier into transferring a target's phone number to a SIM card under their control. They then effectively take over the target's cell service and phone number, letting them receive SMS-based MFA codes and password-reset messages and gain unauthorized access to accounts. This is why SMS is the weakest second factor: an authenticator app or a hardware key is unaffected by a number transfer.

After an incident in 2022, Microsoft published a report detailing the tactics of the threat group LAPSUS$ (which Microsoft tracks as DEV-0537). The report explained how LAPSUS$ runs extensive social engineering campaigns to gain initial footholds in target organizations. Among its favored techniques are SIM-swapping attacks on users, MFA prompt bombing, and resetting a target's credentials through social engineering of the help desk.

You can't entirely rely on MFA – password security still matters

This is not an exhaustive list of ways to bypass MFA. There are several other methods as well, including compromising endpoints, stealing session tokens after authentication has completed, abusing single sign-on (SSO), and exploiting unpatched technical vulnerabilities. It's clear that setting up MFA doesn't mean organizations or individuals can forget about securing passwords.

Account compromise still usually begins with a weak or already compromised password. Once an attacker obtains a valid password, they can shift their focus to bypassing the MFA mechanism. Even a strong password can't protect users if it has been exposed in a breach or reused across sites, so check passwords against known breach data and never reuse them.
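One practical check for "compromised through a breach", added here and not part of the original article: compare a password against a breach corpus using the k-anonymity range lookup popularised by Have I Been Pwned's Pwned Passwords service, in which only the first five characters of the password's SHA-1 hash leave the client. The corpus and counts below are a constructed stand-in and the range lookup is simulated locally, so nothing is sent anywhere.

```python
"""Breach check via k-anonymity range lookup (the Pwned Passwords approach),
simulated locally. BREACH_CORPUS and its counts are constructed; a real corpus
has hundreds of millions of entries and the range lookup is an HTTPS call."""
import hashlib
from collections import Counter

# Constructed stand-in for a leaked-credential dump: password -> times seen.
BREACH_CORPUS = Counter({
    "123456": 37_359_195,
    "password": 9_545_824,
    "qwerty": 3_900_000,
    "letmein": 250_000,
    "Winter2024!": 3,
})


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Server-side index: 5-char hash prefix -> {35-char suffix: count}
_RANGE_INDEX: dict = {}
for _pw, _n in BREACH_CORPUS.items():
    _h = sha1_hex(_pw)
    _RANGE_INDEX.setdefault(_h[:5], {})[_h[5:]] = _n


def range_lookup(prefix: str) -> dict:
    """Models the server: given only a 5-character prefix, return every suffix
    stored under it. The server never learns which one the client wanted; with
    a real corpus several hundred hashes share each prefix."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return dict(_RANGE_INDEX.get(prefix.upper(), {}))


def breach_count(password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix at home."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return range_lookup(prefix).get(suffix, 0)


def check_password(password: str, min_len: int = 12) -> list:
    """Return the reasons a candidate password should be rejected (empty = OK).
    The 12-character minimum is an assumption for the example."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    seen = breach_count(password)
    if seen:
        problems.append(f"seen {seen} times in breach data")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Winter2024!", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Note that "Winter2024!" passes a naive complexity rule (length, mixed case, digit, symbol) yet is rejected here because it appears in the breach data; that is the point of the last paragraph above, and the reason a breach check belongs next to any password policy.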
