4 Social Engineering Methods Cybercriminals Employ to Bypass MFA
One recommendation regarding access security is particularly noteworthy: implementing multi-factor authentication (MFA). Given how easily attackers can exploit passwords, MFA provides an indispensable additional layer of defense against intrusions. Nevertheless, MFA is not impregnable: it can be circumvented, and it frequently is.
If a password is compromised, attackers seeking to get past the additional protection of MFA have several options at their disposal. This article examines four social engineering techniques that attackers have used successfully to defeat MFA, and explains why a strong password remains significant as part of a layered defense.
1. Adversary-In-The-Middle (AITM) Attacks
In an AITM attack, users are duped into believing they are connecting to a legitimate network, application, or website when in reality they are handing their information to an impostor. This lets the attacker intercept credentials and manipulate security measures such as MFA prompts. For instance, an employee’s inbox may receive a spear-phishing email that masquerades as a reputable source; when they click the embedded link, they are redirected to a fraudulent website where the attacker steals their login credentials.
Although MFA, which mandates an additional authentication factor, should in principle thwart such attacks, attackers may use a method called ‘2FA pass-on’: the attacker immediately enters the credentials the victim typed into the fraudulent site into the legitimate one. This triggers a genuine MFA request, which the victim is expecting and approves, unwittingly handing the session over to the attacker.
Threat groups such as Storm-1167, notorious for creating bogus Microsoft authentication pages to steal credentials, frequently employ this strategy. They also build a second phishing page that imitates the MFA stage of the Microsoft login procedure and demands the victim’s MFA code in exchange for access. The compromised email account can then serve as a foundation for a multi-stage phishing campaign.
2. MFA Prompt Bombing
This strategy leverages the push-notification feature of contemporary authentication apps. After compromising a password, the attacker attempts to log in repeatedly, which triggers an MFA prompt on the legitimate user’s device each time. The attacker relies on the user either mistaking one prompt for a genuine login and approving it, or growing irritated by the repeated prompts and approving one just to stop the notifications. This method, known as MFA prompt bombing, presents a substantial danger.
A noteworthy case involved hackers affiliated with the 0ktapus group compromising the login credentials of an Uber contractor via SMS phishing. The attackers then proceeded with the authentication procedure from a device under their control, which promptly demanded an MFA code. Using Slack to impersonate a member of the Uber security team, they persuaded the contractor to enable the MFA push notifications on their mobile device.
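As an added example, not from the article, here is a small detector for the prompt bombing pattern above, run over constructed push-notification log lines. The log format, field names, user names, addresses and thresholds are all assumptions made for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample push-notification log: ISO timestamp, user, result, source IP.
# The format, the user names and the addresses are made up for this example.
SAMPLE_LOG = """\
2024-03-01T09:00:05Z alice push_denied 203.0.113.7
2024-03-01T09:00:31Z alice push_denied 203.0.113.7
2024-03-01T09:00:58Z alice push_timeout 203.0.113.7
2024-03-01T09:01:20Z alice push_denied 203.0.113.7
2024-03-01T09:01:49Z alice push_approved 203.0.113.7
2024-03-01T09:02:10Z bob push_approved 198.51.100.4
2024-03-01T11:30:00Z carol push_denied 192.0.2.9
"""

WINDOW = timedelta(minutes=10)  # look-back window (assumed threshold)
MAX_PROMPTS = 3                 # prompts per window tolerated before flagging (assumed)

def parse_log(text):
    """Parse the constructed log into (timestamp, user, result, ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip))
    return events

def find_prompt_bombing(events, window=WINDOW, max_prompts=MAX_PROMPTS):
    """Flag users who received more than max_prompts pushes inside `window`.
    The finding records whether an approval arrived after the threshold was
    crossed: that is the fatigue success case, the one worth paging on."""
    per_user = defaultdict(list)
    for ev in sorted(events):           # chronological, grouped per user
        per_user[ev[1]].append(ev)
    findings = {}
    for user, evs in per_user.items():
        flagged = None
        for i, (ts, _, result, _ip) in enumerate(evs):
            recent = [e for e in evs[:i + 1] if ts - e[0] <= window]
            if len(recent) <= max_prompts:
                continue
            if flagged is None:
                flagged = {"prompts": 0, "approved_after_flood": False, "source_ips": set()}
            flagged["prompts"] = max(flagged["prompts"], len(recent))
            flagged["approved_after_flood"] |= result == "push_approved"
            flagged["source_ips"].update(e[3] for e in recent)
        if flagged:
            flagged["source_ips"] = sorted(flagged["source_ips"])
            findings[user] = flagged
    return findings
```

On the sample log only alice is flagged: five prompts in under two minutes, with an approval after the flood, while bob's single approval and carol's single denial are left alone.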
3. Service Desk Attacks
Attackers phone helpdesks and deceive them into bypassing MFA by claiming to have forgotten their password. If service desk agents fail to apply proper verification protocols, they can inadvertently give attackers an initial foothold in the organization’s environment. The Scattered Spider group recently compromised MGM Resorts by fraudulently calling the service desk to request a password reset; this gave the attackers access and let them launch a ransomware attack.
Hackers also manipulate service desks to exploit recovery settings and backup procedures as a way around MFA. In some cases, 0ktapus will target an organization’s service desk if its MFA prompt bombing strategy fails. The attackers claim their phone is broken or lost and ask to enroll a new MFA device, one under their control. They can then abuse the organization’s backup or recovery procedure by having the attacker-controlled device receive a password-reset link.
4. SIM Swapping
Malicious actors know that MFA frequently relies on mobile devices for authentication. This can be exploited with a ‘SIM swap’, in which hackers manipulate a mobile carrier into transferring a target’s service to a SIM card in their possession. They thereby take over the target’s phone number and mobile service, intercept the MFA prompts delivered to it, and gain unauthorized account access.
After an incident in 2022, Microsoft released a report elaborating on the tactics of the malicious group LAPSUS$. The report detailed the extensive social engineering campaigns LAPSUS$ uses to establish a foothold in target organizations; SIM-swapping attacks, MFA prompt bombing, and help desk social engineering to reset a target’s credentials are among its preferred methods.
You Can’t Fully Rely on MFA – Password Security is Highly Crucial
This is not an exhaustive list of ways to circumvent MFA. Others include compromising endpoints, exporting generated tokens, exploiting SSO, and discovering unpatched technical vulnerabilities. Evidently, implementing MFA does not absolve organizations of responsibility for credential security.
Account compromise still frequently begins with a weak or compromised password. Once an attacker holds a valid password, they can move on to circumventing the MFA mechanism. Even the most robust password no longer protects its user once it has been exposed through a breach or password reuse. And most organizations will find going entirely without passwords impractical.
By using a tool such as Specops Password Policy, one can enforce strong password policies in Active Directory to weed out weak credentials and continuously scan for passwords exposed through breaches, reuse, or resale following a phishing attack. This ensures that MFA functions as the supplementary security measure it is intended to be, not as a panacea to be relied upon exclusively. Please contact us if you would like to discuss how Specops Password Policy can be tailored to your organization’s specific requirements.
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he has also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way: he began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. He also writes frequently for Craw Security.