Many have heralded multifactor authentication (MFA) as the ultimate cyber defense. Organizations and individuals "feel" safer with it enabled and believe it to be virtually foolproof. After all, an attacker would need the login credentials and access to the secondary device to compromise a system. And yet, that false sense of security is dangerous because it has become relatively easy to get around these protections without extensive technical skills.
Just as sophisticated technology is used to strengthen systems, threat actors can use that same technology to exploit weaknesses. They can even use legitimate infrastructure to bypass MFA and access corporate networks and personal data. The following are just some of the ways these attacks have been successful.
One of the more pervasive attack methods is a man-in-the-middle (MitM) or reverse Web proxy attack. In this case, a malicious user sends a link either through email or SMS that directs the target to a phishing website that resembles (almost exactly) a legitimate site. It is virtually impossible to the untrained eye to distinguish the fake from the authentic site.
For example, assume that a bank's login page employs two-factor authentication (2FA). The attacker knows that even with the username and password, they won't be able to access the site. Therefore, they put in place a reverse web proxy between the phishing page and the actual service (hence the name "man in the middle").
When the user's real credentials are entered on the phishing site, it communicates to the legitimate service, which, in turn, sends the second-factor token or code to the user. When the user submits the authentication code on the phishing site, they unknowingly provide the attacker with the last piece of information they need to access to the account.
The simplicity of this attack is illustrated in a GitHub toolkit that automates the MitM process. The researchers who published this code did it for educational purposes, but it highlights how readily available malicious toolkits have become to the public. Simply go to your friendly neighborhood app store rather than having to search around on the Dark Web.
Malicious OAuth Apps
These attacks leverage the pervasiveness of the OAuth standard for access delegation. Every cloud service lets users access websites or third-party authorization applications without continuously having to sign in with their username and password, giving those sites and apps account access through OAuth tokens. However, because the process of granting permission is so quick, easy, and convenient, people can be (and are) easily tricked into authorizing malicious apps.
These attacks center on receiving a phishing link (via email, SMS, or some other method) that points to the original vendor site. In this type of attack, the user clicks on the link requesting their username and password. Once done, the page asks for permission to access the third-party application and, after the user agrees, the malicious software gets complete access to the account. This is problematic for the user, of course, but imagine if the user is a CTO or CIO, inadvertently granting access to the organization's entire Active Directory, leaving the business completely open.
This is arguably the most dangerous form of attack. Because of the normalization of the cloud in our professional and personal lives, virtually everything we do happens through a browser. Online banking, shopping, sharing corporate documents, videoconferencing, and more. To simplify this, all modern browsers rely on extensions or plug-ins that have the same access and privileges as the browsers. Whatever the browser "sees," the plug-in can access.
Take the example of a user receiving a phishing link that asks them to download a specific extension. The attackers employ social engineering techniques to get people to trust them and install a plug-in disguised as a legitimate, often even well-known, application. Once installed, the plug-in can easily scrape all the data from within the browser, including MFA codes, banking details, and other sensitive text.
A Wolf in Sheep's Clothing
Because organizations whitelist legitimate cloud services like Google, Dropbox, or SharePoint, it is easy to host a phishing page on them. In fact, looking for suspicious domains, while still necessary, has become especially challenging. People assume that if a domain looks legitimate, the site can be trusted. Furthermore, phishing attacks are no longer purely relegated to emails. Smishing (text messages) and vishing (telephone calls) have also become increasingly common, as have attacks through collaboration channels and even social media.
Today, the best form of defense is built around the concept of a zero-trust approach. People are prone to human error, so they'll always remain the weakest link in the security chain. They need to be educated not to trust anything; even if communication comes from a seemingly legitimate source, they must question everything.
Organizations also need to fight machines with machines. With hackers using automated attacks, we need to use automated defenses. Using MFA is an excellent security step, but like everything else, it is not foolproof and will never be 100% effective. Organizations require multiple layers of security and must educate their personnel to effectively mitigate the risk of attack.