Atif Mushtaq
3 Ways Cybercriminals Are Undermining MFA

Using multifactor authentication is an excellent security step, but like everything else, it is not foolproof and will never be 100% effective.

Many have heralded multifactor authentication (MFA) as the ultimate cyber defense. Organizations and individuals "feel" safer with it enabled and believe it to be virtually foolproof. After all, an attacker would need the login credentials and access to the secondary device to compromise a system. And yet, that false sense of security is dangerous because it has become relatively easy to get around these protections without extensive technical skills.

Just as sophisticated technology is used to strengthen systems, threat actors can use that same technology to exploit weaknesses. They can even use legitimate infrastructure to bypass MFA and access corporate networks and personal data. The following are just some of the ways these attacks have been successful.

Man-in-the-Middle Attacks
One of the more pervasive attack methods is the man-in-the-middle (MitM), or reverse Web proxy, attack. The attacker sends a link by email or SMS that leads the target to a phishing site that resembles the legitimate one almost exactly. Because the proxy relays the real site's own pages, the only visible differences are the address bar and the certificate, so for the untrained eye the fake is virtually indistinguishable from the authentic site.

For example, assume that a bank's login page employs two-factor authentication (2FA). The attacker knows that a username and password alone will not get them in. Therefore, instead of hosting a static copy of the login page, they stand up a reverse Web proxy on the phishing domain that sits between the victim and the actual service (hence the name "man in the middle"), forwarding every request to the bank and every response back to the victim.

When the user enters real credentials on the phishing site, the proxy forwards them to the legitimate service, which in turn sends the second-factor code to the user. When the user submits that code on the phishing site, the proxy relays it within its short validity window and the bank answers with an authenticated session cookie. That cookie is the piece the attacker keeps: it outlives the one-time code and grants access to the account without another MFA prompt. This relay works against any factor the user can type or approve, such as OTP codes and push notifications. It does not work against FIDO2/WebAuthn security keys, whose signed response is bound to the origin the browser actually visited, so an assertion collected on the phishing domain is rejected by the real site.

The simplicity of this attack is illustrated by a GitHub toolkit that automates the MitM process. The researchers who published the code did so for educational purposes, but it highlights how readily available such toolkits have become: they are a search away on a public code-hosting site rather than something that has to be sourced on the Dark Web.
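The following is an added example, not code from the article or from any toolkit it refers to. It simulates the relay described above in a few dozen lines: a toy service that asks for a password and a one-time code before issuing a session cookie, and a proxy that forwards both steps in real time while keeping the credentials, the code and, most importantly, the session cookie. It then shows the origin check that defeats this relay: a WebAuthn-style assertion carries the origin the browser actually talked to, and the real service rejects one signed for the phishing domain. The hosts, account, code and cookie format are constructed, and an HMAC stands in for the authenticator's real signature.

```python
"""Simulated reverse-proxy MFA relay, plus the origin check that defeats it."""
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs

LEGIT_HOST = "bank.example"               # constructed
PHISH_HOST = "bank-secure-login.example"  # constructed look-alike


class LegitService:
    """Toy login service: password, then a 6-digit one-time code, then a session cookie."""

    def __init__(self):
        self.users = {"alice": {"password": "hunter2", "otp": "492817"}}  # constructed
        self.sessions = {}

    def handle(self, request):
        """request: dict with 'path' and a form-encoded 'body' string."""
        form = {k: v[0] for k, v in parse_qs(request["body"]).items()}
        u = self.users.get(form.get("username", ""))
        if request["path"] == "/login":
            if u and hmac.compare_digest(u["password"], form.get("password", "")):
                return {"status": 200, "body": "enter one-time code", "set_cookie": None}
            return {"status": 401, "body": "bad credentials", "set_cookie": None}
        if request["path"] == "/otp":
            if u and hmac.compare_digest(u["otp"], form.get("code", "")):
                sid = secrets.token_hex(16)
                self.sessions[sid] = form["username"]
                cookie = f"session={sid}; Domain={LEGIT_HOST}; Secure; HttpOnly"
                return {"status": 200, "body": "welcome", "set_cookie": cookie}
            return {"status": 401, "body": "bad code", "set_cookie": None}
        return {"status": 404, "body": "", "set_cookie": None}


class ReverseProxyPhish:
    """Relays the victim's requests to the real service and keeps what flows through."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.loot = {"creds": {}, "otp": None, "session": None}

    def handle(self, request):
        form = {k: v[0] for k, v in parse_qs(request["body"]).items()}
        if request["path"] == "/login":
            self.loot["creds"] = {"username": form.get("username"), "password": form.get("password")}
        elif request["path"] == "/otp":
            self.loot["otp"] = form.get("code")
        resp = self.upstream.handle(request)  # relayed unchanged, within the code's validity window
        if resp["set_cookie"]:
            # The session cookie is the real prize: it outlives the one-time code.
            self.loot["session"] = resp["set_cookie"].split(";")[0].split("=", 1)[1]
            # Re-scope the cookie so the victim's browser accepts it from the phishing domain.
            rescoped = resp["set_cookie"].replace(f"Domain={LEGIT_HOST}", f"Domain={PHISH_HOST}")
            resp = dict(resp, set_cookie=rescoped)
        return resp


def run_relay():
    """Victim completes both login steps through the proxy; returns (attacker loot, live sessions)."""
    svc = LegitService()
    proxy = ReverseProxyPhish(svc)
    proxy.handle({"path": "/login", "body": "username=alice&password=hunter2"})
    proxy.handle({"path": "/otp", "body": "username=alice&code=492817"})
    return proxy.loot, svc.sessions


# --- The check that breaks this relay: origin-bound credentials ---------------
# A WebAuthn authenticator signs over clientDataJSON, which records the origin the
# browser actually connected to; the relying party verifies that origin.
def make_assertion(browser_origin, challenge, key):
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}, sort_keys=True)
    sig = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()  # stand-in for ECDSA
    return client_data, sig


def verify_assertion(client_data, sig, challenge, key, expected_origin):
    expected = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False
    cd = json.loads(client_data)
    return cd["challenge"] == challenge and cd["origin"] == expected_origin


def webauthn_through_proxy():
    """Browser signs for the phishing origin; the proxy forwards it verbatim; the real
    service rejects it even though the signature itself is valid."""
    key = b"constructed-credential-key"
    challenge = secrets.token_urlsafe(16)
    cd, sig = make_assertion(f"https://{PHISH_HOST}", challenge, key)
    return verify_assertion(cd, sig, challenge, key, f"https://{LEGIT_HOST}")


if __name__ == "__main__":
    loot, sessions = run_relay()
    print("attacker holds:", loot, "valid session:", loot["session"] in sessions)
    print("WebAuthn assertion relayed through proxy accepted:", webauthn_through_proxy())
```

The point of the simulation is in `run_relay`: the attacker never needs to break the second factor, only to be the party the bank hands the session to. The origin check is the reason phishing-resistant MFA is a different category from OTP codes and push prompts, not just a stronger one.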

Malicious OAuth Apps
These attacks leverage the pervasiveness of the OAuth standard for access delegation. Most cloud services let users grant a website or third-party application access to their account by issuing it an OAuth token, so they neither have to keep signing in with a username and password nor share that password with the app. Because the consent step is so quick, easy, and convenient, people can be (and are) easily tricked into authorizing malicious apps. MFA does not fail here in the usual sense: the user legitimately passes the MFA prompt, and the token the app receives then works without any further prompt for as long as it remains valid or can be refreshed.

These attacks begin with a phishing link (via email, SMS, or another channel) that points to the vendor's genuine login page rather than a look-alike, so domain checks pass. The user clicks the link and signs in, MFA included. The page then asks for permission to grant a third-party application access to the account and, after the user agrees, the attacker's app holds a token with whatever scopes it requested, typically the mailbox, files, and contacts. This is problematic for any user, but imagine the user is a CTO or CIO: the attacker now reads and sends mail as an executive, and if that person holds an administrator role and consents on behalf of the organization, the app gains tenant-wide access to the directory and its data, leaving the business wide open.
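As an added example (not from the article), the check below is what a mail gateway or a user-facing link scanner can run on an OAuth authorization URL before anyone clicks it. It parses the request, flags scopes that let the app keep acting on the account after the MFA prompt is gone, and flags a client_id or redirect_uri the organization has never vetted. The scope names follow the Microsoft Graph naming convention; the risk table, the list of vetted clients, and the two sample URLs are constructed assumptions. Note that the lure URL's host is the real identity provider, exactly as the paragraph above describes.

```python
"""Triage an OAuth authorization (consent) URL before a user clicks it."""
from urllib.parse import urlparse, parse_qs

# Scopes that let an app act on the account long after the user's MFA prompt.
# Names follow Microsoft Graph; the risk wording is an assumption for this example.
HIGH_RISK_SCOPES = {
    "offline_access": "refresh token: access persists without the user present",
    "Mail.Read": "read the whole mailbox",
    "Mail.ReadWrite": "read, alter and move mail",
    "Mail.Send": "send mail as the user",
    "MailboxSettings.ReadWrite": "create forwarding rules",
    "Files.ReadWrite.All": "read and write every file the user can reach",
    "Directory.Read.All": "enumerate users, groups and roles in the tenant",
}
LOW_RISK_SCOPES = {"openid", "profile", "email", "User.Read"}


def assess_consent_request(url: str, known_clients: dict) -> dict:
    """Return requested scopes, findings and a verdict for one consent URL.

    known_clients maps client_id -> set of redirect_uri hosts the org has vetted
    (constructed input for this example)."""
    parts = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    scopes = q.get("scope", "").split()
    findings = []
    for s in scopes:
        if s in HIGH_RISK_SCOPES:
            findings.append(f"scope {s}: {HIGH_RISK_SCOPES[s]}")
        elif s not in LOW_RISK_SCOPES and not s.endswith("/.default"):
            findings.append(f"scope {s}: not in the low-risk allowlist")
    client = q.get("client_id", "")
    redirect_host = urlparse(q.get("redirect_uri", "")).hostname or ""
    if client not in known_clients:
        findings.append(f"client_id {client or '<missing>'}: not a vetted application")
    elif redirect_host not in known_clients[client]:
        findings.append(f"redirect_uri host {redirect_host!r}: not registered for this client")
    if q.get("prompt") == "consent":
        findings.append("prompt=consent: forces a fresh consent screen even for a known app")
    unknown_and_risky = client not in known_clients and any(s in HIGH_RISK_SCOPES for s in scopes)
    verdict = "block" if unknown_and_risky else ("review" if findings else "allow")
    return {"client_id": client, "scopes": scopes, "findings": findings, "verdict": verdict}


# Constructed examples: one vetted app and one consent-phishing lure. Both point at the
# genuine identity-provider host, so a domain reputation check alone passes the lure.
KNOWN_CLIENTS = {"11111111-2222-3333-4444-555555555555": {"app.vendor.example"}}
LEGIT_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
             "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
             "&redirect_uri=https%3A%2F%2Fapp.vendor.example%2Fcallback"
             "&scope=openid+profile+User.Read")
LURE_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
            "?client_id=99999999-8888-7777-6666-555555555555&response_type=code"
            "&redirect_uri=https%3A%2F%2Fdocs-viewer.example%2Fcb"
            "&scope=openid+offline_access+Mail.ReadWrite+Files.ReadWrite.All&prompt=consent")

if __name__ == "__main__":
    for u in (LEGIT_URL, LURE_URL):
        r = assess_consent_request(u, KNOWN_CLIENTS)
        print(r["verdict"], r["findings"])
```

The same scope table is worth running against the applications already granted in the tenant, since the lure only has to succeed once; an app holding `offline_access` together with a mail scope is the pattern to look for after the fact.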

Browser Hijacking
This is arguably the most dangerous form of attack. Because of the normalization of the cloud in our professional and personal lives, virtually everything we do happens through a browser: online banking, shopping, sharing corporate documents, videoconferencing, and more. All modern browsers support extensions (plug-ins), and an extension runs with whatever permissions it declares at install time. One that requests access to all sites can read and modify every page the browser loads: whatever the browser "sees," the extension can access.

Take the example of a user receiving a phishing link that asks them to install a specific extension. The attackers use social engineering to win the user's trust and get them to install an extension disguised as a legitimate, often well-known, application. Once installed, an extension with broad host permissions can read everything rendered or typed in the browser, including one-time MFA codes as they are entered, session cookies, banking details, and other sensitive text, and it does so after MFA has already succeeded.
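As an added example, not from the article, the audit below reads an extension's manifest.json and reports the capabilities that make the scenario above possible: host access to every site, a content script injected into every page, and permissions such as cookies and clipboard access. The permission names are the real Chrome/WebExtension ones (covering both manifest v2 and v3 layouts); the sample manifest, the weighting and the verdict thresholds are constructed for this example.

```python
"""Audit a browser extension manifest for page-wide read/modify capability."""
import json

# Host patterns that grant access to every site the browser visits.
PAGE_ACCESS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that let an extension observe or alter what the user sees and types.
DANGEROUS = {
    "webRequest": "inspect every request and response header",
    "webRequestBlocking": "rewrite or block requests (MV2)",
    "declarativeNetRequest": "block or redirect requests by rule (MV3)",
    "cookies": "read session cookies for any permitted host",
    "clipboardRead": "read whatever the user pastes, including OTP codes",
    "scripting": "inject scripts into pages at will (MV3)",
    "tabs": "see the URL and title of every open tab",
    "nativeMessaging": "talk to a native program outside the browser sandbox",
}
# Combinations that turn page access into credential theft (weighting is an assumption).
AMPLIFIERS = {"cookies", "webRequest", "scripting", "clipboardRead"}


def audit_manifest(manifest: dict) -> dict:
    """Return findings, a score and a verdict (ok / review / reject) for one manifest."""
    mv = manifest.get("manifest_version", 2)
    # MV2 puts host patterns in "permissions"; MV3 moves them to "host_permissions".
    declared = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    findings = []
    broad = declared & PAGE_ACCESS
    if broad:
        findings.append(f"host access to every site: {sorted(broad)}")
    for cs in manifest.get("content_scripts", []):
        if PAGE_ACCESS & set(cs.get("matches", [])):
            findings.append(f"content script runs in every page: {cs.get('js')}")
    for p in sorted(declared & set(DANGEROUS)):
        findings.append(f"{p}: {DANGEROUS[p]}")
    score = len(findings) + (2 if broad and declared & AMPLIFIERS else 0)
    verdict = "reject" if score >= 3 else ("review" if score else "ok")
    return {"manifest_version": mv, "findings": findings, "score": score, "verdict": verdict}


# Constructed manifest posing as a harmless PDF viewer while asking for full page access.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Quick PDF Viewer", "version": "1.0.3",
  "permissions": ["storage", "cookies", "scripting", "clipboardRead"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"], "run_at": "document_start"}]
}""")

if __name__ == "__main__":
    result = audit_manifest(SAMPLE_MANIFEST)
    print(result["verdict"], result["score"])
    for f in result["findings"]:
        print(" -", f)
```

Run this over the manifests already installed in a managed fleet (they sit in each browser profile's extensions directory) and against the allowlist your browser policy enforces; the `run_at: document_start` content script in the sample is the part that sees a one-time code before the page's own scripts do.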

A Wolf in Sheep's Clothing
Because organizations whitelist legitimate cloud services like Google, Dropbox, or SharePoint, it is easy to host a phishing page on them. In fact, looking for suspicious domains, while still necessary, has become especially challenging. People assume that if a domain looks legitimate, the site can be trusted. Furthermore, phishing attacks are no longer purely relegated to emails. Smishing (text messages) and vishing (telephone calls) have also become increasingly common, as have attacks through collaboration channels and even social media.

Today, the best form of defense is built around the concept of a zero-trust approach. People are prone to human error, so they'll always remain the weakest link in the security chain. They need to be educated not to trust anything; even if communication comes from a seemingly legitimate source, they must question everything.

Organizations also need to fight machines with machines. With hackers using automated attacks, we need to use automated defenses. Using MFA is an excellent security step, but like everything else, it is not foolproof and will never be 100% effective. Organizations require multiple layers of security and must educate their personnel to effectively mitigate the risk of attack.

Atif Mushtaq has spent most of his career on the front lines of the war against cybercrime. Before founding SlashNext, he spent nine years as a senior scientist at FireEye, where he was one of the main architects of FireEye's core malware detection system. Mushtaq has worked ...