Atif Mushtaq

3 Ways Cybercriminals Are Undermining MFA

Using multifactor authentication is an excellent security step, but like everything else, it is not foolproof and will never be 100% effective.

Many have heralded multifactor authentication (MFA) as the ultimate cyber defense. Organizations and individuals "feel" safer with it enabled and believe it to be virtually foolproof. After all, an attacker would need the login credentials and access to the secondary device to compromise a system. And yet, that false sense of security is dangerous because it has become relatively easy to get around these protections without extensive technical skills.

Just as sophisticated technology is used to strengthen systems, threat actors can use that same technology to exploit weaknesses. They can even use legitimate infrastructure to bypass MFA and access corporate networks and personal data. The following are just some of the ways these attacks have been successful.

Man-in-the-Middle Attacks
One of the more pervasive attack methods is a man-in-the-middle (MitM) or reverse web proxy attack. In this case, a malicious user sends a link, either through email or SMS, that directs the target to a phishing website that resembles (almost exactly) a legitimate site. It is virtually impossible for the untrained eye to distinguish the fake from the authentic site.

For example, assume that a bank's login page employs two-factor authentication (2FA). The attacker knows that even with the username and password, they won't be able to access the site. Therefore, they put in place a reverse web proxy between the phishing page and the actual service (hence the name "man in the middle").

When the user's real credentials are entered on the phishing site, it forwards them to the legitimate service, which, in turn, sends the second-factor token or code to the user. When the user submits that code on the phishing site, they unknowingly hand the attacker the last piece of information needed to access the account.

The simplicity of this attack is illustrated in a GitHub toolkit that automates the MitM process. The researchers who published this code did it for educational purposes, but it highlights how readily available malicious toolkits have become to the public. Simply go to your friendly neighborhood app store rather than having to search around on the Dark Web.
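The reason a relay defeats a typed code but not a phishing-resistant factor is origin binding, which the article's description of the proxy flow implies but does not spell out. The following is an added simulation, not code from the article or from any toolkit: a one-time code is a bare string that passes through a forwarding proxy unchanged, whereas a WebAuthn-style assertion carries the origin the browser actually talked to, so the real server rejects it. The origins, seed and key are constructed, and HMAC stands in for the public-key signature.

```python
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://bank.example"       # constructed: the real login origin
PROXY_ORIGIN = "https://bank-example.test"  # constructed: the look-alike the proxy serves


def otp_code(seed: bytes, counter: int) -> str:
    """HOTP-style 6-digit code (RFC 4226 truncation); a plain string, so it relays unchanged."""
    digest = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def server_verify_otp(seed: bytes, counter: int, submitted: str) -> bool:
    # The server cannot tell who typed the code or on which page it was typed.
    return hmac.compare_digest(otp_code(seed, counter), submitted)


def browser_sign(cred_key: bytes, challenge: str, origin_in_address_bar: str):
    """WebAuthn-style assertion: the browser signs the origin it is really talking to.
    HMAC stands in for the public-key signature to keep the example dependency-free."""
    client_data = json.dumps({"challenge": challenge, "origin": origin_in_address_bar}, sort_keys=True)
    return client_data, hmac.new(cred_key, client_data.encode(), hashlib.sha256).hexdigest()


def server_verify_assertion(cred_key: bytes, challenge: str, client_data: str, sig: str) -> bool:
    data = json.loads(client_data)
    if data.get("origin") != LEGIT_ORIGIN or data.get("challenge") != challenge:
        return False  # signed for the wrong site, or a stale challenge
    expected = hmac.new(cred_key, client_data.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def relayed_login(origin_seen_by_user: str) -> dict:
    """Run both factors through a transparent relay that forwards bytes verbatim."""
    seed, counter = b"constructed-otp-seed", 42
    cred_key, challenge = b"constructed-credential-key", secrets.token_hex(16)
    relay = lambda x: x  # a forwarding proxy cannot change what the browser signed
    otp_ok = server_verify_otp(seed, counter, relay(otp_code(seed, counter)))
    client_data, sig = browser_sign(cred_key, challenge, origin_seen_by_user)
    assertion_ok = server_verify_assertion(cred_key, challenge, *relay((client_data, sig)))
    return {"otp_accepted": otp_ok, "assertion_accepted": assertion_ok}
```

`relayed_login(PROXY_ORIGIN)` accepts the relayed code but rejects the assertion; `relayed_login(LEGIT_ORIGIN)` accepts both, which is why FIDO2/WebAuthn is the usual mitigation for this class of attack.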

Malicious OAuth Apps
These attacks leverage the pervasiveness of the OAuth standard for access delegation. Every cloud service lets users grant websites or third-party applications access to their account through OAuth tokens, so they do not have to keep signing in with their username and password. However, because the process of granting permission is so quick, easy, and convenient, people can be (and are) easily tricked into authorizing malicious apps.

These attacks center on a phishing link (sent via email, SMS, or some other method) that points to the original vendor's site. The user clicks the link and is asked for their username and password. Once those are entered, the page asks for permission to grant the third-party application access and, after the user agrees, the malicious software gets complete access to the account. This is problematic for the user, of course, but imagine if the user is a CTO or CIO who inadvertently grants access to the organization's entire Active Directory, leaving the business completely open.
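Consent grants like the one described above leave an audit trail, and triaging that trail is the detection step. The following is an added example, not the article's or any vendor's code: it scores constructed consent-grant events (the scope names are real Microsoft Graph permission names; the users, apps and timestamps are made up) and flags user-consented grants of high-privilege scopes to unverified publishers.

```python
import json

# Microsoft Graph permission names that hand an app broad or persistent account access
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
    "Directory.AccessAsUser.All", "User.ReadWrite.All", "offline_access",
}

# Constructed consent-grant events, one JSON object per line
SAMPLE_EVENTS = """
{"time":"2021-07-09T10:01:00Z","user":"cio@corp.example","app":"Contoso Expense","publisher_verified":true,"consent":"Admin","scopes":["User.Read","offline_access"]}
{"time":"2021-07-09T10:04:12Z","user":"cio@corp.example","app":"SharePoint Sync Helper","publisher_verified":false,"consent":"User","scopes":["Mail.ReadWrite","Files.ReadWrite.All","offline_access"]}
{"time":"2021-07-09T10:06:30Z","user":"dev@corp.example","app":"Calendar Widget","publisher_verified":false,"consent":"User","scopes":["User.Read"]}
""".strip()


def score(event: dict) -> list:
    """Return the reasons a single consent grant deserves review (empty list = benign)."""
    risky = HIGH_RISK_SCOPES & set(event["scopes"])
    reasons = []
    if risky and event["consent"] == "User":
        reasons.append("user-consented high-privilege scopes: " + ", ".join(sorted(risky)))
    if risky and not event["publisher_verified"]:
        reasons.append("publisher not verified")
    if "offline_access" in risky and len(risky) > 1:
        reasons.append("refresh token keeps the access alive after the session ends")
    return reasons


def triage(log_text: str) -> list:
    """Scan newline-delimited JSON consent events and return (user, app, reasons) findings."""
    findings = []
    for line in log_text.splitlines():
        event = json.loads(line)
        reasons = score(event)
        if reasons:
            findings.append((event["user"], event["app"], reasons))
    return findings
```

The admin-consented, verified-publisher grant and the low-privilege `User.Read` grant produce no findings; the middle event is the one to revoke and investigate.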

Browser Hijacking
This is arguably the most dangerous form of attack. Because the cloud has become a normal part of our professional and personal lives, virtually everything we do happens through a browser: online banking, shopping, sharing corporate documents, videoconferencing, and more. To simplify all of this, modern browsers rely on extensions or plug-ins that have the same access and privileges as the browser itself. Whatever the browser "sees," the plug-in can access.

Take the example of a user receiving a phishing link that asks them to download a specific extension. The attackers employ social engineering techniques to get people to trust them and install a plug-in disguised as a legitimate, often even well-known, application. Once installed, the plug-in can easily scrape all the data from within the browser, including MFA codes, banking details, and other sensitive text.
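Whether an extension can scrape what the browser sees is visible in its manifest before it is ever installed. The following is an added example, not code from the article or from any browser vendor: it audits two constructed Chrome Manifest V3 files (the permission and host-pattern names are real; the extension names and URLs are made up) against an assumed enterprise allowlist and reports why an extension should be blocked.

```python
import json

BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Chrome permission names that let an extension read or alter what the browser sees
SENSITIVE_APIS = {"webRequest", "cookies", "clipboardRead", "scripting", "debugger", "nativeMessaging"}
ENTERPRISE_ALLOWLIST = {"Corp Password Manager"}  # constructed allowlist

# Two constructed manifest.json files in Chrome's Manifest V3 layout
PASSWORD_MANAGER = json.dumps({
    "manifest_version": 3, "name": "Corp Password Manager", "version": "4.2.0",
    "permissions": ["storage"], "host_permissions": ["https://vault.corp.example/*"],
})
FAKE_DOC_VIEWER = json.dumps({
    "manifest_version": 3, "name": "SharePoint Document Viewer", "version": "1.0",
    "permissions": ["cookies", "scripting", "clipboardRead", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["page.js"]}],
})


def host_patterns(manifest: dict) -> list:
    """Every URL pattern the extension can touch: host_permissions plus content-script matches."""
    patterns = list(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        patterns.extend(script.get("matches", []))
    return patterns


def audit(manifest_json: str, allowlist=ENTERPRISE_ALLOWLIST) -> list:
    """Return the reasons an extension should be blocked or reviewed (empty list = clean)."""
    manifest = json.loads(manifest_json)
    findings = []
    if manifest.get("name") not in allowlist:
        findings.append("not on enterprise allowlist")
    broad = sorted(set(host_patterns(manifest)) & BROAD_HOST_PATTERNS)
    if broad:
        findings.append("can read every page the user opens: " + ", ".join(broad))
    apis = sorted(SENSITIVE_APIS & set(manifest.get("permissions", [])))
    if apis:
        findings.append("sensitive APIs: " + ", ".join(apis))
    if broad and apis:
        findings.append("combination exposes session cookies, typed codes and clipboard contents")
    return findings
```

The same allowlist is what Chrome's `ExtensionInstallAllowlist` policy enforces at install time; the audit is the review you run to decide what goes on it.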

A Wolf in Sheep's Clothing
Because organizations whitelist legitimate cloud services like Google, Dropbox, or SharePoint, it is easy to host a phishing page on them. In fact, looking for suspicious domains, while still necessary, has become especially challenging. People assume that if a domain looks legitimate, the site can be trusted. Furthermore, phishing attacks are no longer purely relegated to emails. Smishing (text messages) and vishing (telephone calls) have also become increasingly common, as have attacks through collaboration channels and even social media.

Today, the best form of defense is built around the concept of a zero-trust approach. People are prone to human error, so they'll always remain the weakest link in the security chain. They need to be educated not to trust anything; even if communication comes from a seemingly legitimate source, they must question everything.

Organizations also need to fight machines with machines. With hackers using automated attacks, we need to use automated defenses. Using MFA is an excellent security step, but like everything else, it is not foolproof and will never be 100% effective. Organizations require multiple layers of security and must educate their personnel to effectively mitigate the risk of attack.

Atif Mushtaq has spent most of his career on the front lines of the war against cybercrime. Before founding SlashNext, he spent nine years as a senior scientist at FireEye, where he was one of the main architects of FireEye's core malware detection system. Mushtaq has worked ...