
Endpoint
6/29/2021 10:00 AM
Atif Mushtaq
Commentary

3 Ways Cybercriminals Are Undermining MFA

Using multifactor authentication is an excellent security step, but like everything else, it is not foolproof and will never be 100% effective.

Many have heralded multifactor authentication (MFA) as the ultimate cyber defense. Organizations and individuals "feel" safer with it enabled and believe it to be virtually foolproof. After all, an attacker would need the login credentials and access to the secondary device to compromise a system. And yet, that false sense of security is dangerous because it has become relatively easy to get around these protections without extensive technical skills.


Just as sophisticated technology is used to strengthen systems, threat actors can use that same technology to exploit weaknesses. They can even use legitimate infrastructure to bypass MFA and access corporate networks and personal data. The following are just some of the ways these attacks have been successful.

Man-in-the-Middle Attacks
One of the more pervasive attack methods is a man-in-the-middle (MitM) or reverse Web proxy attack. In this case, a malicious user sends a link, either through email or SMS, that directs the target to a phishing website that resembles (almost exactly) a legitimate site. It is virtually impossible for the untrained eye to distinguish the fake from the authentic site.

For example, assume that a bank's login page employs two-factor authentication (2FA). The attacker knows that the username and password alone won't get them into the account. Therefore, they put a reverse web proxy between the phishing page and the actual service (hence the name "man in the middle"): everything the victim types is forwarded to the bank, and everything the bank returns is forwarded back to the victim.

When the user's real credentials are entered on the phishing site, the proxy submits them to the legitimate service, which, in turn, sends the second-factor token or code to the user. When the user submits that code on the phishing site, they unknowingly provide the attacker with the last piece of information needed to access the account. The proxy relays the code, the real service issues a logged-in session, and the attacker keeps the session cookie; from that point the one-time code is no longer needed. Any factor the user transcribes or approves by hand (SMS codes, authenticator-app codes, push prompts) is exposed this way, because nothing ties it to the domain the user is actually on. Origin-bound authenticators such as FIDO2/WebAuthn security keys are the exception: the browser includes the page's origin in the signed data, so an assertion produced on the look-alike domain is rejected by the real site.

The simplicity of this attack is illustrated by a GitHub toolkit that automates the MitM process. The researchers who published this code did it for educational purposes, but it highlights how readily available such toolkits have become to the public: they are a public repository away rather than something that has to be hunted down on the Dark Web.
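The exchange described above, reduced to a runnable model, as an added example that is not part of the original article or any published toolkit. It plays the reverse proxy against two second factors: a one-time code the victim types, and a WebAuthn-style assertion that carries the page origin. The service, user, secrets and origins are invented, and the authenticator's asymmetric signature is replaced by an HMAC over the client data so the model stays short; the origin check the relying party performs is the part that matters.

```python
"""
Simulated reverse-proxy ("man in the middle") phish against two second factors.
Added example, not from the article. Origins, accounts and secrets are constructed;
the WebAuthn signature is modelled with an HMAC (real authenticators sign with a
per-credential private key), which does not change the origin-binding logic.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from typing import Optional

RP_ORIGIN = "https://bank.example"          # hypothetical legitimate service
PHISH_ORIGIN = "https://bank-example.net"   # hypothetical look-alike hosting the proxy


def otp_code(secret: bytes, counter: int) -> str:
    """HOTP-style six-digit code (RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


class Service:
    """The real site: issues a session cookie after password + second factor."""

    def __init__(self) -> None:
        self.users = {
            "alice": {                                   # constructed test account
                "password": "correct horse battery staple",
                "otp_secret": b"alice-otp-seed",
                "cred_key": b"alice-authenticator-key",
            }
        }
        self.pending: dict[str, str] = {}                # username -> outstanding challenge
        self.sessions: set[str] = set()                  # issued session cookies

    def _issue_session(self) -> str:
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie

    # Factor A: password + one-time code. Nothing in the code says which site it was typed into.
    def login_otp(self, user: str, password: str, code: str, counter: int) -> Optional[str]:
        rec = self.users.get(user)
        if rec is None or password != rec["password"]:
            return None
        if not hmac.compare_digest(code, otp_code(rec["otp_secret"], counter)):
            return None
        return self._issue_session()

    # Factor B: password + origin-bound assertion (WebAuthn-style).
    def begin_assertion(self, user: str) -> str:
        challenge = secrets.token_hex(16)
        self.pending[user] = challenge
        return challenge

    def login_assertion(self, user: str, password: str, client_data: dict, sig: bytes) -> Optional[str]:
        rec = self.users.get(user)
        if rec is None or password != rec["password"]:
            return None
        expected = self.pending.pop(user, None)
        if expected is None or client_data.get("challenge") != expected:
            return None
        # The relying party checks the origin the browser recorded. The proxy cannot
        # rewrite it without invalidating the signature, so a phished assertion fails here.
        if client_data.get("origin") != RP_ORIGIN:
            return None
        msg = json.dumps(client_data, sort_keys=True).encode()
        if not hmac.compare_digest(sig, hmac.new(rec["cred_key"], msg, hashlib.sha256).digest()):
            return None
        return self._issue_session()


def authenticator_sign(cred_key: bytes, challenge: str, page_origin: str) -> tuple[dict, bytes]:
    """The victim's browser/authenticator: it signs the origin of the page it is on."""
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    msg = json.dumps(client_data, sort_keys=True).encode()
    return client_data, hmac.new(cred_key, msg, hashlib.sha256).digest()


def phish_with_otp(service: Service, counter: int = 1234) -> Optional[str]:
    """Victim types password and a fresh OTP into the proxy page; the proxy replays both."""
    rec = service.users["alice"]
    typed_code = otp_code(rec["otp_secret"], counter)        # victim reads it off their app
    return service.login_otp("alice", rec["password"], typed_code, counter)  # attacker keeps the cookie


def phish_with_assertion(service: Service) -> Optional[str]:
    """Same proxy, but the second factor is an origin-bound assertion."""
    rec = service.users["alice"]
    challenge = service.begin_assertion("alice")             # proxy fetches a genuine challenge
    client_data, sig = authenticator_sign(rec["cred_key"], challenge, PHISH_ORIGIN)
    return service.login_assertion("alice", rec["password"], client_data, sig)


def legitimate_assertion(service: Service) -> Optional[str]:
    """Control case: the same assertion produced on the real origin succeeds."""
    rec = service.users["alice"]
    challenge = service.begin_assertion("alice")
    client_data, sig = authenticator_sign(rec["cred_key"], challenge, RP_ORIGIN)
    return service.login_assertion("alice", rec["password"], client_data, sig)


if __name__ == "__main__":
    svc = Service()
    print("OTP phish captured a session:      ", phish_with_otp(svc) is not None)
    print("Assertion phish captured a session:", phish_with_assertion(svc) is not None)
    print("Legitimate assertion accepted:     ", legitimate_assertion(svc) is not None)
```

The OTP flow yields a session cookie for the attacker even though the password and code were both correct and both belonged to the victim; the assertion flow fails only because the relying party compares the recorded origin with its own. That comparison, not the second factor's secrecy, is what defeats the proxy.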

Malicious OAuth Apps
These attacks leverage the pervasiveness of the OAuth standard for access delegation. Cloud services use OAuth to let a user grant a third-party application access to their account without handing over their password: the user approves a consent prompt once, and the application receives an access token (and often a refresh token) that it can present on the user's behalf from then on. However, because the process of granting permission is so quick, easy, and convenient, people can be (and are) easily tricked into authorizing malicious apps.

These attacks start with a phishing link (via email, SMS, or some other method) that points to the genuine vendor's sign-in page rather than a look-alike. The user signs in there with their real username and password and completes MFA as usual. The page then asks for permission to grant a third-party application access to the account; the application is one the attacker registered. After the user agrees, the attacker's software holds a token with complete access to whatever the requested permissions cover, and that token keeps working without any further MFA challenge until it is revoked. This is problematic for the user, of course, but imagine the user is a CTO or CIO whose account carries broad directory rights, inadvertently granting the app read access across the organization's entire Active Directory and leaving the business completely open.
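A check a practitioner would want at this point is a way to triage a consent link before anyone clicks it. The block below is an added example, not the article's or any vendor's code: it parses an OAuth authorization URL and flags the signs of a consent phish described above (an application nobody approved, a redirect to an outside domain, a refresh token via `offline_access`, and high-impact data scopes). The authorize endpoint path is the real Microsoft identity platform one and the scope names are real Microsoft Graph permissions; the client IDs, redirect hosts, trusted sets and risk rules are constructed for illustration.

```python
"""
Triage an OAuth authorization (consent) URL before a user clicks it.
Added example, not from the article. Endpoint path and scope names are real;
the application IDs, hosts and thresholds below are constructed.
"""
from urllib.parse import parse_qs, urlsplit

# Scopes that hand an app standing access to data an attacker wants.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Contacts.Read", "Directory.Read.All", "User.Read.All",
}

# Constructed allowlists: applications the organization has reviewed, and the
# hosts their redirect URIs are allowed to land on.
TRUSTED_CLIENT_IDS = {"11111111-2222-3333-4444-555555555555"}
TRUSTED_REDIRECT_HOSTS = {"intranet.example.com"}


def assess_consent_request(url: str, trusted_client_ids: set, trusted_redirect_hosts: set) -> list:
    """Return a list of human-readable findings; an empty list means nothing stood out."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    findings = []

    client_id = params.get("client_id", "")
    if client_id not in trusted_client_ids:
        findings.append(f"client_id {client_id or '<missing>'} is not an approved application")

    redirect_host = urlsplit(params.get("redirect_uri", "")).hostname or ""
    if redirect_host not in trusted_redirect_hosts:
        findings.append(f"redirect_uri host {redirect_host or '<missing>'} is outside the trusted set")

    scopes = set(params.get("scope", "").split())
    if "offline_access" in scopes:
        findings.append("offline_access requested: app receives a refresh token and keeps access after the user leaves")
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        findings.append("high-impact scopes requested: " + ", ".join(risky))

    if params.get("prompt") == "consent":
        findings.append("prompt=consent forces the consent screen even for a never-seen application")
    return findings


# Constructed sample links. The first mimics a "document review" consent phish;
# the second is what an approved internal app's sign-in link looks like.
MALICIOUS_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fsharepoint-docs-review.net%2Fcb"
    "&scope=openid%20offline_access%20Mail.Read%20Files.ReadWrite.All"
    "&prompt=consent"
)
LEGIT_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fintranet.example.com%2Fauth%2Fcb"
    "&scope=openid%20User.Read"
)

if __name__ == "__main__":
    for label, link in (("malicious", MALICIOUS_URL), ("legitimate", LEGIT_URL)):
        print(f"{label}:")
        for line in assess_consent_request(link, TRUSTED_CLIENT_IDS, TRUSTED_REDIRECT_HOSTS) or ["no findings"]:
            print("  -", line)
```

Nothing in the malicious link is forged: the sign-in really happens at the identity provider and MFA is really satisfied. The finding that matters most is the combination of an unreviewed `client_id` with `offline_access`, because the resulting refresh token is what lets the attacker keep reading mail and files long after the user has forgotten the click. Admin consent policies that block users from approving unverified apps remove this class of attack at the source.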

Browser Hijacking
This is arguably the most dangerous form of attack. Because of the normalization of the cloud in our professional and personal lives, virtually everything we do happens through a browser: online banking, shopping, sharing corporate documents, videoconferencing, and more. All modern browsers support extensions (plug-ins), and an extension that has been granted access to a site runs with the browser's own view of that site. Whatever the browser "sees" on the page, the extension can read and modify.

Take the example of a user receiving a phishing link that asks them to install a specific extension. The attackers employ social engineering techniques to get people to trust them and install a plug-in disguised as a legitimate, often even well-known, application. Once installed, an extension with broad host permissions can easily scrape whatever is rendered or typed in the browser, including MFA codes, banking details, session cookies and other sensitive text, and forward it to the attacker. An MFA code typed into a login form is plaintext to such an extension before it ever reaches the site.
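The practical check here is to look at what an extension asks for before (or after) it is installed. The block below is an added example, not the article's code: it audits an extension's `manifest.json` and reports the combination that makes the attack above possible, namely host access to every site plus APIs that reach cookies, traffic or page content. The manifest keys and permission names are the real Chrome/Firefox ones for Manifest V2 and V3; the two manifests are constructed (one mimicking a "document viewer" lure, one a narrowly scoped internal tool) and the rules are the author's own.

```python
"""
Flag browser extensions whose manifest lets them read every page the user visits.
Added example, not from the article. Manifest keys and permission names are real;
the sample manifests and the severity rules are constructed for illustration.
"""
import json

# Host patterns that match every origin.
ALL_URL_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that, combined with global host access, let an extension lift
# typed text, session cookies or raw traffic.
SENSITIVE_APIS = {
    "cookies", "webRequest", "webRequestBlocking", "clipboardRead",
    "tabs", "history", "scripting", "debugger",
}


def broad_hosts(patterns) -> list:
    """Return the patterns in `patterns` that grant access to every site."""
    return sorted(p for p in patterns if p in ALL_URL_PATTERNS)


def audit_manifest(manifest_json: str) -> list:
    """Return human-readable findings for an extension manifest (empty list = nothing broad)."""
    m = json.loads(manifest_json)
    findings = []

    perms = set(m.get("permissions", []))
    host_perms = set(m.get("host_permissions", []))               # Manifest V3 keeps hosts here
    host_perms |= {p for p in perms if "://" in p or p == "<all_urls>"}  # Manifest V2 mixes them in

    broad = broad_hosts(host_perms)
    if broad:
        findings.append("host access to every site: " + ", ".join(broad))

    apis = sorted(perms & SENSITIVE_APIS)
    if apis and broad:
        findings.append("sensitive APIs combined with global host access: " + ", ".join(apis))

    # Content scripts are what actually read the DOM (and any MFA code typed into it).
    for script in m.get("content_scripts", []):
        if broad_hosts(script.get("matches", [])):
            frames = " in all frames" if script.get("all_frames") else ""
            findings.append(
                f"content script {', '.join(script.get('js', []))} injected into every page{frames}"
            )
    return findings


# Constructed manifests. The first is the shape a credential-stealing "viewer" takes.
SUSPECT_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Secure Document Viewer",
    "version": "1.0",
    "permissions": ["cookies", "webRequest", "scripting", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [
        {"matches": ["<all_urls>"], "js": ["capture.js"], "all_frames": True, "run_at": "document_start"}
    ],
})

BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Intranet Helper",
    "version": "2.1",
    "permissions": ["storage"],
    "host_permissions": ["https://intranet.example.com/*"],
    "content_scripts": [{"matches": ["https://intranet.example.com/*"], "js": ["helper.js"]}],
})

if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(f"{label}:")
        for line in audit_manifest(manifest) or ["no findings"]:
            print("  -", line)
```

The same logic applies to an enterprise browser policy: an allowlist of reviewed extension IDs, with `<all_urls>` host access treated as a reason for review rather than a default, removes the installation step the phishing lure depends on.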

A Wolf in Sheep's Clothing
Because organizations whitelist legitimate cloud services like Google, Dropbox, or SharePoint, it is easy to host a phishing page on them. In fact, looking for suspicious domains, while still necessary, has become especially challenging. People assume that if a domain looks legitimate, the site can be trusted. Furthermore, phishing attacks are no longer purely relegated to emails. Smishing (text messages) and vishing (telephone calls) have also become increasingly common, as have attacks through collaboration channels and even social media.

Today, the best form of defense is built around the concept of a zero-trust approach. People are prone to human error, so they'll always remain the weakest link in the security chain. They need to be educated not to trust anything; even if communication comes from a seemingly legitimate source, they must question everything.

Organizations also need to fight machines with machines. With hackers using automated attacks, we need to use automated defenses. Using MFA is an excellent security step, but like everything else, it is not foolproof and will never be 100% effective. Organizations require multiple layers of security and must educate their personnel to effectively mitigate the risk of attack.

Atif Mushtaq has spent most of his career on the front lines of the war against cybercrime. Before founding SlashNext, he spent nine years as a senior scientist at FireEye, where he was one of the main architects of FireEye's core malware detection system. Mushtaq has worked ...
 
