Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

11/20/2019
10:00 AM
Tanner Johnson
Tanner Johnson
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Why Multifactor Authentication Is Now a Hacker Target

SIM swaps, insecure web design, phishing, and channel-jacking are four ways attackers are circumventing MFA technology, according to the FBI.

The growing adoption of multifactor authentication (MFA) has resulted in a proportionate rise in cyberattacks that target MFA technologies. In a recent Private Industry Notification (PIN), the Federal Bureau of Investigation (FBI) recognized how recent cyberattack campaigns are focusing directly on circumventing MFA. The FBI outlined three specific and comprehensive tactics that hackers have been developing in order to bypass MFA. 

One of the first MFA notifications mentioned by the FBI PIN outlines the growing number of Subscriber Identity Module (SIM) card-swapping attacks. Each telephony-capable mobile device has an onboard SIM card, programmed with the customer's phone number, and tied to his or her respective account with the carrier. A SIM-swap attack involves switching a victim's phone number over to a different SIM card on a device controlled by a hacker. This is often accomplished through social engineering of cellular phone customer service representatives, who are often unprepared to handle these savvy adversaries.

To social engineer such an attack, an adversary tries to take advantage of a person's naturally trusting tendencies. For example, the attacker might call the victim's carrier posing as the victim in an emergency situation, demanding that the target phone number be transferred to a different SIM card on new device immediately. In an effort to help the struggling "customer" reach a resolution quickly, many representatives end up processing the hacker's request. The result: The adversary now has a device with the victim's phone number programmed to it, while cellular service to the victim's actual device is disconnected. 

SIM Swap & Insecure Web Design
The damage that can be wrought by a successful SIM swap can be catastrophic. If the perpetrator knows the victim's credentials for a website, any text message MFA one-time password (OTP) will be sent to the victim's number, which now arrives on the attacker's device. Even if the adversary doesn't know the victim's credentials, it becomes possible to use the "forgot password" service to receive an MFA OTP text message that can be used to reset the victim's password. The attacker can even call services posing as the victim, using the victim's actual number. This number will be recognized by the service in question as legitimate, possibly allowing the attacker to bypass any additional security checks. With this level of control, it becomes possible to alter all credentials to lock the victim out of his or her own accounts. All the while, the victim remains unaware of these events, unable to make or receive calls or text messages on his or her own device.

Another MFA circumvention method outlined by the FBI is derived from poorly designed and insecure websites. The FBI highlighted how a competent attacker had previously managed to manipulate a vulnerable bank website into bypassing MFA. The adversary managed to accomplish this by inserting a custom command string into the web address once it presents an MFA request. The command string not only resulted in the MFA request being bypassed, but the bank also officially recognized the attacker's computer as a trusted device on the victim's account, resulting in unrestricted access to the account in question.

Phishing & Channel-Jacking
The final method outlined by the FBI PIN includes phishing attacks, which still remain tried-and-true methods used by data thieves to trick a victim into revealing information. For example, an attacker can send a fake message purporting to be from the victim's financial institution, demanding he or she open a link in the message or risk an account being shut down as a security precaution. The link takes the victim to a fraudulent website designed by the attacker that serves as a proxy to (and also resembling) the legitimate website, capturing and forwarding all interactions between the victim and the legitimate website in real time. Once the user is authenticated by the legitimate website, the adversary can capture the browser session cookie that the website associates with the authenticated user. Using the captured session cookie, the result is unrestricted access to the victim's account. This type of attack is referred to as channel-jacking.

While these attacks can be quite effective at bypassing MFA, channel-jacking, in particular, requires advanced technical skills, including knowledge in reverse-proxy web server configuration. Various tools have been developed to streamline the overall phishing and response processes. One pair of tools the FBI highlighted was Muraena and NecroBrowser, which work in concert to automate the attack procedure. Unfortunately, by automating the complex processes involved in such campaigns, these tools allow attacks to be carried out with greater frequency, and on a much larger scale.

This column is an excerpt from an IHS Markit market report: "Multi-Factor Authentication is Becoming a Fundamental Security Necessity."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Soft Skills: 6 Nontechnical Traits CISOs Need to Succeed."

Tanner Johnson is a cybersecurity analyst focused on IoT and transformative technologies at IHS Markit. His coverage is focused on examining the various threats that occupy the IoT technology domain, as well as opportunities and strategies that are emerging as data ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
scottm.johnson
100%
0%
scottm.johnson,
User Rank: Apprentice
11/26/2019 | 11:28:58 AM
Insightful
Insightful analysis. More like this please.
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7245
PUBLISHED: 2020-01-23
Incorrect username validation in the registration processes of CTFd through 2.2.2 allows a remote attacker to take over an arbitrary account after initiating a password reset. This is related to register() and reset_password() in auth.py. To exploit the vulnerability, one must register with a userna...
CVE-2019-14885
PUBLISHED: 2020-01-23
A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information...
CVE-2019-17570
PUBLISHED: 2020-01-23
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue...
CVE-2020-6007
PUBLISHED: 2020-01-23
Philips Hue Bridge model 2.X prior to and including version 1935144020 contains a Heap-based Buffer Overflow when handling a long ZCL string during the commissioning phase, resulting in a remote code execution.
CVE-2012-4606
PUBLISHED: 2020-01-23
Citrix XenServer 4.1, 6.0, 5.6 SP2, 5.6 Feature Pack 1, 5.6 Common Criteria, 5.6, 5.5, 5.0, and 5.0 Update 3 contains a Local Privilege Escalation Vulnerability which could allow local users with access to a guest operating system to gain elevated privileges.