Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

11/20/2019
10:00 AM
Tanner Johnson
Tanner Johnson
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Why Multifactor Authentication Is Now a Hacker Target

SIM swaps, insecure web design, phishing, and channel-jacking are four ways attackers are circumventing MFA technology, according to the FBI.

The growing adoption of multifactor authentication (MFA) has resulted in a proportionate rise in cyberattacks that target MFA technologies. In a recent Private Industry Notification (PIN), the Federal Bureau of Investigation (FBI) recognized how recent cyberattack campaigns are focusing directly on circumventing MFA. The FBI outlined three specific and comprehensive tactics that hackers have been developing in order to bypass MFA. 

One of the first MFA notifications mentioned by the FBI PIN outlines the growing number of Subscriber Identity Module (SIM) card-swapping attacks. Each telephony-capable mobile device has an onboard SIM card, programmed with the customer's phone number, and tied to his or her respective account with the carrier. A SIM-swap attack involves switching a victim's phone number over to a different SIM card on a device controlled by a hacker. This is often accomplished through social engineering of cellular phone customer service representatives, who are often unprepared to handle these savvy adversaries.

To social engineer such an attack, an adversary tries to take advantage of a person's naturally trusting tendencies. For example, the attacker might call the victim's carrier posing as the victim in an emergency situation, demanding that the target phone number be transferred to a different SIM card on new device immediately. In an effort to help the struggling "customer" reach a resolution quickly, many representatives end up processing the hacker's request. The result: The adversary now has a device with the victim's phone number programmed to it, while cellular service to the victim's actual device is disconnected. 

SIM Swap & Insecure Web Design
The damage that can be wrought by a successful SIM swap can be catastrophic. If the perpetrator knows the victim's credentials for a website, any text message MFA one-time password (OTP) will be sent to the victim's number, which now arrives on the attacker's device. Even if the adversary doesn't know the victim's credentials, it becomes possible to use the "forgot password" service to receive an MFA OTP text message that can be used to reset the victim's password. The attacker can even call services posing as the victim, using the victim's actual number. This number will be recognized by the service in question as legitimate, possibly allowing the attacker to bypass any additional security checks. With this level of control, it becomes possible to alter all credentials to lock the victim out of his or her own accounts. All the while, the victim remains unaware of these events, unable to make or receive calls or text messages on his or her own device.

Another MFA circumvention method outlined by the FBI is derived from poorly designed and insecure websites. The FBI highlighted how a competent attacker had previously managed to manipulate a vulnerable bank website into bypassing MFA. The adversary managed to accomplish this by inserting a custom command string into the web address once it presents an MFA request. The command string not only resulted in the MFA request being bypassed, but the bank also officially recognized the attacker's computer as a trusted device on the victim's account, resulting in unrestricted access to the account in question.

Phishing & Channel-Jacking
The final method outlined by the FBI PIN includes phishing attacks, which still remain tried-and-true methods used by data thieves to trick a victim into revealing information. For example, an attacker can send a fake message purporting to be from the victim's financial institution, demanding he or she open a link in the message or risk an account being shut down as a security precaution. The link takes the victim to a fraudulent website designed by the attacker that serves as a proxy to (and also resembling) the legitimate website, capturing and forwarding all interactions between the victim and the legitimate website in real time. Once the user is authenticated by the legitimate website, the adversary can capture the browser session cookie that the website associates with the authenticated user. Using the captured session cookie, the result is unrestricted access to the victim's account. This type of attack is referred to as channel-jacking.

While these attacks can be quite effective at bypassing MFA, channel-jacking, in particular, requires advanced technical skills, including knowledge in reverse-proxy web server configuration. Various tools have been developed to streamline the overall phishing and response processes. One pair of tools the FBI highlighted was Muraena and NecroBrowser, which work in concert to automate the attack procedure. Unfortunately, by automating the complex processes involved in such campaigns, these tools allow attacks to be carried out with greater frequency, and on a much larger scale.

This column is an excerpt from an IHS Markit market report: "Multi-Factor Authentication is Becoming a Fundamental Security Necessity."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Soft Skills: 6 Nontechnical Traits CISOs Need to Succeed."

Tanner Johnson is a cybersecurity analyst focused on IoT and transformative technologies at IHS Markit. His coverage is focused on examining the various threats that occupy the IoT technology domain, as well as opportunities and strategies that are emerging as data ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
scottm.johnson
100%
0%
scottm.johnson,
User Rank: Apprentice
11/26/2019 | 11:28:58 AM
Insightful
Insightful analysis. More like this please.
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19642
PUBLISHED: 2019-12-08
On SuperMicro X8STi-F motherboards with IPMI firmware 2.06 and BIOS 02.68, the Virtual Media feature allows OS Command Injection by authenticated attackers who can send HTTP requests to the IPMI IP address. This requires a POST to /rpc/setvmdrive.asp with shell metacharacters in ShareHost or ShareNa...
CVE-2019-19637
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19638
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function load_pnm at frompnm.c, due to an integer overflow.
CVE-2019-19635
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19636
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_encode_body at tosixel.c.