When it comes to login security, one recommendation stands out from the rest: multi-factor authentication (MFA). Since passwords alone are easy pickings for attackers, MFA provides an essential layer of protection against breaches. However, it is important to remember that MFA is not foolproof. It can be circumvented, and often is.
If a password is compromised, hackers have several options to bypass the additional protection offered by MFA. We’ll explore four social engineering tactics that hackers successfully use to breach MFA and highlight the importance of having a strong password as part of a layered defense.
1. Adversary-in-the-middle (AiTM) attacks
AiTM attacks involve tricking users into thinking they are accessing a genuine network, application, or website, when in reality they are handing their information to a fraudulent lookalike that sits between them and the real service. This allows attackers to intercept passwords and manipulate security measures, including MFA requests. For example, a spear phishing email impersonating a trusted source lands in an employee’s inbox. Clicking the embedded link takes the employee to a fake website where the attackers collect their login credentials.
While MFA should ideally prevent these attacks by requiring an additional authentication factor, attackers can use a technique known as “2FA pass-on.” Once the victim enters their credentials on the fake site, the attacker promptly enters the same details on the legitimate site. This triggers a genuine MFA request, which the victim is expecting and promptly approves (or a code prompt, which the victim answers on the fake page and the attacker relays within the code’s validity window), unintentionally granting the attacker full access.
This is a common tactic for threat groups like Storm-1167, known for creating fake Microsoft authentication pages to harvest credentials. They also create a second phishing page that mimics the MFA phase of Microsoft’s login process, asking the victim to enter their MFA code and grant the attackers access. From there, they gain access to a legitimate email account and can use it as a platform for a multi-stage phishing attack.
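The following is an added example, not code from the original article or from any of the groups it describes. It models the 2FA pass-on flow above with a constructed identity provider and phishing proxy: the victim types a password and a time-based one-time code into the lookalike page, and the proxy replays both to the real service within the TOTP validity window. As a contrast it also models a simplified origin-bound factor, where the authenticator signs the domain the browser was actually on, so the relayed assertion is rejected. All usernames, passwords, secrets, and domains are constructed fixtures, and the origin-bound part is a simplified stand-in for how WebAuthn-style authenticators bind assertions to an origin, not an implementation of that standard.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed fixtures for the example (not real credentials or domains).
TOTP_SECRET = b"0123456789abcdef0123"        # 20-byte seed enrolled in the victim's authenticator app
DEVICE_KEY = secrets.token_bytes(32)          # stand-in for a credential key bound to the victim's device
REAL_ORIGIN = "https://login.example.com"     # the legitimate login page
FAKE_ORIGIN = "https://login.example.co"      # the attacker's lookalike domain


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class IdentityProvider:
    """Constructed stand-in for the legitimate login service."""

    def __init__(self):
        self.users = {"alice": {"password": "Winter2024!", "totp_secret": TOTP_SECRET,
                                "device_key": DEVICE_KEY}}
        self.sessions = {}

    def _password_ok(self, username, password):
        user = self.users.get(username)
        return user if user and hmac.compare_digest(password, user["password"]) else None

    def login_with_totp(self, username, password, code, now):
        user = self._password_ok(username, password)
        if user is None:
            return None
        # Servers usually accept the current step and the previous one to absorb clock skew.
        # That tolerance is exactly what gives the relaying attacker time to replay the code.
        valid = {totp(user["totp_secret"], now), totp(user["totp_secret"], now - 30)}
        if code not in valid:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return token

    def login_with_origin_bound_factor(self, username, password, challenge, signature):
        """Simplified origin-bound check: the server only accepts an assertion computed
        over ITS OWN origin and the challenge it issued."""
        user = self._password_ok(username, password)
        if user is None:
            return None
        expected = hmac.new(user["device_key"], f"{REAL_ORIGIN}|{challenge}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(signature, expected):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return token


def victim_device_sign(origin_seen_in_browser: str, challenge: str) -> bytes:
    """The victim's authenticator binds its assertion to the origin the browser reports,
    which on a phishing page is the lookalike domain, not the real one."""
    return hmac.new(DEVICE_KEY, f"{origin_seen_in_browser}|{challenge}".encode(),
                    hashlib.sha256).digest()


class PhishingProxy:
    """Attacker's lookalike site: everything the victim submits is relayed to the real IdP."""

    def __init__(self, idp: IdentityProvider):
        self.idp = idp
        self.harvested = []

    def relay_totp(self, username, password, code, now):
        self.harvested.append((username, password, code))
        # 2FA pass-on: replay a few seconds later, still inside the same TOTP window.
        return self.idp.login_with_totp(username, password, code, now + 5)

    def relay_origin_bound(self, username, password, challenge, signature):
        self.harvested.append((username, password, signature.hex()))
        return self.idp.login_with_origin_bound_factor(username, password, challenge, signature)


def attack_against_totp(now: int = 1_700_000_000) -> bool:
    """True if the attacker ends up holding a valid session for the victim."""
    idp = IdentityProvider()
    proxy = PhishingProxy(idp)
    code = totp(TOTP_SECRET, now)                 # victim reads this off their authenticator app
    session = proxy.relay_totp("alice", "Winter2024!", code, now)
    return session is not None and idp.sessions.get(session) == "alice"


def attack_against_origin_bound_factor() -> bool:
    """Same relay, but the second factor is bound to the origin the victim really visited."""
    idp = IdentityProvider()
    proxy = PhishingProxy(idp)
    challenge = secrets.token_hex(16)             # proxy fetches the real challenge and passes it through
    signature = victim_device_sign(FAKE_ORIGIN, challenge)   # browser was on the lookalike domain
    session = proxy.relay_origin_bound("alice", "Winter2024!", challenge, signature)
    return session is not None
```

Running attack_against_totp() returns True and attack_against_origin_bound_factor() returns False: the password and a phishable code are both relayable, while a factor that signs the origin is not, which is the difference between MFA that merely raises the bar and MFA that an AiTM proxy cannot pass on.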
2. MFA prompt bombing
This tactic takes advantage of the push notification functionality in modern authenticator apps. After compromising a password, attackers repeatedly attempt to log in, each attempt triggering an MFA push request to the legitimate user’s device. They rely on the user either mistaking a prompt for a genuine one and accepting it, or getting frustrated with the constant notifications and accepting one just to make them stop. This technique, known as MFA prompt bombing (or MFA fatigue), poses a significant threat.
In one notable incident, hackers from the 0ktapus group compromised an Uber contractor’s login credentials via SMS phishing, then continued the authentication process from a machine they controlled and immediately requested a multi-factor authentication (MFA) push. They then impersonated a member of Uber’s security team on Slack, convincing the contractor to accept the MFA push notification on their phone.
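Prompt bombing leaves a distinctive trace in identity provider logs: a run of denied or timed-out pushes for one user in a short window, often ending in a single approval. The detection below is an added example written for this article, not the article’s or any vendor’s code. It runs a sliding-window count over a constructed sample of push-MFA events (the log format, users, and IP addresses are made up for the example) and flags users whose prompt count crosses a threshold, separately marking the case where an approval arrives on the tail of a burst of unapproved prompts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in the shape many IdPs emit for push MFA:
# <timestamp> <user> <source IP of the login attempt> <push outcome>. Not real data.
SAMPLE_LOG = """\
2024-03-01T02:10:05Z bob 203.0.113.7 push_denied
2024-03-01T02:10:40Z bob 203.0.113.7 push_denied
2024-03-01T02:11:12Z bob 203.0.113.7 push_timeout
2024-03-01T02:11:50Z bob 203.0.113.7 push_denied
2024-03-01T02:12:30Z bob 203.0.113.7 push_denied
2024-03-01T02:14:02Z bob 203.0.113.7 push_approved
2024-03-01T09:00:00Z carol 198.51.100.4 push_timeout
2024-03-01T09:00:45Z carol 198.51.100.4 push_approved
2024-03-01T22:30:00Z dave 192.0.2.9 push_denied
2024-03-01T22:30:20Z dave 192.0.2.9 push_denied
2024-03-01T22:30:41Z dave 192.0.2.9 push_denied
2024-03-01T22:31:05Z dave 192.0.2.9 push_denied
2024-03-01T22:31:33Z dave 192.0.2.9 push_denied
2024-03-01T22:32:00Z dave 192.0.2.9 push_timeout
2024-03-02T08:00:00Z dave 10.0.0.5 push_approved
"""

WINDOW = timedelta(minutes=10)   # how long a burst may span
THRESHOLD = 5                    # prompts inside WINDOW that count as a burst; tune per environment
NOT_APPROVED = {"push_denied", "push_timeout"}


def parse_log(text: str):
    """Parse the whitespace-separated sample format into sorted (time, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, ip, result))
    events.sort()
    return events


def detect_prompt_bombing(events, threshold: int = THRESHOLD, window: timedelta = WINDOW):
    """Return {user: finding} for users who received >= threshold push prompts within
    `window`. `approved_after_burst` is set when an approval lands while at least
    threshold-1 unapproved prompts are still inside the window: the signature of a
    worn-down user finally tapping Approve."""
    by_user = defaultdict(list)
    for t, user, ip, result in events:
        by_user[user].append((t, ip, result))

    findings = {}
    for user, evs in by_user.items():
        start = 0
        for i, (t, ip, result) in enumerate(evs):
            while t - evs[start][0] > window:      # slide the window forward
                start += 1
            burst = evs[start:i + 1]
            if len(burst) < threshold:
                continue
            f = findings.setdefault(user, {"first_seen": burst[0][0], "max_prompts": 0,
                                           "approved_after_burst": False, "source_ips": set()})
            f["max_prompts"] = max(f["max_prompts"], len(burst))
            f["source_ips"].update(e[1] for e in burst)
            unapproved = sum(1 for e in burst if e[2] in NOT_APPROVED)
            if result == "push_approved" and unapproved >= threshold - 1:
                f["approved_after_burst"] = True
    return findings


if __name__ == "__main__":
    for user, finding in detect_prompt_bombing(parse_log(SAMPLE_LOG)).items():
        print(user, finding)
```

On the sample, bob is flagged with approved_after_burst set (five unapproved prompts and then an approval inside four minutes), dave is flagged as a burst without an approval (his approval the next morning falls outside the window), and carol, with two prompts, is not flagged at all. A burst with no approval is still worth a ticket: as the service desk section below notes, groups that fail at prompt bombing tend to move on to the help desk next.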
3. Service desk attacks
Attackers trick help desks into bypassing MFA by pretending to have forgotten their password and gaining access via phone calls. If service desk agents fail to apply proper verification procedures, they may unknowingly give hackers an initial point of entry into the organization’s environment. A recent example was the attack on MGM Resorts, where the Scattered Spider hacking group fraudulently contacted the service desk to have a password reset, giving them a foothold to log in and launch a ransomware attack.
Hackers also attempt to exploit recovery settings and backup procedures by manipulating service desks into bypassing MFA. 0ktapus is known to fall back on targeting an organization’s service desk if its MFA prompt bombing proves unsuccessful. They contact the service desk claiming their phone is unusable or lost, then ask to enroll a new, attacker-controlled MFA device. They can then take advantage of the organization’s recovery or backup process, for example by receiving a password reset link on the newly registered device.
4. SIM swapping
Cybercriminals know that MFA often relies on mobile phones as a means of authentication. They can exploit this with a technique called “SIM swapping,” in which attackers trick the mobile carrier into porting a target’s phone number to a SIM card under their control. They then effectively control the target’s cellular service and phone number, allowing them to receive SMS and voice MFA codes meant for the victim and gain unauthorized access to accounts.
After incidents in 2022, Microsoft released a report detailing the tactics used by the threat group LAPSUS$. The report explains how LAPSUS$ runs extensive social engineering campaigns to gain initial footholds in target organizations. One of the group’s favored techniques is to target users with SIM swapping attacks, alongside MFA prompt bombing and resetting a target’s credentials through help desk social engineering.
You can’t fully rely on MFA – password strength is still important
This isn’t an exhaustive list of ways to get around MFA. There are many others, including compromising endpoints, stealing or exporting session tokens, exploiting SSO, and exploiting unpatched technical flaws. It’s clear that setting up MFA doesn’t mean organizations can forget about protecting passwords altogether.
Account compromise often still begins with a weak or compromised password. Once an attacker obtains a valid password, they can shift their attention to bypassing the MFA mechanism. Even a strong password cannot protect users if it has been exposed in a breach or reused elsewhere. And for most organizations, going completely passwordless won’t be a practical option.
With a tool like Specops Password Policy, you can enforce robust Active Directory password policies to eliminate weak passwords and continuously scan for compromised passwords, whether exposed in breaches, reused across services, or sold after a phishing attack. This ensures that MFA acts as the additional layer of security it is intended to be, rather than being treated as a silver bullet. If you are interested in finding out how Specops Password Policy can fit the specific needs of your organization, please contact us.