Subscribe
About

How MFA phishing compromises large company networks

Cyber criminals are well versed in the tactic of phishing, which aims to trick users into revealing confidential information and gain unauthorised access to user accounts and compromise corporate networks. A new type of phishing attack has now emerged, known as MFA phishing, which evades key protection measures deployed by corporate networks.

The SANS 2022 Managing Human Risk report highlights the simple fact that the last line of defence against cyber attacks is people. One of the main findings of the study points out that human risk management will be fundamental to cyber security in the future, especially when it comes to threats launched to access corporate networks. This growing trend flags the critical need to implement a phishing-resistant MFA (multi-factor authentication) solution.

In September last year, Uber was hit by a cyber attack on its systems after a malicious actor successfully compromised the account of one the company’s contractors. After investigating the incident, the company concluded that the cyber criminal probably purchased the target's corporate password on the dark web after the victim’s personal device was infected with malware and their credentials were exposed. This slip-up was exploited by the hacker, who initiated an MFA phishing attack, after MFA fatigue led to the user accepting one of the bogus requests, resulting in a successful login.

“This case exemplifies the biggest vulnerability in cyber security: people. There’s no getting away from the fact that security solutions often require human interaction and people do fall victim to scams such as social engineering or phishing,” says Dolos CEO, Dominic Richardson.

How does MFA phishing work?

In an MFA phishing attack, a cyber criminal attempts to trick users into revealing the confidential information they use for authentication purposes or into intervening in the fraudulent approval of the login request produced by their MFA solution. A successful MFA phishing attack obtains a target's credentials as the first step. Credential theft can occur through several means, including a combination of the following:

  • Phishing attacks: Cyber criminals often employ the use of fake (although they look genuine) e-mails and websites to obtain sensitive information from unsuspecting victims. The attacker can then use this information to steal login credentials.
  • Automated attacks: Using malicious software to access a user's credentials without their knowledge. A new two-prong tactic that is proving successful and is influencing the growing demand for infostealers on the dark web entails deploying malware to obtain a user's credentials, followed up by an MFA fatigue attack to gain access to corporate networks.
  • Brute-force attacks: In brute-force attacks, cyber criminals use automated programs that can systematically guess passwords, usernames and other credentials that provide access to different accounts. Credential stuffing is a brute-force attack where username and password pairs obtained from a data breach on another site are then tested.
  • Social engineering: Threat actors seek to gain users’ trust through social engineering in order to manipulate them and obtain their credentials.

Once the attacker obtains their target's credentials by deploying these tactics, they can use similar methods to carry out MFA phishing. SMS or e-mail phishing is used to try to trick targets into revealing the MFA authentication code sent via these channels. Similarly, malicious actors may use a spoofing attack, where they pose as a trustworthy person, such as a legitimate employee of a company, who asks the user to reveal their login information, along with their MFA code.

This type of attack tends to be most effective for MFA solutions that use one-time codes, but it can be more difficult to get the user to approve a request from the app on their mobile device. This is why MFA fatigue is becoming popular, as in the case of attacks on large corporate networks of companies like Uber or Cisco.

Using this tactic, cyber criminals can send multiple push (pop-up) notifications to their target's mobile device. Overwhelmed by the number of MFA authentication requests they receive, users may start ignoring them, disable this security solution or even inadvertently grant access, thereby falling victim to an MFA phishing attack.

Companies need a phishing-resistant MFA solution

As this new type of attack is now escalating, companies need a solution that protects against MFA fatigue. Deploying a tool that allows users to take action if they receive unexpected push notifications reduces the possibility of accidental approval of unauthorised access.

For MSPs seeking to protect customers, adding a phishing-resistant MFA solution to their portfolio delivers a competitive advantage over other businesses of this type.

However, adding this functionality to existing solutions must take into account end-user friction. If this friction is high, the end-user may choose to avoid or ignore security, leaving corporate networks exposed to malicious actors. WatchGuard's AuthPoint has evolved to address new advanced threats and now allows users to disable push notifications, thereby reducing MFA fatigue. So, simply and without incorporating additional verification factors, if a user denies the first authentication request, the new feature offers to disable the request feature completely, which prevents users from accidentally granting access to the corporate network. Combining this functionality with others, such as policy restrictions, enhances security, which prevents unauthorised access.

MFA phishing is an example of how cyber criminals are still finding new ways to reach their targets. Today, the only way to prevent these attacks, from a technology standpoint, is to implement a phishing-resistant MFA solution that decreases the likelihood of being affected by human error and prevents cyber criminals from accessing corporate networks. Contact the Dolos team to find out more about how WatchGuard’s solutions prevent these kinds of attacks. 

Share

Editorial contacts