Multi-factor authentication is being attacked by hackers
Multi-factor authentication (MFA) is one of the best things that can be done to help secure users’ accounts from hackers, and because of that, MFA is one of the standards that the security industry recommends first when consumers and businesses are looking to protect themselves.
Multi-factor authentication is also usually the last remaining wall standing between hackers and the bounty of information they’re looking to compromise.
This has led these bad actors to begin targeting MFA through phishing and business email compromise (BEC) campaigns.
The latest type of attack to bypass MFA focuses on CEOs and CFOs with Microsoft 365 accounts.
Cybersecurity researchers at Mitiga uncovered a malicious campaign that combines phishing with attacker-in-the-middle (AitM) attacks in order to bypass MFA security.
The attackers are especially interested in cloud-based Office 365 accounts.
The hackers send the CEOs and CFOs they’re targeting fraudulent emails requesting that financial transfers be made.
These bad actors disguise their fraudulent requests by sliding into active, legitimate email conversations about business deals.
These attackers then change the bank details on all documents so that they receive the payment when the CEO or CFO authorizes payment.
In most cases of BEC fraud, the scam isn’t noticed until it’s too late and the money cannot be recovered from the hackers.
BEC fraud has cost victims damages that total into the billions.
What to Look For
The case study that Mitiga references in their research involves fraudulent documents that are sent to specific business executives and that are designed to look like legitimate documents from DocuSign.
If the victim then clicks on the malicious document link, they will be taken to a fake Microsoft 365 login page.
Once the executive types in their username and password, that sensitive login data is transmitted to the hackers instead of to the real Microsoft 365 site.
The attacker also runs proxy servers that sit between the victim’s browser and the real Microsoft login server, relaying the traffic in both directions. This is what lets the proxy quietly defeat MFA.
Because the victim is still genuinely talking to Microsoft through the proxy, they are asked to confirm the MFA request on their device and do so. Microsoft then returns a valid session cookie, and the attacker uses the proxy to take control of the victim’s session without having to reenter a password or complete another MFA request.
With this access in place, the hacker can then register a second MFA authenticator app for themselves, which lets them keep acting as the original user.
This allows the attackers to have full privileges on the compromised account and lets them monitor emails and other sensitive activities.
With this approach, the attackers were able to send a reply to real correspondence about a financial transaction in order to attempt to redirect payment into their own account.
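The chain above leaves two traces a defender can correlate: a session that continues with no fresh MFA prompt (the replayed cookie) and an MFA method registered from an address the user has never signed in from. The following detector is an added example written for this article, not code from Mitiga or RHYNO Networks; the events and the IP baseline are constructed, and the field names are an assumed simplified schema rather than any specific vendor’s log format.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not real tenant logs); field names are an
# assumed simplified schema, not a specific vendor's log format.
EVENTS = [
    # Victim signs in through the attacker's proxy and completes MFA: a valid session cookie is issued
    {"ts": "2023-02-01T09:02:00", "user": "cfo@example.com", "type": "signin", "ip": "203.0.113.10", "mfa_prompt": True},
    # Attacker reuses the captured cookie: a session with no new MFA prompt
    {"ts": "2023-02-01T09:05:00", "user": "cfo@example.com", "type": "signin", "ip": "203.0.113.10", "mfa_prompt": False},
    # Attacker registers a second authenticator app to keep acting as the user
    {"ts": "2023-02-01T09:20:00", "user": "cfo@example.com", "type": "mfa_method_added", "ip": "203.0.113.10"},
    # Benign: CEO adds a new authenticator from the office network after a normal MFA sign-in
    {"ts": "2023-02-01T10:00:00", "user": "ceo@example.com", "type": "signin", "ip": "198.51.100.7", "mfa_prompt": True},
    {"ts": "2023-02-01T10:03:00", "user": "ceo@example.com", "type": "mfa_method_added", "ip": "198.51.100.7"},
]

# Addresses each user has historically signed in from (constructed baseline).
KNOWN_IPS = {"cfo@example.com": {"198.51.100.20"}, "ceo@example.com": {"198.51.100.7"}}


def parse_ts(s):
    return datetime.fromisoformat(s)


def detect_suspicious_mfa_enrollment(events, known_ips, window=timedelta(hours=24)):
    """Flag MFA-method registrations from an IP the user has never used; raise the
    severity when that same IP also produced a sign-in with no MFA prompt inside
    the look-back window, which is what a replayed session cookie looks like."""
    alerts = []
    for ev in events:
        if ev["type"] != "mfa_method_added":
            continue
        user, ip, t = ev["user"], ev["ip"], parse_ts(ev["ts"])
        if ip in known_ips.get(user, set()):
            continue  # enrollment from a familiar network is not flagged here
        replayed = any(
            e["type"] == "signin" and e["user"] == user and e["ip"] == ip
            and not e["mfa_prompt"] and t - window <= parse_ts(e["ts"]) <= t
            for e in events
        )
        alerts.append({
            "user": user, "ip": ip, "ts": ev["ts"],
            "severity": "high" if replayed else "medium",
            "reason": "MFA method added from unfamiliar IP"
                      + (" after a sign-in with no MFA prompt" if replayed else ""),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_mfa_enrollment(EVENTS, KNOWN_IPS):
        print(alert)
```

In a real tenant the baseline would come from weeks of sign-in history, and the same correlation is worth extending to new inbox rules created in the flagged session, since the attackers in this case went on to reply inside an existing financial thread.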
This serves as another example as to why it’s important to never let your guard down about security.
It’s important to be aware of AitM phishing, and we recommend good computing habits online: in particular, exercise caution before clicking on links in emails that take you to web pages and before opening unknown files.
As always, if we can be of help with your network and computer security, give us a call here at RHYNO Networks. (855) 749-6648