The FBI is warning about an attack that bypasses multi-factor authentication

Recently, the Federal Bureau of Investigation, Cyber Division sent out a Private Industry Notification (PIN) to warn about cyber criminals using social engineering and technical attacks to circumvent multi-factor authentication (MFA).

The FBI still recommends that companies use MFA, stating “Multi-factor authentication continues to be a strong and effective security measure to protect online accounts, as long as users take precautions to ensure they do not fall victim to these attacks.”

Rather, the alert is meant to make MFA users aware that cyber criminals have found ways to circumvent multi-factor authentication, and to point out ways users can protect themselves.

For example, users should choose a strong MFA solution that is not vulnerable to social engineering tricks such as SIM swapping, or transparent proxies that can intercept the MFA token.

Please see our blog on 2FA for more information.

Some past incidents of MFA bypasses were included in the FBI-released PIN:

• In 2016, some customers of a US banking institution were targeted by a cyber attacker using the SIM swap method. The attacker contacted the customer service departments of phone companies that bank customers used in an effort to obtain the information necessary for the criminal to complete the SIM swap. Some phone company representatives gave out the information and the attacker was then able to take control over the customers’ phone numbers. The attacker then called the bank to request a wire transfer from the victims’ accounts to another account that the criminal owned. The bank, recognizing the phone number as belonging to the customer, didn’t ask any security questions and requested a one-time code be sent to the phone number from which the criminal was calling. The criminal also requested to change PINs and passwords and was able to attach victims’ credit card numbers to a mobile payment application.

This has been a continuing occurrence, as in 2018 and 2019 the FBI’s Internet Crime Complaint Center continued to see attacks of this nature happen. Victims of these attacks have their phone numbers stolen, their bank accounts drained, and their passwords and PINs changed. Many of these attacks rely on the attackers socially engineering customer service representatives for major phone companies, who give out the information that the attackers need.

• In 2019, a US banking institution was targeted by a cybercriminal who was able to take advantage of a flaw in the bank’s website in order to circumvent the two-factor authentication implemented to protect accounts. The attacker logged in with stolen victim credentials and, upon reaching the secondary page where the customer would typically need to answer security questions, the attacker entered a manipulated string into the Web URL. This change allowed him to bypass the PIN and security question pages and to initiate wire transfers from the victims’ accounts.
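The 2019 incident above is a classic forced-browsing flaw: the server let a value in the URL stand in for proof that the PIN and security-question steps had been completed. The following is an added example, not code from the FBI PIN or from the bank involved; it models the flow with simulated (session, path) requests and constructed credentials, and places the vulnerable transfer handler beside one that only trusts a server-side progress marker.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Session:
    user: Optional[str] = None    # set once the password check passes
    step: str = "password"        # server-side record of the next required step

def login_password(sess: Session, user: str, password: str) -> bool:
    # Constructed credential; real code verifies a stored password hash.
    if password == "correct-horse":
        sess.user = user
        sess.step = "pin"         # PIN page is now the only valid next step
        return True
    return False

def submit_pin(sess: Session, pin: str) -> bool:
    if sess.user and sess.step == "pin" and pin == "1234":   # constructed PIN
        sess.step = "security_question"
        return True
    return False

def answer_question(sess: Session, answer: str) -> bool:
    if sess.user and sess.step == "security_question" and answer == "rex":
        sess.step = "done"
        return True
    return False

# VULNERABLE: the server trusts a flag in the URL as proof the extra steps ran.
def wire_transfer_vulnerable(sess: Session, path: str) -> str:
    if sess.user is None:
        return "403 login required"
    if "verified=1" in path:      # anyone with the password can append this
        return "200 transfer initiated"
    return "302 redirect to /pin"

# HARDENED: only the server-side step marker decides; the URL is ignored.
def wire_transfer_hardened(sess: Session, path: str) -> str:
    if sess.user is None:
        return "403 login required"
    if sess.step != "done":
        return "302 redirect to /pin"
    return "200 transfer initiated"
```

The same step-tracking also blocks skipping straight to the security question, since each handler checks that it is the step the session is currently expecting.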

Some possible MFA bypasses were also included in the FBI-released PIN:

• At the RSA Conference in San Francisco that was held in February 2019, a cyber security expert demonstrated a large variety of schemes and attacks that cybercriminals could use to circumvent multi-factor authentication. The expert presented real-time examples of how attackers could use man-in-the-middle attacks and session hijacking in order to intercept the traffic between a user and a website to conduct these attacks and maintain access for as long as possible.

• The PIN also references the June 2019 Hack-in-the-Box conference that was held in Amsterdam. Cyber security experts demonstrated a pair of tools – Muraena and NecroBrowser – which are used in tandem to automate a phishing scheme against users of multi-factor authentication. The Muraena tool works by intercepting traffic between a user and a target website that the user is logging in to. Once the user has successfully logged in, NecroBrowser stores the user’s data and hijacks the session cookie. With this information, the cyber-criminal can then log into these private accounts, take them over, and change user passwords and recovery e-mail addresses, in order to make it more difficult for the user to regain access to their account.

Even with the ways cyber attackers have found to bypass MFA, attacks of this nature are rare.

Microsoft has stated that attacks that can bypass MFA are so out of the ordinary that they don’t even have statistics on them. In fact, Microsoft states that when MFA is enabled, it helps users to block 99.9% of all account hacks.

Google echoes a similar statement, claiming that users who added a recovery phone number to their accounts, which also indirectly enables an SMS-based MFA, greatly improved their account security. “Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation.”

It’s safe to say that MFA is still a very effective preventative aid that keeps out most mass and automated attacks. However, users should also be aware that there are some ways those MFA solutions can be bypassed.

Therefore, it’s important to choose stronger MFA solutions (such as with biometrics or a YubiKey or equivalent) that are not vulnerable to social engineering tricks like SIM swapping, or transparent proxies that can intercept the MFA token.
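The following is an added example, not code from the FBI PIN, the tool authors, or any key vendor. It is a simplified model of why an origin-bound authenticator (a FIDO2/WebAuthn key such as a YubiKey) survives the transparent-proxy phishing described in the Hack-in-the-Box item above while a relayed one-time code does not: the browser reports the origin it is actually connected to, the key signs over it, and the real site rejects anything signed for a lookalike domain. An HMAC with a constructed secret stands in for the authenticator's private-key signature, and both domain names are constructed.

```python
import hashlib
import hmac
import json
import secrets

AUTHENTICATOR_SECRET = secrets.token_bytes(32)   # constructed; never leaves the key
REAL_ORIGIN = "https://bank.example"             # constructed
PROXY_ORIGIN = "https://bank-example.com"        # constructed lookalike the proxy serves

def authenticator_sign(challenge: bytes, origin: str) -> dict:
    # The browser, not the page, supplies the origin; the key signs over it
    # together with the site's challenge (a stand-in for WebAuthn clientData).
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin}).encode()
    digest = hashlib.sha256(client_data).digest()
    sig = hmac.new(AUTHENTICATOR_SECRET, digest, "sha256").digest()
    return {"client_data": client_data, "sig": sig}

def server_verify(assertion: dict, expected_challenge: bytes) -> bool:
    data = json.loads(assertion["client_data"])
    if data["origin"] != REAL_ORIGIN:             # the check that defeats the proxy
        return False
    if data["challenge"] != expected_challenge.hex():
        return False
    digest = hashlib.sha256(assertion["client_data"]).digest()
    expect = hmac.new(AUTHENTICATOR_SECRET, digest, "sha256").digest()
    return hmac.compare_digest(expect, assertion["sig"])

def direct_login() -> bool:
    challenge = secrets.token_bytes(16)
    return server_verify(authenticator_sign(challenge, REAL_ORIGIN), challenge)

def proxied_key_login() -> bool:
    # The proxy relays the bank's real challenge to the victim, but the victim's
    # browser is on the lookalike origin, so the signed assertion names it.
    challenge = secrets.token_bytes(16)
    relayed = authenticator_sign(challenge, PROXY_ORIGIN)
    return server_verify(relayed, challenge)

def proxied_otp_login() -> bool:
    # Contrast: an SMS/TOTP code carries no origin, so relaying it verbatim works.
    code = f"{secrets.randbelow(10**6):06d}"
    relayed_code = code                           # proxy forwards what the victim typed
    return hmac.compare_digest(relayed_code, code)
```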

As always, if we can be of help with your network or computer, give us a call here at RHYNO Networks. (855) 749-6648
