How Hackers are Abusing Multi-Factor Authentication

Phishing attacks are nothing new to most of us. Whether you work for a large or small organization, the attacks are relentless and ever-changing.

Although everyday users have made great progress in spotting phishing attempts, recent attacks on large multinational firms show that these attempts are becoming more sophisticated and include complex schemes, like abusing Multi-Factor Authentication. Below we walk through these schemes, how they work, and how to mitigate them:

What is Multi-Factor Authentication?

You’re likely seeing articles all over the internet about a simple control you can enable to add a layer of security to the accounts you use online. It is called 2FA (two-factor authentication) or MFA (multi-factor authentication): an authentication method that grants access to a website or application only after the user successfully presents two or more pieces of evidence (“factors”) from different categories, typically something you know (a password), something you have (a phone or hardware key), and something you are (a fingerprint).

Why Is MFA So Important?

MFA has blocked many attacks over the years, but it was never foolproof, and attackers have settled on reliable ways around the weaker forms of it, notably the tactics called “MFA Fatigue” (push bombing) and “SIM Swapping”. Both tactics are increasingly common and highly effective for gaining a foothold on a device or network. Services that rely on a simple temporary text code or email verification are even easier to exploit: an attacker who gains access to the victim’s email account or mobile number, or who stands up a phishing page that relays the one-time code to the real site in real time, can satisfy the second factor using phishing toolkits available for little to no cost on the dark web.

How Do I Enable MFA?

The process is usually as simple as opening the security or login settings of your account. It’s typically a checkbox or button that then opens a pop-up window with a QR code. In your authenticator app of choice (Google Authenticator, Authy, Cisco Duo, Microsoft Authenticator, etc.), opt to add a new account, which opens the camera for you to point at the QR code. The QR code carries a shared secret; from it, the app generates a six-digit time-based one-time password (TOTP, RFC 6238) that changes every 30 seconds. The short validity window limits how long a captured code can be replayed, though it does not stop a phishing site that relays the code to the real service in real time, which is why an authenticator app is better than SMS but weaker than a hardware key. Most websites and applications have this feature built in today. It is highly recommended that you use MFA wherever you have the option.


MFA Hacker Tactics

Let’s take a closer look at the tactics mentioned above so you can better protect yourself against them.

MFA Fatigue

To put it simply, attackers who already hold a valid password flood their target with MFA push (approval) requests until the target accepts one, granting them access. How could someone accidentally do that, right? It happens more than you would think, even to a company as big as Cisco:

In 2022, the Yanluowang threat group compromised a personal Google account belonging to a Cisco employee. That employee had saved passwords synced through the Chrome browser, including credentials for a VPN connection into Cisco’s environment. With the stolen credentials, the attackers repeatedly attempted to log in to the VPN, and each attempt generated an MFA push request to the employee’s phone. This is where the MFA fatigue came into play: they kept the pushes coming (and, according to Cisco Talos, backed them with voice-phishing calls posing as trusted support organizations) until the user accepted one, either accidentally or simply to silence the never-ending notifications. Once that acceptance occurred, the attackers were in. The takeover of the employee’s Cisco account was underway, and the rest is history.

What To Do If You Suspect MFA Fatigue on Your Device

Do not approve, and do not simply ignore the flood either: deny the requests, report them to your IT or security team immediately, and change the password for that account. If the attacker has reached the MFA stage, your password for that account is already compromised and needs to be changed right away. Some MFA services now cap push volume, for example blocking further pushes once a user has received 5 requests in 60 seconds, which stalls the attacker instead of wearing the user down. As of this writing this control is only on Microsoft MFA, although other platforms can be expected to add it.
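The push-limiting control just described, together with the detections a security team would want around a push-bombing attempt like the Cisco one, can be expressed in a few dozen lines. The following is an added example written for this article, not Cisco’s or any MFA vendor’s code; the log format, the threshold of 5 pushes in 60 seconds, the 10-minute suppression and the sample log lines are all constructed for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunables for the illustrative detector (assumed values, not a vendor's defaults).
PUSH_THRESHOLD = 5                        # this many pushes to one user ...
BURST_WINDOW = timedelta(seconds=60)      # ... inside this window count as push bombing
SUPPRESS_FOR = timedelta(minutes=10)      # withhold further pushes for this long after a burst
POST_BURST_WATCH = timedelta(minutes=10)  # an approval this soon after a burst is the worst case

# Assumed line format: "<ISO-8601 UTC time> <user> <client ip> <sent|denied|timeout|approved>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(sent|denied|timeout|approved)$")

# Constructed sample log (not real data): alice is push-bombed from one IP and
# eventually approves; bob is an ordinary login.
SAMPLE_LOG = """\
2023-01-10T02:14:00Z alice 198.51.100.23 sent
2023-01-10T02:14:05Z alice 198.51.100.23 timeout
2023-01-10T02:14:06Z alice 198.51.100.23 sent
2023-01-10T02:14:12Z alice 198.51.100.23 denied
2023-01-10T02:14:13Z alice 198.51.100.23 sent
2023-01-10T02:14:20Z alice 198.51.100.23 timeout
2023-01-10T02:14:21Z alice 198.51.100.23 sent
2023-01-10T02:14:28Z alice 198.51.100.23 denied
2023-01-10T02:14:29Z alice 198.51.100.23 sent
2023-01-10T02:14:40Z alice 198.51.100.23 sent
2023-01-10T02:15:30Z alice 198.51.100.23 approved
2023-01-10T08:30:00Z bob 192.0.2.44 sent
2023-01-10T08:30:04Z bob 192.0.2.44 approved
"""


def parse_line(line):
    """Return (time, user, ip, result), or None for lines that do not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    return ts, m.group(2), m.group(3), m.group(4)


def analyze(lines):
    """Walk push events in order and return findings as a list of dicts.

    push_burst           - PUSH_THRESHOLD pushes to one user inside BURST_WINDOW
    suppressed_push      - a push withheld because the user is in the post-burst cool-down
    approval_after_burst - the user approved within POST_BURST_WATCH of a burst (page the on-call)
    """
    recent_pushes = defaultdict(deque)   # user -> timestamps of pushes in the current window
    burst_at = {}                        # user -> time the last burst was flagged
    suppressed_until = {}                # user -> time until which new pushes are withheld
    findings = []

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, user, ip, result = rec

        if result == "sent":
            if ts < suppressed_until.get(user, ts):
                findings.append({"kind": "suppressed_push", "user": user, "ip": ip, "time": ts})
                continue
            q = recent_pushes[user]
            q.append(ts)
            while ts - q[0] > BURST_WINDOW:      # drop pushes that fell out of the window
                q.popleft()
            if len(q) >= PUSH_THRESHOLD:
                findings.append({"kind": "push_burst", "user": user, "ip": ip,
                                 "time": ts, "count": len(q)})
                burst_at[user] = ts
                suppressed_until[user] = ts + SUPPRESS_FOR
                q.clear()
        elif result == "approved" and user in burst_at and ts - burst_at[user] <= POST_BURST_WATCH:
            findings.append({"kind": "approval_after_burst", "user": user, "ip": ip, "time": ts})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f['time'].isoformat()}  {f['kind']:<22} user={f['user']} ip={f['ip']}")
```

Two design points: the suppression decision is made on the server before the push goes out, so the user never sees the tail of the flood, and “approval after burst” is treated as an incident rather than a successful login, because that is exactly the moment the attacker gets in.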


SIM Swapping

This is another tactic gaining popularity in the criminal underground. The scam begins with a bad actor gathering personal details about the victim, by phishing emails, by buying combo-lists on the dark web, or by directly social engineering the target. Armed with that background information, the bad actor impersonates the victim to the victim’s mobile carrier and asks to move the phone number to a new SIM the attacker controls (or to port it out to another carrier).

Once the carrier is convinced it is speaking with the real account owner, it makes the change. The victim’s handset drops to “no service” as soon as the number moves, but people often do not notice for hours, which is all the time the attacker needs.

What To Do If You are a Victim of SIM Swapping

At this point, the bad actor receives every SMS one-time code for the websites and services where they are attempting to log in, along with any password-reset texts. Contact the carrier first to reclaim the number and set an account or port-out PIN. Then call your bank, halt all transactions, and have your login credentials reset. Every other service tied to the phone number should be reset as well, and its second factor moved off SMS onto an authenticator app or hardware key. SIM swapping can easily lead to identity theft because stolen phone numbers are usually tied to many more services than we initially realize.


4 Tips to Mitigate Risk

1. Employee Training

Unfortunately, we (as humans) are the biggest vulnerability. Mistakes can and will happen; it’s natural. The best way to reduce the risk is through education and proper, ongoing training. Employees should know to deny, not approve, any push notification they did not initiate, and to notify the company’s IT team immediately, even if the request appears to come from an internal source.

2. Push Request Limitations

Another layer of defense is a mechanism that caps push notifications: once an account is hit with continuous push requests in a short window, further pushes are suppressed and the burst is reported to the security team instead of the user.

3. MFA Number Matching

Risk can be reduced even further with number matching, where the login screen shows a number (or series of numbers) and the user must type that number into the authenticator before the request is approved. An attacker’s push arrives without that number on the victim’s screen, so the victim cannot approve it, accidentally or otherwise.

4. Fast Identity Online (FIDO2)

One more layer of protection is authentication with hardware security keys using FIDO2/WebAuthn. The key signs a challenge bound to the website’s origin, so a phishing site cannot replay the response to the real site, and there is no push to approve, so there is nothing for notification spam to wear down.
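To make the number-matching idea in tip 3 concrete, here is an added example (a model written for this article, not Microsoft’s, Duo’s or any other vendor’s implementation) of the server-side challenge: the login page shows a two-digit number, the push asks the user to type it, and the server approves only a correct, first, timely reply. The challenge lifetime, the two-digit range and the user names are assumptions made for the illustration.

```python
import hmac
import secrets
import time
from typing import Optional


class NumberMatchChallenge:
    """One login's push challenge with number matching (illustrative server-side model).

    Flow assumed here, not any particular vendor's implementation:
      1. A login with a valid password creates a challenge; the login page shows `displayed`.
      2. The push sent to the phone asks the user to type the number they see on that page.
      3. The server approves only if the typed number matches, once, and before expiry.
    """
    TTL_SECONDS = 60  # assumed challenge lifetime

    def __init__(self, user: str, now: Optional[float] = None) -> None:
        self.user = user
        self.created = time.time() if now is None else now
        self.displayed = f"{secrets.randbelow(100):02d}"  # two digits shown on the login page only
        self.resolved = False
        self.approved = False

    def expired(self, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return now - self.created > self.TTL_SECONDS

    def respond(self, typed: str, now: Optional[float] = None) -> bool:
        """Handle the authenticator's reply. True only for a correct, timely, first response."""
        if self.resolved or self.expired(now):
            return False
        self.resolved = True  # single use: a second reply, right or wrong, is ignored
        self.approved = hmac.compare_digest(typed.strip(), self.displayed)
        return self.approved


def blind_approval_rate(trials: int) -> float:
    """Fraction of attacker-initiated challenges that succeed when the victim cannot see the
    attacker's login page and just types a fixed guess ("00") to make the prompts stop."""
    successes = sum(NumberMatchChallenge("victim").respond("00") for _ in range(trials))
    return successes / trials


if __name__ == "__main__":
    # Legitimate login: the user reads the number off their own screen.
    ch = NumberMatchChallenge("alice", now=1_000.0)
    print("legitimate approve:", ch.respond(ch.displayed, now=1_010.0))
    print("replayed response:", ch.respond(ch.displayed, now=1_011.0))
    # Fatigue attack: the attacker can push all day, but the number never reaches the victim.
    print(f"blind approval rate over 1000 attacker pushes: {blind_approval_rate(1000):.3f}")
```

The single-use flag matters as much as the number itself: without it, an attacker who watches a legitimate approval could try to reuse the same challenge, and with it a tired user who types a wrong guess has simply closed that challenge rather than weakened the next one.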


The Time to Protect Yourself Is Now

Audit how you manage your important logins such as banking, mortgage, credit cards, corporate access, personal email, and data. First, enable MFA (preferably with an authenticator app or hardware key rather than text codes). Next, if you haven’t changed your password in the last 6 months, or if you suspect it has been exposed, change it. Use long, unique passphrases. If you need to, invest in a password manager to generate and store them. For personal use, this investment may cost less than a cup of coffee and can save a lot of headaches in the future.


How Can Vista Help?

Understanding your security posture in today’s ever-changing vulnerability landscape can be challenging. If your organization has interest or questions about the suggestions in this article, or if you would like to discuss another approach, we’d love to hear from you. At Vista, we’re happy to offer our expertise and help you navigate the path to a secure and assured future.
