Phishing is a fraudulent cyberattack in which threat actors deceive or manipulate users in order to steal sensitive information, relying on a range of social engineering tactics to exploit the people who fall for them.
Such attacks are often mitigated by two-factor authentication (2FA), a form of multi-factor authentication (MFA) that requires users to present two or more authentication factors rather than relying on a password alone to gain access to systems. Combined with an SSL certificate that encrypts sensitive transactions, MFA strengthens both communication security and user authentication.
For business leaders, MFA bypass is a serious concern because such an initial access point can enable severely damaging follow-on actions, such as lateral movement within networks. The resulting unauthorized access can lead to complete loss of access, user impersonation, and data theft, causing large financial losses and reputational damage.
This article provides an in-depth review of various MFA/2FA bypass attack types, recommending a prioritized strategy to counter them.
How Modern Phishing Bypasses 2FA
Two-factor or multi-factor authentication enhances security by requiring two types of credentials: typically something you know, such as a password or PIN, combined with something you have, such as a time-sensitive code or hardware token, or a biometric such as a fingerprint. Even if the password is compromised, a second, independent factor is still required to authenticate.
This raises the bar well beyond password-only authentication because it removes the weakness of relying on a single factor: a threat actor must compromise independent authentication types, which makes unauthorized access considerably harder.
However, attackers have still developed techniques to bypass these measures through phishing. Let's look at some of them:
Phishing Proxies & Reverse Proxies
This has become a leading method for real-time credential and OTP theft. A reverse proxy in a phishing attack places a malicious server between the victim and the legitimate website. When the victim enters credentials and completes 2FA/MFA, everything is relayed to the legitimate site and captured by the attacker at the same time. With the resulting session cookies and credentials, the attacker hijacks the session and locks the victim out.
Such OTP theft is primarily carried out with Adversary-in-the-Middle (AitM) kits, which streamline the process and make it accessible to malicious actors regardless of their technical skill.
MFA Fatigue / MFA Bombing
This is another form of social engineering that exploits human behavior rather than technical flaws: the attacker bombards the user with repeated authentication requests until the victim becomes frustrated or confused and approves one without thinking critically.
Several high-profile breaches, including the Uber data breach in 2022, involved MFA fatigue; in that case the attackers bombarded an employee with requests for more than an hour. The technique works through psychological manipulation rather than through the sheer volume of requests alone.
Session Token Theft in Phishing Kits
Phishing kits today focus on stealing session tokens or cookies rather than just passwords or OTPs. This lets attackers bypass MFA entirely and impersonate the victim, which is harder to detect. Advanced phishing kits such as Evilginx and Tycoon 2FA capture the session token and gain full access, since the token is the key to the ongoing session.
SIM Swapping in Phishing Campaigns
SIM swapping is usually achieved through social engineering of the cellular carrier: if the carrier does not properly verify the requester, the attacker takes over the victim's phone number, a form of account takeover. Once that happens, all SMS messages, including OTPs and MFA codes, are delivered to the attacker's device instead of the legitimate user. Newer technologies such as eSIMs, which use over-the-air profile downloads, make such swaps harder to detect.
Real World Impact of Phishing-Based MFA Bypass
A successful MFA/2FA bypass has severe real-world consequences for organizations and individuals. Threat actors gain unauthorized access to accounts and networks, enabling them to steal high-value assets; a resulting data breach can expose the sensitive data of millions of users.
The financial consequences of MFA bypass attacks are immediate for both businesses and individuals: fraudulent fund transfers or Business Email Compromise can cost millions of dollars.
Attackers may also deploy ransomware, encrypting important files and demanding payment to restore access or to refrain from leaking the data.
An MFA breach damages the company's brand reputation and customer relationships, especially in finance, healthcare and government. Violations of regulations such as GDPR, HIPAA and PCI DSS can bring heavy penalties, mandatory public disclosures and even sanctions.
Mitigation Strategies to Prevent 2FA Bypass
Preventing Multi-Factor Authentication bypass requires a layered and adaptive security strategy.
Adopt Phishing-Resistant MFA: This type of MFA uses asymmetric cryptographic key pairs stored securely on the user's device, in the form of hardware security keys, device-bound passkeys or FIDO/WebAuthn authenticators, which can be unlocked with biometrics.
Instead of OTP codes, it relies on a key pair bound to the web origin/domain. If an attacker lures a user onto a phishing domain, authentication fails because the credential is bound to the legitimate domain and no key exists for the phishing domain.
Detect and Block Phishing Proxies: Behavioral monitoring can detect unusual user interactions or request sequences, and can be strengthened with techniques such as origin binding and TLS fingerprinting.
Origin binding cryptographically ties authentication tokens to a specific web origin or domain. Only responses produced for the legitimate origin are valid, so an attacker cannot relay the exchange through a proxy on a different domain.
TLS fingerprinting examines characteristics of the client's Transport Layer Security handshake, such as the supported cipher suites and extensions. A phishing proxy that terminates the connection on the victim's behalf presents a fingerprint that differs from the victim's real browser, which can be used to identify it.
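The origin check behind phishing-resistant MFA and origin binding, as an added example that is not from the article: a simplified relying-party verification of a WebAuthn-style assertion. RP_ID, EXPECTED_ORIGIN and the use of HMAC-SHA256 as a stand-in for the per-credential ECDSA signature are assumptions made so the example runs with the standard library alone.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical relying party (RP) settings, constructed for this example.
RP_ID = "bank.example"
EXPECTED_ORIGIN = "https://bank.example"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_assertion(cred_key: bytes, browser_origin: str, challenge: bytes) -> dict:
    """Simulate the browser and authenticator. The browser records the origin the
    user is really on in clientDataJSON; the authenticator then signs
    authenticatorData || SHA-256(clientDataJSON). HMAC-SHA256 with a shared key
    stands in for the real per-credential ECDSA signature (stdlib only)."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": browser_origin,
    }).encode()
    # authenticatorData: rpIdHash (32 bytes) || flags (UP set) || 4-byte counter
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return {
        "clientDataJSON": client_data,
        "authenticatorData": auth_data,
        "signature": hmac.new(cred_key, to_sign, hashlib.sha256).digest(),
    }

def verify_assertion(cred_key: bytes, assertion: dict, challenge: bytes) -> str:
    """RP-side checks in the order WebAuthn prescribes. Returns "ok" or the
    name of the failed check, so callers can see why an assertion was rejected."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return "bad_type"
    if client.get("challenge") != b64url(challenge):
        return "bad_challenge"
    # Origin binding: reject anything the browser did not produce on our origin.
    if client.get("origin") != EXPECTED_ORIGIN:
        return "bad_origin"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "bad_rp_id_hash"
    to_sign = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return "bad_signature"  # clientDataJSON was altered after signing
    return "ok"
```

An assertion produced on a look-alike domain fails the origin check, and a proxy that rewrites the origin field afterwards invalidates the signature, which is why the relayed exchange cannot succeed.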
Smarter Push Protections: Limiting the number of push requests sent within a given time frame prevents attackers from flooding users with authentication prompts. Showing the user the requesting device, the timestamp and the source IP address in each prompt also helps them spot suspicious login attempts before approving.
Organizations can monitor for abnormal volumes or patterns of push requests and automatically raise alerts. This significantly reduces push-based MFA bypass and improves authentication assurance.
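The push limits and alerting described above, as an added example that is not from the article: a sliding-window guard that suppresses excess prompts per user, attaches device, time and IP context to each prompt, and raises one alert when a burst crosses a threshold. The policy values and the sample burst are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed policy values for this example, not from the article.
MAX_PROMPTS = 3        # push prompts actually delivered per user per window
WINDOW_SECONDS = 300   # sliding window length in seconds
ALERT_AT = 6           # prompt requests in one window that trigger a SOC alert

class PushPromptGuard:
    """Rate-limits push MFA prompts per user and alerts on bombing patterns."""

    def __init__(self, max_prompts=MAX_PROMPTS, window=WINDOW_SECONDS, alert_at=ALERT_AT):
        self.max_prompts, self.window, self.alert_at = max_prompts, window, alert_at
        self._requested = defaultdict(deque)   # user -> times of every prompt request
        self._delivered = defaultdict(deque)   # user -> times of prompts really sent
        self.alerts = []                       # (user, time, source_ip, count)

    def _trim(self, times, now):
        # Drop entries that have fallen out of the sliding window.
        while times and now - times[0] >= self.window:
            times.popleft()

    def request_prompt(self, user, now, source_ip, device):
        """Return the prompt to show the user, or None if it must be suppressed.
        The prompt carries the context (device, time, IP) the user needs to
        judge the request before approving it."""
        requested = self._requested[user]
        self._trim(requested, now)
        requested.append(now)
        if len(requested) == self.alert_at:      # alert once per burst
            self.alerts.append((user, now, source_ip, len(requested)))
        delivered = self._delivered[user]
        self._trim(delivered, now)
        if len(delivered) >= self.max_prompts:
            return None
        delivered.append(now)
        return {"user": user, "device": device, "timestamp": now, "source_ip": source_ip}

def simulate_bombing():
    """Constructed burst: 10 login attempts for one user within 54 seconds."""
    guard = PushPromptGuard()
    outcomes = [guard.request_prompt("alice", 1000 + 6 * i, "198.51.100.7", "Unknown Linux")
                is not None for i in range(10)]
    return outcomes, guard.alerts
```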
Monitor Authentication Signals: Detecting anomalies such as reused tokens helps surface suspicious activity. Watch in particular for the same token used from geographic locations too far apart to travel between in the elapsed time, which likely indicates a token replay attack.
Use short-lived tokens with refresh-token rotation, and detect reuse of rotated tokens within their validity window to identify exposed tokens.
Also use behavior analytics to spot deviations in login patterns, such as unusual times, locations or device changes, and trigger adaptive authentication when they occur.
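The impossible-travel check for token replay described above, as an added example that is not from the article: detection logic run over a constructed log of token-usage events with coordinates, flagging any token whose consecutive uses imply travel faster than a plausible speed. The log format, the coordinates and the 900 km/h threshold are assumptions.

```python
import math
from datetime import datetime

MAX_PLAUSIBLE_KMH = 900.0  # constructed threshold, roughly airliner speed

# Constructed sample of token-usage events: "<ISO timestamp> <token_id> <lat> <lon>".
# tok_A appears in London and New York 20 minutes apart; tok_B moves Paris -> London in 3.5 h.
SAMPLE_LOG = [
    "2024-05-01T09:00:00+00:00 tok_A 51.5074 -0.1278",
    "2024-05-01T09:00:00+00:00 tok_B 48.8566 2.3522",
    "2024-05-01T09:20:00+00:00 tok_A 40.7128 -74.0060",
    "2024-05-01T12:30:00+00:00 tok_B 51.5074 -0.1278",
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def parse_event(line):
    ts, token, lat, lon = line.split()
    return datetime.fromisoformat(ts), token, float(lat), float(lon)

def find_impossible_travel(lines, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag tokens whose consecutive uses imply travel faster than max_kmh.
    Events are processed in time order; the first use of each token is the baseline."""
    events = sorted(parse_event(line) for line in lines)
    last_seen = {}
    findings = []
    for ts, token, lat, lon in events:
        if token in last_seen:
            prev_ts, prev_lat, prev_lon = last_seen[token]
            dist_km = haversine_km(prev_lat, prev_lon, lat, lon)
            hours = (ts - prev_ts).total_seconds() / 3600
            # Zero elapsed time with non-zero distance is an outright replay.
            speed = dist_km / hours if hours > 0 else (math.inf if dist_km > 0 else 0.0)
            if speed > max_kmh:
                findings.append({"token": token, "from": prev_ts.isoformat(),
                                 "to": ts.isoformat(), "km": round(dist_km),
                                 "kmh": round(speed)})
        last_seen[token] = (ts, lat, lon)
    return findings
```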
User Training and Incident Playbooks: Because the human element is central to phishing attacks, user training is essential both to prevent MFA bypass and to respond to it quickly.
Training should cover recognizing fake pages by checking HTTPS indicators and being wary of unexpected requests or unusual branding. Train users across the channels attackers use, such as email, SMS and chat apps, to reduce the attack surface, and raise awareness of fatigue attacks and the danger of false approvals so that MFA requests are handled cautiously.
Organizations can also provide a one-click report button so that users can quickly report phishing attempts or any other suspicious activity inside their systems.
Conclusion
Preventing phishing-based MFA bypass requires moving beyond traditional OTP methods.
Organizations are encouraged to assess their current authentication mechanisms, identify potential weaknesses and work towards implementing phishing-resistant MFA. A Zero Trust Architecture, built on the principle of "trust no one, verify everything", is fundamental to this effort.
Taking these steps reduces the risk of sophisticated phishing attacks and authentication bypass, and of the security incidents that follow from them.