Even with Multifactor Authentication (MFA) Enabled, Password Security Still Matters
How Hackers are Bypassing MFA
1. Adversary-in-the-Middle (AiTM) Attack
AiTM attacks are similar to what we’ve seen from hackers in the past, with a unique new spin. Hackers are creating fake websites that look almost identical to legitimate websites. These fake websites are used to deceive users into believing they are logging into a real account. Users enter their login credentials into the hacker’s fake website, and as soon as the hackers see the credentials arrive, they use those credentials to log in to the actual website, which triggers the multifactor authentication email, text message, or phone alert to the user. The user then enters the code on the fake website, and the hackers relay that code to log in to the actual website.
Prevention: These fake websites are typically sent out via phishing emails or spear phishing emails. Spear phishing is a form of phishing that targets specific individuals or organizations. The most basic way to avoid falling victim to this form of AiTM attack is not clicking the link in the email. When users receive emails with a link to view or sign into an account, don’t use the link in the email to get to the login page. Open a new tab or window in the browser and type in the URL, or Google search the company to find the login page, or even open the mobile application to sign in.
Just DON’T CLICK THE LINK!
2. MFA Prompt Bombing / MFA Fatigue Attack
Some mobile applications offer multifactor authentication in the form of a notification being sent to a smartphone, which opens the mobile application and gives the user the option to approve or deny the login attempt. MFA Prompt Bombing is a tactic hackers have started using after compromising a password (through the usual methods of phishing emails, etc). The hacker will attempt to log in to a user’s account, which sends the user’s phone the notification for approval. The user may find it rather unexpected, so they deny the notification. The hacker will then attempt to log in again, sending a second notification to the user’s phone. The user denies it again. The hacker will continually attempt to log in, spamming the user with MFA notifications, hoping that eventually, the user will either click approve by accident or get so fed up with the notifications, that they click approve to make it stop.
Example: In one instance, when Uber was hacked in 2022, an external contractor who was on the receiving end of the MFA Prompt Bombing received a message on WhatsApp from the attacker, pretending to be Tech Support. The message advised the user to accept the MFA prompt. This message is what caused the attack to be successful.
Prevention: If a user finds themselves in the middle of an MFA Prompt Bombing attack, it is likely that the hacker already knows the user’s password – if they didn’t have the correct password, they wouldn’t progress to the MFA screen. Rather than just denying the login attempt over and over again, hoping it will stop, try logging into that account and changing the password. Ideally, that would stop the prompt bombing because the hacker would no longer have the correct password.
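The pattern described above, a burst of rejected push prompts for one account followed by an approval, is visible to defenders in authentication logs. The following is an added example, not code from the original article: a small detector over constructed sample log lines (the three-field "timestamp user result" format and the result names "denied", "expired" and "approved" are assumptions for this example).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log: "<ISO timestamp> <user> <result>" per line.
SAMPLE_LOG = """\
2024-02-24T09:00:05Z alice denied
2024-02-24T09:00:40Z alice denied
2024-02-24T09:01:10Z alice denied
2024-02-24T09:01:45Z alice expired
2024-02-24T09:03:30Z alice approved
2024-02-24T09:05:00Z bob denied
2024-02-24T11:00:00Z bob approved
"""

def parse_log(text):
    """Turn log lines into (datetime, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events

def detect_prompt_bombing(events, threshold=3, window=timedelta(minutes=10)):
    """Flag users with >= threshold rejected pushes inside a sliding window,
    and mark whether an approval followed that burst (likely fatigue)."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    alerts = {}
    for user, evs in by_user.items():
        recent = []      # rejected-push timestamps still inside the window
        burst = False    # has this user crossed the threshold yet?
        for ts, result in evs:
            recent = [t for t in recent if ts - t <= window]
            if result in ("denied", "expired"):
                recent.append(ts)
                if len(recent) >= threshold:
                    burst = True
                    entry = alerts.setdefault(user, {"rejected_pushes": 0,
                                                     "approved_after_burst": False})
                    entry["rejected_pushes"] = max(entry["rejected_pushes"], len(recent))
            elif result == "approved" and burst and recent:
                # Approval while rejected pushes are still in the window: treat as
                # a probable successful fatigue attack, not a normal login.
                alerts[user]["approved_after_burst"] = True
    return alerts
```

A user flagged with approved_after_burst is the case where the password should be assumed compromised and the session reviewed, which is exactly the situation the prevention advice above addresses.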
3. Service Desk Attacks
Hackers have learned they can bypass MFA by making phone calls to a help desk phone number, pretending to be a user who has forgotten their password. If the service representative on the phone does not enforce the proper verification procedures, they may grant access to hackers.
Example: The hackers behind the recent MGM Resorts attack used this method, calling to reset a password. The representative unknowingly gave the hackers access to their network, where they were able to upload malware to launch a ransomware attack.
It is abundantly clear that users MUST continue to pay attention to their security, even with all of their security measures in place. There are several ways for hackers to bypass security measures, so staying vigilant is key (and doesn’t take too much effort). Avoid clicking the links in emails, especially links to log in to accounts. If for some reason you do click the link in the email, pay attention to the URL – is it the real website? Additionally, password security is still important, even with all the additional security procedures in place. Make the effort to regularly change your passwords and, when you do change them, make them unique for each account, with a mix of upper- and lower-case letters, numbers, and special characters. Using a strong, unique password for each account makes guessing passwords more difficult for hackers and spammers.
-Emily Comora
The Hacker News (2024, Feb 24). 4 Ways Hackers use Social Engineering to Bypass MFA. The Hacker News. Retrieved from https://thehackernews.com/2024/02/4-ways-hackers-use-social-engineering.html
