Legacy MFA refers to solutions such as one-time passwords (OTP) delivered over SMS or generated by mobile apps, technology that is 20 years old. Using it is better than having no MFA at all, but cybercriminals have developed sophisticated techniques and tools that regularly defeat legacy multifactor authentication (MFA). MFA significantly enhances account security, yet not all MFA is created equal, and attackers exploit human weaknesses to cause billions of dollars in losses. Here are the most common tactics, techniques and procedures (TTPs) used by cybercriminals.
Phishing
This is the simplest of the attacks. Cybercriminals trick users into entering their credentials and MFA codes into fake login pages that are indistinguishable from the real thing. It starts with the user receiving a phishing email that directs them to a credential-stealing website. After the user enters their credentials and the MFA code, the attacker uses them to log in to the legitimate website. Modlishka and Evilginx are phishing tools found on the dark web that are used to execute these types of attacks.
MFA Fatigue (Push Bombing)
In this attack, cybercriminals flood the victim's device with repeated MFA approval requests via push notifications. Once the attacker has the username and password (remember that billions of these are available on the dark web), they simply attempt to log in over and over again. Many times the victim will approve one of the requests out of exhaustion or confusion.
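The push-bombing pattern described above can be spotted in authentication logs: a burst of push prompts to one user, several denials, and then an approval. The detector below is an added example written for this article (not a product or vendor tool); the log format and the sample lines are constructed, and the threshold and window are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not taken from the article). Each line is
# "<ISO timestamp> <user> <push result>", where result is one of sent/denied/approved.
SAMPLE_LOG = """\
2024-05-01T09:00:02 alice sent
2024-05-01T09:00:10 alice denied
2024-05-01T09:00:41 alice sent
2024-05-01T09:00:55 alice denied
2024-05-01T09:01:20 alice sent
2024-05-01T09:01:27 alice denied
2024-05-01T09:02:05 alice sent
2024-05-01T09:02:30 alice approved
2024-05-01T09:05:00 bob sent
2024-05-01T09:05:09 bob approved
"""

def parse_log(text):
    """Parse log lines into (timestamp, user, result) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return sorted(events)

def detect_push_bombing(text, threshold=3, window=timedelta(minutes=5)):
    """Flag users who got at least `threshold` push prompts inside any sliding
    `window`. Report the peak prompt count, the number of denials, and whether
    an approval came after a denial (the 'gave in out of exhaustion' pattern)."""
    by_user = defaultdict(list)
    for ts, user, result in parse_log(text):
        by_user[user].append((ts, result))
    findings = {}
    for user, events in by_user.items():
        prompts = [ts for ts, r in events if r == "sent"]
        peak, start = 0, 0
        for end in range(len(prompts)):          # two-pointer sliding window
            while prompts[end] - prompts[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue                             # normal prompt volume
        denials = [ts for ts, r in events if r == "denied"]
        approvals = [ts for ts, r in events if r == "approved"]
        gave_in = bool(denials) and any(a > denials[0] for a in approvals)
        findings[user] = {"prompts": peak, "denials": len(denials),
                          "approved_after_denial": gave_in}
    return findings
```

A hit with `approved_after_denial` set is the case worth escalating: the account should be treated as compromised until the session is revoked and the user contacted out of band.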
Man-in-the-Middle (MitM)
The hackers lure victims to websites that appear identical to legitimate websites, with full functionality. In reality, the victim is interacting with a malicious website, but everything appears normal. The cybercriminals sit between the victim and the legitimate website, intercepting all the communication and then acting as the user to conduct whatever harmful activities they wish.
SIM Swapping
This attack is far more common than most would imagine. Attackers convince the victim's mobile carrier to transfer the victim's phone number to a SIM card under the attacker's control. Once the phone number is hijacked and enabled on another device, the cybercriminal intercepts SMS-based MFA OTP codes and uses them to gain access.
Exploiting Backup Authentication Methods
Many legacy MFA solutions offer backup methods, such as email or security questions, which are significantly less secure. In this attack, the cybercriminals target these less secure backup options by exploiting compromised email accounts or by answering security questions with information about the victim scraped from the web.
Session Hijacking
After a legitimate user has logged in with their credentials and their organization's MFA method, the cybercriminals steal the authenticated session cookies to bypass the need to log in again with MFA. In this attack, the cybercriminals use a Man-in-the-Middle (MitM) technique (sitting secretly between the user's device and the server) to intercept session cookies, among other information. These cookies can then be used to take over authenticated sessions, meaning access to the network and data, without triggering the need to authenticate again.
Social Engineering
This technique is more old school and often relies on direct communication with the victim by telephone. In this attack, the cybercriminals deceive the victim into providing the legacy MFA OTP code directly to them. The most common scenario is for the attacker to pretend to be from the organization's IT support or another trusted party who must have the victim's code for an important business purpose.
Other Attack Methods
There are several other attack methods that hackers use to bypass legacy MFA. These include brute-forcing MFA codes, malware and keyloggers, using stolen recovery codes, and API exploitation. Phishing-resistant, next-generation MFA is not vulnerable to any of these types of attacks and delivers a significant improvement in access security.