June 29, 2021
2 Sneaky Attacker Tricks for Taking Over Risk-Based Multifactor Authentication
Multifactor authentication, which restricts attackers from capitalizing on the use of compromised credentials, has been on the rise. Learn more in this blog
Enterprises large and small have utilized various means to secure someone's digital identity, and credentials are the starting point. The F5 Labs 2021 Credential Stuffing Report indicates that 1.8 billion credential sets were spilled in 2020 alone. Such a huge stash of credentials is a massive threat to digital identities. An effective mitigation strategy for this threat, one that various regulatory bodies and security practitioners recommend, is to enforce multifactor authentication (MFA).
MFA, which restricts attackers from capitalizing on the use of compromised credentials, has been on the rise. It requires the user to provide two or more different types of factors. Typically, it's something the user knows (such as a password) and something the user has. The second factor is usually a code sent via text message, a hardware token or a dedicated multifactor authentication app. After entering a username and password, the user must enter the code to complete the login.
However, it is worth noting that not all authentication systems are created equal, and unsuspecting users can be tricked into providing the second factor. Social engineering is a prevalent way of getting a user to divulge the second factor, but fraudsters have also employed technologically sophisticated ways to bypass MFA. This article evaluates two tricks attackers use to game authentication systems.
Trick 1: Capitalizing on Trusted Sessions
No doubt, the user experience suffers because of MFA. To make this less inconvenient for customers, many websites employ techniques to identify a user device and register the information after the user provides a second authentication factor and consents to trust their device. Once registered, transactions from those devices are deemed safe.
For example, an e-commerce website establishes trust with a user device by enforcing MFA on the first logon. It then subsequently allows transactions from this trusted user device, which may include use of credit card details stored in the user's profile. This improves the experience for the user, who is not forced to provide a second factor for every transaction. However, any deviation from the user's stored risk profile, such as a known user logging in from a new device, initiates a multifactor verification.
Typically, once a device is identified, the information is stored in the form of a cookie on the client-side, which will be used to identify the device on the server-side. A known device is supposedly less risky and does not trigger additional authentication. Fraudsters understand this process, and there is a thriving marketplace named Genesis Store that helps enable these bad actors. For example, a fraudster can obtain device fingerprints and associated cookies and credentials with ease, as shown in Figure 1.
Figure 1. Genesis bot for sale with access to 467 digital resources.
An analysis of data collected from January through May 2021 from a leading financial institution showed fraudsters making targeted attacks using Genesis. About 1,500 requests were aimed at either logons or change password requests using a Genesis plugin that spoofed the attacker's device as the customer's device. These requests, which produced around 900 unique browser fingerprints, were crafted to trick the financial institution's antifraud solution and to potentially prevent triggering multifactor authentication that the attacker might not have access to.
Trick 2: Using Real-Time Phishing Proxies
In the 2020 Phishing and Fraud Report, F5 Labs researchers noted a rise in the use of real-time phishing proxies (RTPP). Simply put, RTPP is a different take on phishing. Instead of setting up fake websites, fraudsters use a person-in-the-middle technique that intercepts users' transactions on the genuine website.
Traditional phishing attacks are asynchronous in nature, as the fraudster's objective is to collect credentials and utilize them at a different time. MFA-enabled accounts are a dampener to these phishing attempts, as they usually rely on time-sensitive tokens that cannot be reused. RTPPs transform phishing from asynchronous to real-time, enabling attackers to capture MFA codes or the authenticated session cookies. Armed with these, fraudsters can impersonate a genuine user and complete transactions.
F5 Labs, along with Shape Security researchers, analyzed one such campaign targeting a financial institution. In this attack campaign, cybercriminals set up a spoofed domain and lured customers to access it using various phishing techniques. During the four-week period in which F5 studied the active attack campaign, researchers spotted an interesting anomaly about the devices. This threat actor group was limited to real devices and more than 55,000 attempts were made for 4,127 accounts from a single device. The attackers used a few other devices, but the account-to-device ratio was disproportionate. Table 1 shows the account-related details of five unique devices used in this campaign.
5 tips to prevent MFA attacks
Multifactor authentication enhances security for online accounts and makes it more difficult to compromise an account. But it diminishes the user experience, and businesses often design easier paths based on risk assessment. Fraudsters and attackers are on the lookout for these easy paths and employ a range of techniques to bypass MFA controls. This makes it essential to understand the threat landscape and implement MFA accordingly.
- Tie MFA to specific transactions and adopt a risk-based approach
- Analyze affinity of account-to-device and device-to-account to spot anomalies
- Deploy controls to check if an endpoint is trying to spoof its fingerprint
- Detect automated transactions
- Train users to treat credentials and MFA codes as confidential
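The account-to-device affinity check in tip 2 is what exposed the RTPP campaign above (tens of thousands of attempts for thousands of accounts from one device). Here is an added example of that analysis, not F5's own tooling: it parses a constructed authentication log (the `timestamp account device_id outcome` format and the threshold are assumptions) and flags devices that touch far more accounts than a shared household device would.

```python
"""Account-to-device affinity check over a constructed login log.
Added illustration, not code from the article or from F5 Labs."""
from collections import defaultdict

# Constructed sample log, one line per login attempt:
# timestamp account device_id outcome
# dev-7f3a plays the campaign's single device driving many accounts.
SAMPLE_LOG = """\
2021-03-01T10:00:01Z alice dev-7f3a success
2021-03-01T10:00:05Z bob   dev-7f3a fail
2021-03-01T10:00:09Z carol dev-7f3a fail
2021-03-01T10:00:13Z dave  dev-7f3a fail
2021-03-01T10:00:17Z erin  dev-7f3a fail
2021-03-01T10:00:21Z frank dev-7f3a success
2021-03-01T11:15:00Z alice dev-0c12 success
2021-03-01T11:16:00Z alice dev-0c12 success
2021-03-02T09:30:00Z bob   dev-9b44 success
"""

def parse_log(text):
    """Return (account, device) pairs from the assumed log format."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, account, device, _outcome = line.split()
        rows.append((account, device))
    return rows

def affinity(rows):
    """Build device -> {accounts} and account -> {devices} maps,
    plus a raw attempt count per device."""
    dev_to_acct = defaultdict(set)
    acct_to_dev = defaultdict(set)
    attempts = defaultdict(int)
    for account, device in rows:
        dev_to_acct[device].add(account)
        acct_to_dev[account].add(device)
        attempts[device] += 1
    return dev_to_acct, acct_to_dev, attempts

def flag_devices(rows, max_accounts_per_device=3):
    """Devices whose distinct-account count exceeds the (assumed) threshold.
    Returns [(device, distinct_accounts, attempts)] sorted by account count."""
    dev_to_acct, _, attempts = affinity(rows)
    hits = [(d, len(a), attempts[d]) for d, a in dev_to_acct.items()
            if len(a) > max_accounts_per_device]
    return sorted(hits, key=lambda h: -h[1])
```

The same maps serve the reverse check (one account seen on an unusual number of devices), which is the other half of tip 2.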