One suggestion that stands out above the rest in terms of access security is multi-factor authentication ( MFA ). Since hackers can easily crack passwords on their own, MFA offers a crucial layer of defense against breaches. It’s crucial to keep in mind that MFA is not impenetrable. It is frequently possible to avoid it.

Hackers with compromised passwords have a number of options for getting around MFA’s added security. We’ll go over four social engineering strategies that successful hackers can use to break into MFAs and emphasize the value of layering defense with a strong password.

1. Attacks known as “adversary-in-the-middle” (AITM)

Users are tricked into thinking they are logging into a legitimate network, application, or website during AITM attacks. However, in reality, they are entrusting a fake lookalike with their information. Hackers can use this to manipulate security measures, such as MFA prompts, and intercept passwords.

A spear-phishing email, for instance, might show up in an employee’s inbox and pose as a reliable source. They are taken to a fake website where hackers gather their login information by clicking on the embedded link.

Hackers can use a method known as “2FA pass-on,” even though MFA should ideally prevent these attacks by requiring an additional authentication factor. The attacker immediately enters the same information on the real site after the victim has entered their credentials there.

The victim anticipates and readily accepts the legitimate MFA request that results, unintentionally giving the attacker full access.

Threat organizations like Storm- 1167, which are known for creating fictitious Microsoft authentication pages to steal credentials, frequently employ this strategy.

Additionally, they design a second phishing page that imitates the Microsoft login MFA step, asking the victim to enter their ownMFA code and let the attackers in. They can then use a legitimate email account as the starting point for an extensive phishing attack after gaining access to it.

2. prompt bombing by MFA

This strategy makes use of contemporary authentication apps ‘ push notification functionality. Attackers attempt to log in after compromising a password, sending the legitimate user’s device an MFA prompt.

To stop the notifications, they rely on the user either accepting it after mistaking it for a real prompt or growing impatient with persistent prompts. MFA prompt bombing, a method, is extremely dangerous.

In a well-known incident, the 0ktapus group’s hackers used SMS phishing to crack the login information of an Uber contractor before continuing the machine-controlled authentication process and asking for an MFA code right away.

The contractor was then persuaded to accept the MFA push notification on their phone by them pretending to be an Uber security team member on Slack.

3. attacks on the service desk

Attackers use phone calls to pretend to have forgotten their passwords in order to trick help desks into avoidingMFA. Service desk staff members run the risk of unintentionally opening the door for hackers into their company’s environment if they do n’t strictly enforce the necessary verification procedures.

A recent instance is the MGM Resorts attack, in which a ransomware attack was launched after the Scattered Spider hacker group fraudulently attempted to reset the password at the service desk.

Hackers also use service desk manipulation to get around MFA in an effort to take advantage of recovery settings and backup procedures. If prompt MFA bombing is unsuccessful, 0ktapus have been known to turn to attacking a company’s service desk.

They will ask to sign up for a new, attacker-controlled MFA authentication device after contacting service desks and claiming their phone is broken or lost. By sending a password reset link to the compromised device, they can then take advantage of the company’s recovery or backup procedure. Concerned about security gaps at the service desk? Find out how to keep yours safe.

4. switching SIMs

Cybercriminals are aware that MFA frequently uses mobile devices for authentication. They can take advantage of this by using a “SIM swap” technique, in which service providers are tricked into giving them control over the transfer of services from one target to another. The target’s cell service and phone number can then be effectively taken over, allowing them to intercept MFA prompts and access accounts without authorization.

Microsoft released a report outlining the strategies used by the threat group LAPSUS$ following an incident in 2022. According to the report, LAPSUS spends a lot of money on social engineering campaigns to establish connections with the intended organizations. They frequently use SIM-swapping attacks on users, MFA prompt bombing, and help desk social engineering to reset a target’s credentials.

Password security is still important, so you ca n’t completely rely on MFA.

There were other ways to get around MFA besides this one. There are a number of additional methods as well, such as deviating from the norm, exporting generated tokens, utilizing SSO, and identifying technical flaws. It is obvious that organizations cannot completely forget about password security after establishingMFA.

Still, weak or compromised passwords are frequently the first sign of account compromise. An attacker can shift their attention to getting around the MFA mechanism once they have a working password.

If a password has been breached or reused more than once, it can no longer protect users. Additionally, going completely passwordless wo n’t be practical for the majority of organizations.

Strong Active Directory password policies can be implemented by using a tool like Specops Password Policy to get rid of weak passwords and keep an eye out for password compromises brought on by phishing attacks, password reuse, or being sold.

As a result, MFA is made sure to act as an extra layer of security as intended rather than being the only option. Please get in touch with us if you’re interested in learning more about how Specops Password Policy can meet the unique needs of your company.

New Research Exposes Significant SaaS Vulnerabilities: How Nation-State Actors Target Your Business(Opens in a new browser tab)