In a warning issued by the Federal Bureau of Investigation's (FBI) cyber division, private industry has been warned about attacks able to bypass multi-factor authentication (MFA). According to the law enforcement agency, this is done through a combination of social engineering and SIM swapping tools elaborated upon at a developer conference in June 2019. The warning specifically alerts private industries and individuals to attacks using SIM swapping, vulnerabilities in online pages handling MFA operations, and the use of transparent proxies like Muraena and NecroBrowser. Used together correctly, these tools can bypass softer forms of MFA: the first intercepts login credentials, and the latter stores the data and hijacks the session cookie to log into the now compromised accounts.
Within the report the FBI went on to list a number of examples witnessed by law enforcement of attacks effectively bypassing MFA. The first listed occurred in 2016 when customers of a US banking institution were targeted by a hacker who ported phone numbers to a phone he owned, in other words, a traditional SIM swap attack. The FBI further elaborated that,
“The attacker called the phone companies' customer service representatives, finding some who were more willing to provide him information to complete the SIM swap. Once the attacker had control over the customers' phone numbers, he called the bank to request a wire transfer from the victims' accounts to another account he owned. The bank, recognizing the phone number as belonging to the customer, did not ask for full security questions but requested a one-time code sent to the phone number from which he was calling. He also requested to change PINs and passwords and was able to attach victims' credit card numbers to a mobile payment application.”
During 2018 and 2019, the cyber division received numerous complaints from victims of attacks where it appeared that MFA had been bypassed, often resulting in bank accounts being compromised and funds fraudulently transferred. In one instance, a hacker logged into a targeted institution's banking portal with stolen victim credentials and, on reaching the secondary page where the customer would normally need to enter a PIN and answer a security question, entered a manipulated string into the web URL.
This manipulated string changed settings to the extent that the hacker's computer was treated as one recognized on the account. This allowed him to bypass the PIN and security question pages and initiate wire transfers from the victims' accounts.
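As an added illustration (not from the FBI warning or this article), the following Python shows, in constructed form, the class of flaw described above: a step-up check that trusts a client-controlled URL parameter to decide whether a device is "recognized", beside a hardened check that only honours a server-signed token bound to the account. The parameter name `trusted_device`, the token format and the key are assumptions; the actual string used in the incident is not given.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Assumed server-side key for this example; a real service loads it from a secrets store.
SERVER_SECRET = b"constructed-example-key"


def vulnerable_skip_step_up(url: str) -> bool:
    """Vulnerable pattern: a client-supplied URL parameter decides whether the
    device counts as recognized, so anyone can set it and skip PIN/questions."""
    params = parse_qs(urlparse(url).query)
    return params.get("trusted_device", ["0"])[0] == "1"


def issue_device_token(account_id: str) -> str:
    """Issue a device-recognition token after a full MFA login. The token is
    bound to the account and signed with the server key; it is meant to be
    stored in an HttpOnly cookie, never passed in the URL."""
    device_id = secrets.token_hex(16)
    tag = hmac.new(SERVER_SECRET, f"{account_id}:{device_id}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{account_id}:{device_id}:{tag}"


def hardened_skip_step_up(account_id: str, url: str, cookies: dict) -> bool:
    """Hardened pattern: the URL is ignored entirely. Step-up is skipped only
    when the cookie carries a token whose signature verifies and whose
    account matches the account being accessed."""
    del url  # deliberately unused: nothing in the request URL affects trust
    token = cookies.get("device_token")
    if not token:
        return False
    try:
        tok_account, device_id, tag = token.split(":")
    except ValueError:
        return False
    if tok_account != account_id:
        return False
    expected = hmac.new(SERVER_SECRET, f"{tok_account}:{device_id}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)
```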
The warning lists several other examples that make for interesting, if worrying, reading, and reading the warning in full is advised. Of particular interest are developments since the developer conference in Amsterdam regarding the SIM swapping tools listed above, about which the FBI noted,
“At the June 2019 Hack-in-the-Box conference in Amsterdam, cyber security experts demonstrated a pair of tools - Muraena and NecroBrowser - which worked in tandem to automate a phishing scheme against users of multi-factor authentication. The Muraena tool intercepts traffic between a user and a target website where they are requested to enter login credentials and a token code as usual. Once authenticated, NecroBrowser stores the data for the victims of this attack and hijacks the session cookie, allowing cyber actors to log into these private accounts, take them over, and change user passwords and recovery e-mail addresses while maintaining access as long as possible.”
MFA Still a Vital Security Measure
While the ability of certain threat actors to bypass MFA is worrying, instances are rare and the FBI went to great pains to reiterate that enabling MFA is still important. MFA, which can be broadly defined as any online security measure that requires more than one form of authentication such as a password and PIN, should be enabled wherever possible. Recent articles published by both Google and Microsoft illustrate how rare these attacks are despite the increase. Microsoft reported that MFA compromise attacks amount to 0.1% of the attacks affecting the general population. In Google’s article, they shared a very similar sentiment but went further, regarding the effectiveness and importance of MFA, to state,
“Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation.”
In summary, it is safe to say that enabling MFA wherever possible is still strongly advised. These attacks are rare, and, in the case of attackers using tools similar to Muraena and NecroBrowser, they still require a lot of technical knowledge to pull off. When you compare the number of attacks MFA effectively prevents with the number of MFA bypass attacks, it would be silly to think of MFA as completely compromised. For instance, if the MFA also includes biometric authentication, hackers will find it near impossible to bypass such a requirement.
Measures can indeed be taken to defend against such attacks, and the FBI advises that, along with making employees and administrators aware of such attacks, corporations can further:
- Educate users and administrators to identify social engineering trickery. This includes how to recognize fake websites, not to click on rogue links in e-mail (or to block those links entirely), and how to handle common social engineering tactics.
- Consider using additional or more complex forms of multi-factor authentication for users and administrators such as biometrics or behavioral authentication methods, though this may add inconvenience to these users.