How Hackers Beat Multi-Factor Authentication (MFA) using Enhanced Techniques and MFA Fatigue

What is Multi-Factor Authentication (MFA)?
Before MFA, threat actors had long relied on stolen usernames and passwords to gain unauthorized access to personal, business, and government resources.

Multi-Factor Authentication (MFA) uses biometrics, SMS messages, or mobile applications to verify a user trying to log in to email, cloud file shares, and social media, to name a few. According to the Microsoft article “Your Pa$$word doesn’t matter”, user accounts are 99.9% less likely to be compromised when multi-factor authentication is used. (1)

With this statistic in mind, it’s not surprising that threat actors have been focusing their efforts on bypassing MFA.

MFA Attacks You Should Be Aware Of

SIM Swapping
SIM is an acronym for Subscriber Identity Module, a small card in your mobile phone used to connect to your mobile service. SIM swapping, also called SIM Hijacking, occurs when a hacker makes a copy of your SIM card and registers it with your mobile service provider. The hacker proceeds to sign on to one of your online services like banking, email, and file sharing, to name a few. The sign-on triggers an MFA challenge asking for a code, but now the hacker receives the code instead of you.

SIM Swapping is not new. In 2019, the “Chuckling Squad” Threat Actor (TA) group used a simple text-to-tweet service to take over Twitter CEO Jack Dorsey’s account. The hackers used Twitter’s text-to-tweet service, operated by Cloudhopper. Using this service, Twitter users could post tweets via text messages to a short code number, usually 40404. (2) Chuckling Squad used Jack Dorsey’s account to send offensive messages to 4.2 million followers. This incident is a reminder of how insecure phone-based authentication is.

MFA Fatigue
MFA Fatigue is the result of bombarding victims with smartphone notifications to trick them into granting access to an online account. The attack succeeds when the victim either inadvertently approves the request or becomes frustrated with the notifications and knowingly approves it.

MFA attacks are made possible through compromised credentials (stealing the victim’s usernames and passwords). A typical user requires multiple usernames and passwords to access their various online services. Often these services are compromised, leading to the theft of user credentials. Once threat actors have a username, they have sophisticated tools to determine a valid password.

How to Stop MFA Attacks

Detecting SIM Swapping
Here are some of the signs of a SIM Swapping attack and actions to consider:

  1. You can’t make calls or send a text. Threat actors may have deactivated your SIM card and used your phone number. Immediately contact your mobile carrier and your information security department to report the issue.
  2. The inability to access your account indicates that your username or password may have been changed. Contact the providers to make them aware you can no longer access your account and verify any recent account activity.
  3. There are transactions you don’t recall. If this is a bank or credit card account, cybercriminals may have made unauthorized purchases; immediately contact the provider and verify all recent activity.

Detecting an MFA Fatigue Attack
Generally, this attack occurs using a mobile application. Once the threat actors have a victim’s credentials, they flood the victim’s phone with authentication request notifications. You should never be surprised when you receive an authentication request. If that happens, make sure you do not approve the request. If you’re able, change your password and let your service provider or information security team know what has happened. Remember, threat actors are trying to trick and frustrate you into approving. Don’t do it.
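For security teams, the notification flood described above leaves a pattern in sign-in logs: many unapproved push prompts for one user in a short period, sometimes ending in an approval. The following Python is an added example, not part of the original article; the event layout, result values, threshold and window are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample push-MFA events: (timestamp, user, result).
# The tuple layout and result values are assumptions for this example,
# not any identity provider's real log schema.
SAMPLE_EVENTS = [
    ("2024-03-01T02:10:05", "alice", "denied"),
    ("2024-03-01T02:10:40", "alice", "timeout"),
    ("2024-03-01T02:11:15", "alice", "denied"),
    ("2024-03-01T02:11:50", "alice", "timeout"),
    ("2024-03-01T02:12:30", "alice", "denied"),
    ("2024-03-01T02:13:02", "alice", "approved"),
    ("2024-03-01T09:00:00", "bob", "approved"),
    ("2024-03-01T09:30:00", "carol", "denied"),
    ("2024-03-01T13:00:00", "carol", "approved"),
]

def detect_mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Flag users who get `threshold`+ unapproved push prompts inside
    `window`, and mark whether an approval followed the burst."""
    recent = defaultdict(deque)  # user -> times of recent unapproved prompts
    alerts = {}                  # user -> alert (one per user, for brevity)
    for ts_text, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        q = recent[user]
        while q and ts - q[0] > window:  # expire prompts outside the window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= threshold and user not in alerts:
                alerts[user] = {"user": user, "prompts": len(q),
                                "burst_start": q[0].isoformat(),
                                "approved_after_burst": False}
        elif result == "approved":
            # An approval while a burst is still in the window is the
            # outcome the attacker wants: treat it as a likely compromise.
            if user in alerts and len(q) >= threshold:
                alerts[user]["approved_after_burst"] = True
            q.clear()
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An alert with `approved_after_burst` set is the case to escalate first, since it suggests the user gave in to the prompts.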

According to the FBI, Multi-Factor Authentication continues to be a strong and effective security measure to protect online accounts, as long as users take precautions to ensure they do not fall victim to these attacks. (3)

While MFA attacks are rare, the threat is very real.

If you would like to talk to us about this article or have questions about the resistance of your organization’s cybersecurity posture, please contact us via the form below and one of our trusted team members will get back to you. 

(1) “Your Pa$$Word Doesn’t Matter.” TECHCOMMUNITY.MICROSOFT.COM, 8 May 2022

(2) Brandom, Russell. “The Frighteningly Simple Technique That Hijacked Jack Dorsey’s Twitter Account.” The Verge, The Verge, 31 Aug. 2019

(3) “FBI Cyber Bulletin: Cyber Criminals Use Social Engineering and Technical Attacks to Circumvent Multi-Factor Authentication: Public Intelligence.” Public Intelligence, 7 Oct. 2019
