
How Hackers Bypass MFA and What You Can Do About It


Google’s cybersecurity subsidiary Mandiant fell victim to a scammer earlier this year. An attacker hijacked the company’s X (formerly Twitter) account and defrauded a large number of users with cryptocurrency fraud.

It turns out that multi-factor authentication is not a foolproof solution, not for cybersecurity companies and not for regular users. Hackers can bypass MFA, and many techniques for doing so have proven successful.

Advanced Malware and Data Theft

A Malwarebytes Labs researcher explained in January that Google’s MFA can be bypassed. In short, stealing an authentication token is enough. Hackers can do this with an information-stealing Trojan that collects data from the victim’s system. The consequences of such an attack can be serious, and even changing the password will not help the victim, because the stolen token remains valid.

An example of this type of malware is Medusa Thief. It extracts data from hundreds of browsers, MFA apps, crypto wallets, and password managers. The tool is distributed by subscription to select hackers and receives regular updates that change its signatures, making it difficult for antivirus programs to detect.

In general, data capture software is one of the most common methods of bypassing multi-factor authentication. This tactic is as old as the hacker world itself, but it remains effective.

With malware, attackers can also intercept emails and often obtain one-time access codes for targeted accounts. Users often do not see these messages and only realize their accounts have been compromised when it is too late.

Blocking notifications from an authenticator app on the victim’s smartphone works in a similar way: spyware installed on the mobile device intercepts SMS messages containing MFA codes.

Keyloggers, which are installed on victims’ devices and record keystrokes as usernames and passwords are entered, are also frequently used to hack accounts.

Hackers used this method to access customer data at LastPass, a paid password-storage platform. A keylogger on a personal computer was used to break into the LastPass vault. “If LastPass is going to protect our passwords, who is going to protect the keepers?” one of the company’s engineers asked.

To bypass any authentication method, it may be enough to obtain someone else’s cookies. By infecting the victim’s device with malware, attackers can steal the cookies associated with an authenticated session. What happens next depends on the hackers’ goals: they can use the data immediately or sell it in bulk on the darknet.

Finally, hackers can impersonate a user to order a new SIM card, gaining full access to the victim’s messages, including authentication codes.
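The token and cookie theft described in this section succeeds because a stolen session identifier is accepted from wherever it is presented. One server-side mitigation is to bind each session to the client that created it and revoke the session when the same token shows up from a different client. The following is an added example written for this article, not code from any product or from the article’s author; the fingerprint scheme (user agent plus the first two octets of the client IP) and the `SessionStore` API are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    fingerprint: str  # hash of client traits recorded at login


def client_fingerprint(user_agent: str, client_ip: str) -> str:
    # Coarse binding (assumed design): user agent plus the first two octets of
    # the IP, so a mobile user moving inside a carrier range does not trip it,
    # while a token replayed from an attacker's box on another network does.
    net = ".".join(client_ip.split(".")[:2])
    return hashlib.sha256(f"{user_agent}|{net}".encode()).hexdigest()


class SessionStore:
    """Hypothetical in-memory session store that binds tokens to a client fingerprint."""

    def __init__(self):
        self._sessions: dict[str, Session] = {}

    def login(self, user: str, user_agent: str, client_ip: str) -> str:
        # Unguessable token; the fingerprint of the logging-in client is stored beside it.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, client_fingerprint(user_agent, client_ip))
        return token

    def validate(self, token: str, user_agent: str, client_ip: str):
        """Return (user, verdict) where verdict is 'ok', 'invalid' or 'replayed'.

        A 'replayed' verdict means a valid token arrived from a client that does
        not match the one that logged in: the session is revoked on the spot and
        the caller should force re-authentication and raise an alert.
        """
        session = self._sessions.get(token)
        if session is None:
            return None, "invalid"
        presented = client_fingerprint(user_agent, client_ip)
        if not hmac.compare_digest(session.fingerprint, presented):
            del self._sessions[token]  # revoke: the token is presumed stolen
            return session.user, "replayed"
        return session.user, "ok"


def demo():
    # Constructed scenario: alice logs in from her browser; the same cookie is
    # later presented from a different user agent on a different network.
    store = SessionStore()
    token = store.login("alice", "Mozilla/5.0 (X11; Linux x86_64)", "203.0.113.7")
    legit = store.validate(token, "Mozilla/5.0 (X11; Linux x86_64)", "203.0.113.9")
    replay = store.validate(token, "python-requests/2.31", "198.51.100.4")
    after = store.validate(token, "Mozilla/5.0 (X11; Linux x86_64)", "203.0.113.7")
    return legit, replay, after


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Binding to a coarse network prefix is a trade-off: it catches a cookie replayed from an infostealer operator’s infrastructure but not one replayed through a proxy on the victim’s own network, and stricter binding (full IP) produces false positives for mobile users. The point is that a stolen token should not be a bearer credential that works from anywhere.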

Social Engineering: Timeless Tactics and New Tricks

The world is changing, but the basic principles of online fraud remain the same. Many scammers still call or message their victims, convincing them that their account has been hacked and they need to reset their password. Then it becomes incredibly simple: the victim receives the reset code and unknowingly hands it to the attacker.

More and more criminal schemes are being deployed using phishing techniques through fake login pages and websites that capture your data, including your passwords and two-factor authentication tokens.

A more modern social engineering technique is MFA fatigue, also known as MFA push spam. This approach is highly effective and does not require significant investment in malware or phishing tools.

A typical MFA fatigue attack works like this:

  1. The user sets up the multi-factor authentication system to send push notifications.
  2. When someone tries to log in to their account, the user receives a notification on their mobile device to approve or deny the login attempt.
  3. The hacker runs a script that bombards the user with notifications around the clock.
  4. The overwhelmed user may eventually click on the login confirmation button, either accidentally or on purpose, to stop the endless push notifications.
  5. Some users decide to disable MFA completely.
  6. If this approach fails, the hacker may contact the user pretending to be from a trusted source and suggest that they follow a link in a specific notification or approve a specific login attempt.
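The attack pattern above leaves a clear trace in authentication logs: a burst of push prompts for one user, most of them denied or left to time out, sometimes followed by an approval. The following detection script is an added example written for this article (not code from the article’s author or any vendor). It assumes a simple log format of `timestamp user result source_ip`, with results `push_sent`, `push_denied`, `push_timeout` and `push_approved`; the sample log lines are constructed, and the window and threshold are arbitrary starting points to tune against real data.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts user result ip")

# Constructed sample log (not from any real system): alice receives six prompts
# in under five minutes, rejects or ignores five, then approves the sixth.
# bob shows a normal single prompt and approval.
SAMPLE_LOG = """\
2024-03-01T02:00:05Z alice push_sent 203.0.113.7
2024-03-01T02:00:41Z alice push_denied 203.0.113.7
2024-03-01T02:01:12Z alice push_sent 203.0.113.7
2024-03-01T02:01:50Z alice push_timeout 203.0.113.7
2024-03-01T02:02:03Z alice push_sent 203.0.113.7
2024-03-01T02:02:40Z alice push_denied 203.0.113.7
2024-03-01T02:02:55Z alice push_sent 203.0.113.7
2024-03-01T02:03:30Z alice push_timeout 203.0.113.7
2024-03-01T02:03:44Z alice push_sent 203.0.113.7
2024-03-01T02:04:20Z alice push_denied 203.0.113.7
2024-03-01T02:04:31Z alice push_sent 203.0.113.7
2024-03-01T02:04:58Z alice push_approved 203.0.113.7
2024-03-01T09:15:00Z bob push_sent 198.51.100.4
2024-03-01T09:15:20Z bob push_approved 198.51.100.4
"""


def parse_log(text: str) -> list:
    """Parse the assumed 'timestamp user result ip' format into Event tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, result, ip = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip))
    return events


def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Return one alert per user who received >= `threshold` push prompts
    inside any sliding `window`. An approval after the burst began raises the
    severity, because that is the moment the attacker obtains a session."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)

    alerts = []
    for user, evs in by_user.items():
        prompts = [e for e in evs if e.result == "push_sent"]
        start = 0
        for end, prompt in enumerate(prompts):
            # Slide the left edge forward until the window spans at most `window`.
            while prompt.ts - prompts[start].ts > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_start = prompts[start].ts
                since_burst = [e for e in evs if e.ts >= burst_start]
                rejected = sum(e.result in ("push_denied", "push_timeout") for e in since_burst)
                approved = any(e.result == "push_approved" for e in since_burst)
                alerts.append({
                    "user": user,
                    "burst_start": burst_start.isoformat(),
                    "prompts": sum(e.result == "push_sent" for e in since_burst),
                    "rejected": rejected,
                    "approved_after_burst": approved,
                    "severity": "high" if approved else "medium",
                })
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

A medium alert (burst with no approval) is a signal that the user’s password is already in the attacker’s hands and should be reset; a high alert (approval after a burst) should trigger session revocation and a review of what the new session did. Number-matching prompts, where the user must type a code shown on the login screen, remove most of this attack surface and are the preferred fix where the identity provider supports them.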

Use MFA Wisely and Avoid Common Mistakes

As you can see, there’s a workaround for every security measure. The examples above are just a few of the ways hackers bypass multi-factor authentication.

However, it is not advisable to forgo MFA. It remains an effective tool for securing credentials. The longer and more complex the attacker’s path to their target, the lower the likelihood of a successful attack.

Here are some tips to avoid scams and stay safe when using MFA:

  • Only approve MFA notifications that you expect. If you receive a push notification or SMS code that you did not initiate, do not approve.
  • Use authenticator apps (like Google Authenticator); they are more secure and less susceptible to tampering than SMS-based MFA.
  • Check your account activity frequently for unauthorized logins or changes. Most services offer the option to view recent login activity.
  • Be wary of phishing techniques that trick you into providing MFA codes. Never click on links or follow instructions from unsolicited messages.
  • Turn on notifications for changes to your account, such as password resets or MFA changes, so you can quickly respond to unauthorized actions.
  • Combine MFA with strong, unique passwords for each of your accounts.
  • Keep your operating systems, browsers, and security software up to date to protect against malware that could steal your authentication tokens.
  • Make sure all your devices are secured with passwords, PINs or biometric locks, and install reliable antivirus software to detect and block malware.