Basically sim swapping, man in the middle attacks and poor URL protections
FBI warns about SIM swapping and tools like Muraen and NecroBrowser.
“The FBI has observed cyber actors circumventing multi-factor authentication through common social engineering and technical attacks,” the FBI wrote in a Private Industry Notification (PIN) sent out on September 17.
Past incidents of MFA bypasses
While nowadays there are multiple ways of bypassing MFA protections, the FBI alert specifically warned about SIM swapping, vulnerabilities in online pages handling MFA operations, and the use of transparent proxies like Muraen and NecroBrowser.
To get the point across, the FBI listed recent incidents where hackers had used these techniques to bypass MFA and steal money from companies and regular users alike. We cite from the report:
- In 2016 customers of a US banking institution were targeted by a cyber attacker who ported their phone numbers to a phone he owned-an attack called SIM swapping. The attacker called the phone companies’ customer service representatives, finding some who were more willing to provide him information to complete the SIM swap. Once the attacker had control over the customers’ phone numbers, he called the bank to request a wire transfer from the victims’ accounts to another account he owned. The bank, recognizing the phone number as belonging to the customer, did not ask for full security questions but requested a one-time code sent to the phone number from which he was calling. He also requested to change PINs and passwords and was able to attach victims’ credit card numbers to a mobile payment application.
- Over the course of 2018 and 2019, the FBI’s Internet Crime Complaint Center and FBI victim complaints observed the above attack-SIM swapping-as a common tactic from cyber criminals seeking to circumvent two-factor authentication. Victims of these attacks have had their phone numbers stolen, their bank accounts drained, and their passwords and PINs changed. Many of these attacks rely on socially engineering customer service representatives for major phone companies, who give information to the attackers.
- In 2019 a US banking institution was targeted by a cyber attacker who was able to take advantage of a flaw in the bank’s website to circumvent the two-factor authentication implemented to protect accounts. The cyber attacker logged in with stolen victim credentials and, when reaching the secondary page where the customer would normally need to enter a PIN and answer a security question, the attacker entered a manipulated string into the Web URL setting the computer as one recognized on the account. This allowed him to bypass the PIN and security question pages and initiate wire transfers from the victims’ accounts.
- In February 2019 a cyber security expert at the RSA Conference in San Francisco, demonstrated a large variety of schemes and attacks cyber actors could use to circumvent multi-factor authentication. The security expert presented real-time examples of how cyber actors could use man-in-the-middle attacks and session hijacking to intercept the traffic between a user and a website to conduct these attacks and maintain access for as long as possible. He also demonstrated social engineering attacks, including phishing schemes or fraudulent text messages purporting to be a bank or other service to cause a user to log into a fake website and give up their private information.
- At the June 2019 Hack-in-the-Box conference in Amsterdam, cyber security experts demonstrated a pair of tools – Muraena and NecroBrowser – which worked in tandem to automate a phishing scheme against users of multi-factor authentication. The Muraena tool intercepts traffic between a user and a target website where they are requested to enter login credentials and a token code as usual. Once authenticated, NecroBrowser stores the data for the victims of this attack and hijacks the session cookie, allowing cyber actors to log into these private accounts, take them over, and change user passwords and recovery e-mail addresses while maintaining access as long as possible.
MFA is still effective
The FBI made it very clear that its alert should be taken only as a precaution, and not an attack on the efficiency of MFA, which the agency still recommends. The FBI still recommends that companies use MFA.