How can criminals bypass multi-factor authentication (MFA)?

Several types of attacks allow malicious actors to bypass multi-factor authentication and take control of corporate and personal accounts

In recent years, software-as-a-service (SaaS) companies have tightened security around how users access an account on a platform, application, or cloud service. How? By implementing multi-factor authentication, popularly known by its acronym, MFA. This mechanism requires users not only to enter a password to access an account but also to use another authentication factor: a code received by SMS or call, a token, validation of access via a mobile authentication application, etc.

The aim is to check that the person wishing to access an account is indeed who he claims to be, not a malicious actor who has stolen his password.

1. Targets and objectives of criminals

As always in the field of cybersecurity, criminals have been developing tactics, techniques and procedures to bypass multi-factor authentication and gain access to user accounts for all kinds of services:

  • Banking institutions.
  • Retail companies such as Amazon.
  • Work environments such as Microsoft 365 or Google Workspace.
  • Business software such as billing programs.
  • Hotel booking platforms such as Booking.
  • Social networks such as Instagram or LinkedIn.
  • Streaming platforms such as Spotify or Netflix.
  • Multiple Cloud applications.

What are the objectives of the criminals?

  • Commit financial fraud.
  • Access confidential information about companies and public figures.
  • Deploy malware on corporate systems.
  • Steal intellectual property and all kinds of documents and communications in the corporate environment.
  • Hijack private data and even user accounts to extort money from their victims, e.g. micro-influencers.
  • Hack social network accounts to carry out other attacks.
  • Carry out audiovisual fraud, selling access to legitimate platform accounts…
  • Obtain information to launch future attacks.

Below, we will break down some of these tactics and the measures that can be implemented by both software vendors and companies that contract third-party applications and programs to protect accounts.

2. Attack-in-the-middle: Stealing tokens and session cookies

A few weeks ago, the activity of Tycoon 2FA, a Phishing-as-a-Service platform offering attack packages that bypass multi-factor authentication and gain access to Microsoft 365 and Gmail user accounts, became public. The procedure designed and marketed by this criminal group combines the creation of phishing pages pretending to be login pages for legitimate applications and the use of reverse proxies hosted on these pages.

Malicious actors are able to trick their victims into entering their login credentials and then intercept the cookies or tokens generated to illegitimately access accounts by bypassing the security barrier.

This case is not anecdotal and is in addition to other kinds of attack-in-the-middle campaigns packaged by criminal groups such as Greatness, which also targeted Microsoft 365 accounts, or Robin Banks, focused on attacking accounts of banking entities such as Citibank or Wells Fargo.
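One server-side check against the cookie theft described in this section, as an added example that is not part of the original article: record the client context in which a session completed MFA and flag any later use of that session cookie from a different context. The event fields, the /24 grouping and the sample events are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample events (not real logs). "mfa_ok" marks the request on
# which MFA completed; "request" is any later use of the same session cookie.
EVENTS = [
    {"ts": 100, "sid": "s-1", "type": "mfa_ok", "ip": "198.51.100.23", "ua": "Firefox/125 Windows"},
    {"ts": 130, "sid": "s-1", "type": "request", "ip": "198.51.100.77", "ua": "Firefox/125 Windows"},
    {"ts": 160, "sid": "s-1", "type": "request", "ip": "203.0.113.9", "ua": "python-requests/2.31"},
    {"ts": 200, "sid": "s-2", "type": "mfa_ok", "ip": "192.0.2.10", "ua": "Safari/17 macOS"},
    {"ts": 260, "sid": "s-2", "type": "request", "ip": "192.0.2.200", "ua": "Safari/17 macOS"},
    {"ts": 300, "sid": "s-3", "type": "request", "ip": "192.0.2.55", "ua": "Chrome/124 Linux"},
]


def client_context(event, prefix=24):
    """Coarse client identity: the /24 network plus the user agent string."""
    net = ipaddress.ip_network(f"{event['ip']}/{prefix}", strict=False)
    return net, event["ua"]


def find_replayed_sessions(events, prefix=24):
    """Flag session cookies presented outside the context that passed MFA."""
    bound = {}   # sid -> (network, user agent) recorded when MFA completed
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ctx = client_context(ev, prefix)
        if ev["type"] == "mfa_ok":
            bound[ev["sid"]] = ctx
            continue
        if ev["sid"] not in bound:
            alerts.append((ev["ts"], ev["sid"], ["no_mfa_on_record"]))
            continue
        net, ua = bound[ev["sid"]]
        changed = []
        if ctx[0] != net:
            changed.append("network")
        if ctx[1] != ua:
            changed.append("user_agent")
        if changed:
            # A real service would revoke the session and force re-authentication here.
            alerts.append((ev["ts"], ev["sid"], changed))
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(EVENTS):
        print(alert)
```

Clients that legitimately move between networks will also trigger the network check, so the response should be a re-authentication prompt rather than a lockout. The check does not fire when the stolen cookie is replayed from the same network and user agent that completed MFA.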

3. Prompt bombing or MFA fatigue

Another tactic criminals use to bypass multi-factor authentication is prompt bombing or MFA fatigue.

Malicious actors obtain a user’s username and password and enter them into an application’s legitimate login page over numerous attempts. Since that application has implemented multi-factor authentication, each attempt sends the legitimate user a message asking them to validate access. With this tactic, criminals hope the user will authorize access either by mistake, e.g., by clicking on a link, or out of fatigue, simply to stop receiving notifications.

Uber suffered the most famous attack of this type just over a year ago. The Lapsus$ group gained access to the company’s network thanks to the VPN credentials of one of the company’s providers. Once it got hold of those credentials, the group attempted to log into that provider’s Uber account multiple times. Since multi-factor authentication was enabled, a barrage of login approval requests was generated as a second factor. Still, the provider did not validate any of the requests.

Therefore, the criminals contacted him, posing as Uber technical support, to get him to validate the login request.
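Detection logic for the pattern described in this section, as an added example that is not part of the original article: it flags a burst of unapproved push prompts for one user and, separately, an approval that arrives shortly after such a burst. The log format, the thresholds (5 prompts in 300 seconds, 900-second follow-up) and the sample entries are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample push-notification log: (epoch seconds, user, outcome).
PUSH_LOG = [
    (1000, "carol", "approved"),
    (5000, "dave", "timeout"), (5020, "dave", "denied"), (5045, "dave", "timeout"),
    (5070, "dave", "denied"), (5090, "dave", "timeout"), (5400, "dave", "approved"),
    (9000, "erin", "denied"), (9900, "erin", "approved"),
]


def detect_mfa_fatigue(log, burst=5, window=300, followup=900):
    """Return (ts, user, kind) alerts for prompt bursts and approvals after them."""
    recent = defaultdict(deque)   # user -> timestamps of unapproved prompts
    last_burst = {}               # user -> time of the latest prompt in a burst
    alerts = []
    for ts, user, outcome in sorted(log):
        q = recent[user]
        # Drop prompts that fell out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if outcome in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= burst:
                if len(q) == burst:          # alert once when the threshold is reached
                    alerts.append((ts, user, "prompt_burst"))
                last_burst[user] = ts
        elif outcome == "approved":
            # An approval soon after a burst is the case that needs a human
            # to confirm with the user before the session is trusted.
            if user in last_burst and ts - last_burst[user] <= followup:
                alerts.append((ts, user, "approved_after_burst"))
                del last_burst[user]
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(PUSH_LOG):
        print(alert)
```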

4. SIM swapping: When the offender receives the message

SIM swapping is one of the critical digital frauds of this era, mainly because criminals use this technique to commit banking scams. But what exactly does it involve?

Cybercriminals profile their victims to collect critical data such as ID numbers, phone numbers, addresses, emails and financial information (account numbers, credit cards, financial solvency, etc.).

Then, they contact the victim’s telephone operator, impersonating the victim and requesting a duplicate SIM card, arguing that the card has been lost, has deteriorated, or needs to be changed for a different size.

Once the duplicate has been obtained, they can fraudulently validate access to an account if the second authentication factor consists of sending an SMS or a call.

Although SIM swapping is mostly used to access victims’ online banking accounts, this malicious technique can also bypass multi-factor authentication for all kinds of applications and platforms.

5. Request password reset

Alongside SIM swapping, we should note another malicious technique for bypassing multi-factor authentication that seeks to manipulate professionals on the other end of the phone. In this case, criminals laboriously gather information about a company’s professionals by resorting to web searches, consulting corporate websites and, above all, social networks.

Once they have all the information they need to impersonate a worker, they contact the company’s technical services and say that they have forgotten the password to their corporate account. Thanks to the data they have gathered, they are able to avoid arousing suspicion, so the technician who answers the call gives them access.

This was precisely the technique used by the criminal group AlphV to break into the systems of MGM Resorts, which owns some of the most important casinos in the United States. Once inside, the hackers created fake accounts to avoid being locked out and deployed ransomware to hijack confidential information.

The company spent $10 million to contain the attack, and it is estimated that the incident, which took place in September 2023, caused an economic impact of $100 million because various operations and processes were paralyzed during it.

6. Kits for bypassing multi-factor authentication

Which actors can bypass multi-factor authentication? Only criminals with the knowledge, experience and resources to carry out sophisticated attacks? Unfortunately not. Currently, several Phishing-as-a-Service platforms offer their customers the possibility to carry out attacks, including techniques to bypass multi-factor authentication, as evidenced by cases such as Robin Banks, Tycoon 2FA or Greatness. And there is a multitude of open tools, such as evil, for this purpose.

So criminals who lack the training, time and money to design attacks capable of bypassing multi-factor authentication can carry them out by contracting the packages that criminal groups offer through the Dark Web, forums or applications such as Telegram.

This means that the number of potential attackers is growing exponentially, and more companies and citizens can fall victim to attacks that seek to access corporate accounts (enterprise SaaS) or personal accounts (streaming platforms).

Likewise, criminal groups that market this kind of kit to bypass multi-factor authentication and access application accounts obtain direct and constant economic gains that allow them to perfect their techniques, tactics and procedures and develop new attacks capable of overcoming the defensive measures put in place by cybersecurity teams.

7. The future is already here: Generative AI versus biometric authentication

When it comes to authenticating access to corporate accounts, the possibility of implementing biometric authentication—iris scanning, fingerprint, facial or voice recognition—has long been considered.

The assumption was that this authentication would make it much more difficult for unauthorized persons to access certain corporate assets. However, biometric authentication faces two significant obstacles:

  • Data protection. Users’ having to give up highly personal data such as their face, voice or fingerprint may clash with an extremely protective regulatory framework for the protection of private data.
  • The development of generative AI. Criminals already use systems based on large language models to design and implement attacks. For example, AI can be used to clone a person’s voice or perform image deepfakes. Considering that generative AIs are still evolving and their capabilities are expected to grow, the effectiveness of biometric authentication may be challenged.

8. How can illegitimate account access be prevented?

First, it is critical to note that multi-factor authentication remains a vital and effective security measure for securing account access. It forces cybercriminals to design and implement tactics to circumvent it.

Are some factors more advisable than others? More and more companies are choosing to require the use of mobile authentication applications because they are more secure and make it more difficult for criminals, as opposed to other mechanisms such as sending codes or links via SMS. This trend is coupled with using client digital certificates or FIDO2-based multi-factor authentication systems to prevent stolen 2FA keys from being used by cybercriminals.

With the expansion of Phishing-as-a-Service (PaaS) platforms that include the possibility of bypassing multi-factor authentication among their services, large service provider companies must implement more robust MFA systems to prevent malicious actors from successfully circumventing them.

8.1. Cybersecurity services to prevent incidents and minimize their impact

Advanced cybersecurity services are also available to software developers and companies that contract third-party tools, to assess their ability to withstand attacks that use TTPs to bypass multi-factor authentication and to optimize it.

  • Web security audits to detect application vulnerabilities, prioritize them and mitigate them before they are exploited.
  • Social engineering tests to analyze the level of maturity of a company’s professionals in the face of phishing attacks and to train and make them aware of them.
  • Proactive Threat Hunting to anticipate cybercriminals, discover their TTPs, and optimize an organization’s detection capabilities.
  • Red Team scenarios to realistically test how a company’s defensive capabilities respond to attacks focused on bypassing multi-factor authentication and gaining access to SaaS accounts.
  • Incident response service. If a malicious actor gains access to a corporate account, it is vital to immediately identify the scope of the compromise, initiate response activities, expel the malicious actor quickly, and determine what information was exposed during the incident.

Ultimately, even if criminals develop tactics, techniques and procedures to bypass multi-factor authentication, this security mechanism is still useful in preventing unauthorized access to sensitive tools such as corporate email, billing software and systems.