This is what happened to me and my daughter, and 4 Ways Hackers Use Social Engineering to Bypass Your Security

March 5, 2024, by admin

Guys, if this article is above your head, I get it. Just try to understand that today’s state of security is far beyond scary. You have to be vigilant in your pursuit to secure your laptops and smartphones.

I am a former information security professional, and all those security exploits are nothing new to me, yet I am shocked quite often after reading about the way our security stance could be taken over by persistent hackers.

I know many folks have an excuse: there is nothing to secure on my laptop or smartphone. BIG MISTAKE!

As an example, this is what happened to me and my daughter.

Two days ago, I received a letter from Delta Dental (my dental insurance company) with a message that they had a security breach in June of 2023 (more than 7 months ago!). They found that my personal information was exposed including my Social Security number, phone number, e-mail address, home address, and even my health information (beyond the dental info).

You may say, “So, what? Big deal…”

Don’t hurry up.

About a year and a half ago, my daughter found that her personal information had appeared on the dark web (the hackers’ hidden network), and her Social Security number had been used to receive unemployment benefits. She spent several months fighting it and trying to solve the problem, especially because at that time she was between jobs and needed the money. She contacted numerous government organizations only to learn that:

  • The unemployment money was not the only problem she had;
  • None of the government agencies solved the problem! They were useless, with a lot of promises and no solution. Even more: they continued sending money to a hacker in Texas!
  • She contacted an attorney, who located the name of the hacker. Guess what? Social Security sent more money to the same hacker!
  • She had to lock her accounts at the credit agencies to prevent the hacker from opening a bank loan.
  • She had a problem filling out her tax return because she had received a 1099 form stating that SHE, not the hacker, had received the unemployment money.

A few days ago, my wife’s friend asked for assistance with her laptop. Guess what was bad? Her email had been breached 9 times (according to the anti-malware company Malwarebytes). The laptop was full of junk files, unrecognizable applications, etc.

I recalled that my old Gmail account had been hacked several times about 6 months ago, too. Why? Only because my personal info was exposed by other companies that were breached. I had to transfer my important emails from Gmail to another company that offered free e-mail addresses, and I stopped using the old email for any bank account.

Are you beginning to understand how bad it is?

Now, let’s get back to the recommendations.

When it comes to access security, one recommendation stands out above the rest (and I hope you are already familiar with it): multi-factor authentication (MFA). Passwords alone are easy work for attackers, and MFA adds an essential layer of protection against breaches. However, it's important to remember that MFA isn't foolproof. It can be bypassed, and it often is.

If a password is compromised, there are several options available to hackers looking to circumvent the added protection of MFA. Here, we explore four social engineering tactics hackers successfully use to breach MFA and emphasize the importance of having a strong password as part of a layered defense.

  1. Adversary-in-the-middle (AITM) attacks

AITM attacks involve deceiving users into believing they're logging into a genuine network, application, or website, when really they're handing their information to a fraudulent lookalike that relays it to the real service. This lets hackers intercept passwords and manipulate security measures, including MFA prompts. For instance, a spear-phishing email may arrive in an employee's inbox, posing as a trusted source. Clicking the embedded link sends them to a counterfeit website where the hackers collect their login credentials.

While MFA should ideally prevent these attacks by requiring an additional factor, hackers can employ a technique known as '2FA pass-on.' Once the victim enters their credentials on the fake site, the attacker promptly enters the same details on the legitimate site. This triggers a legitimate MFA request, which the victim anticipates and readily approves (or a one-time code, which the victim types into the fake page and the attacker replays within its validity window), unwittingly granting the attacker complete access. The relay works because a code or a push approval is not tied to the site the victim is actually on. Phishing-resistant factors such as FIDO2/WebAuthn security keys and passkeys bind each login assertion to the origin the browser sees, so an assertion produced on the lookalike domain is rejected by the real site.

This is a common tactic for threat groups such as Storm-1167, who are known for crafting fake Microsoft authentication pages to harvest credentials. They also create a second phishing page that mimics the MFA step of the Microsoft login process, prompting the victim to enter their MFA code, which hands the attackers access. From there, they control a legitimate email account and can use it as a platform for a multi-stage phishing attack.
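To make the relay concrete, here is an added example in Python (not code from the original post) that plays the '2FA pass-on' against a time-based code and then the same relay against an origin-bound factor. The domains, secrets and the use of HMAC in place of a public-key signature are assumptions made for illustration; the TOTP routine follows RFC 6238.

```python
import hashlib
import hmac
import secrets
import struct

LEGIT_ORIGIN = "https://login.example.com"    # assumed legitimate login page
PHISH_ORIGIN = "https://login.examp1e.com"    # assumed lookalike run by the attacker


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def sign_bound(device_key: bytes, challenge: bytes, origin_seen_by_browser: str) -> bytes:
    """Origin-bound assertion, modelled on WebAuthn: the authenticator signs the server's
    challenge together with the origin the browser is actually on. HMAC stands in for the
    public-key signature so the example stays dependency-free (assumption)."""
    return hmac.new(device_key, challenge + origin_seen_by_browser.encode(), hashlib.sha256).digest()


class LegitSite:
    """The real login server. It accepts either a TOTP code or an origin-bound assertion."""

    def __init__(self, origin: str, totp_secret: bytes, device_key: bytes):
        self.origin = origin
        self.totp_secret = totp_secret
        self.device_key = device_key
        self.pending = set()           # challenges issued and not yet consumed

    def verify_totp(self, code: str, unix_time: int) -> bool:
        return hmac.compare_digest(code, totp(self.totp_secret, unix_time))

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self.pending.add(challenge)
        return challenge

    def verify_bound(self, challenge: bytes, claimed_origin: str, signature: bytes) -> bool:
        if challenge not in self.pending:          # unknown or replayed challenge
            return False
        self.pending.discard(challenge)
        expected = sign_bound(self.device_key, challenge, claimed_origin)
        sig_ok = hmac.compare_digest(signature, expected)
        return sig_ok and claimed_origin == self.origin   # assertions made on another origin fail


def relay_totp(site: LegitSite, victim_totp_secret: bytes, unix_time: int) -> bool:
    """2FA pass-on: the lookalike page collects the victim's current code and the attacker
    replays it at the real site inside the same 30-second window."""
    code_typed_on_phish_page = totp(victim_totp_secret, unix_time)
    return site.verify_totp(code_typed_on_phish_page, unix_time)


def relay_bound(site: LegitSite, device_key: bytes) -> bool:
    """Same relay against an origin-bound factor: the attacker fetches a real challenge and
    forwards it, but the victim's browser is on PHISH_ORIGIN, so that is what gets signed."""
    challenge = site.new_challenge()
    assertion = sign_bound(device_key, challenge, PHISH_ORIGIN)
    return site.verify_bound(challenge, PHISH_ORIGIN, assertion)


def legit_bound(site: LegitSite, device_key: bytes) -> bool:
    """Control case: the same authenticator used directly on the real origin."""
    challenge = site.new_challenge()
    assertion = sign_bound(device_key, challenge, site.origin)
    return site.verify_bound(challenge, site.origin, assertion)


def demo() -> dict:
    # Constructed secrets for the example; in practice the TOTP seed is shared at enrolment
    # and the device key would be an asymmetric key pair.
    totp_secret = b"constructed-totp-seed"
    device_key = b"constructed-authenticator-key"
    site = LegitSite(LEGIT_ORIGIN, totp_secret, device_key)
    return {
        "totp_relay_accepted": relay_totp(site, totp_secret, 1_700_000_000),
        "bound_relay_accepted": relay_bound(site, device_key),
        "bound_direct_accepted": legit_bound(site, device_key),
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the TOTP relay succeeds while the relayed origin-bound assertion fails: the victim's browser signed the lookalike origin into the assertion, and the real site only accepts its own. If the attacker instead claims the legitimate origin when forwarding, the signature no longer verifies. That binding is what makes WebAuthn phishing-resistant; a code the user can read and retype has no such property.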

  2. MFA prompt bombing

This tactic takes advantage of the push notification feature in modern authentication apps. After compromising a password, the attacker attempts to log in, which sends an MFA prompt to the legitimate user's device. They rely on the user either mistaking it for a genuine prompt and accepting it, or becoming so frustrated with continuous prompts that they accept one to stop the notifications. This technique, known as MFA prompt bombing (or MFA fatigue), poses a significant threat. Two countermeasures blunt it: number matching, where the user must type a number displayed on the login screen into the app rather than simply tapping Approve, and rate limits on how many pushes a single account can receive per minute. On the detection side, a burst of denied or expired prompts for one account, especially one followed by an approval, is a strong signal to alert on.

In a widely reported 2022 incident, attackers attributed to the 0ktapus group obtained an Uber contractor's login credentials, then repeatedly attempted to log in from a machine they controlled, each attempt sending an MFA push to the contractor's phone. They then contacted the contractor directly, impersonating Uber's IT/security team, and convinced them to accept the push notification.
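As an added example (not from the original article), the following Python detection logic scans constructed authentication log lines for the burst pattern described above: many push prompts to one account in a short window, denied or timed out, then one approved. The log format, field names, window and threshold are assumptions; adapt the regex to your identity provider's export.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log: one line per MFA push, in a simplified key=value format (assumption).
# jdoe receives six pushes in under three minutes and finally approves one; asmith is normal.
SAMPLE_LOG = """\
2024-03-05T09:12:01Z user=jdoe event=mfa_push result=denied src=203.0.113.7
2024-03-05T09:12:20Z user=jdoe event=mfa_push result=denied src=203.0.113.7
2024-03-05T09:12:44Z user=asmith event=mfa_push result=approved src=198.51.100.20
2024-03-05T09:13:05Z user=jdoe event=mfa_push result=timeout src=203.0.113.7
2024-03-05T09:13:30Z user=jdoe event=mfa_push result=denied src=203.0.113.7
2024-03-05T09:13:58Z user=jdoe event=mfa_push result=denied src=203.0.113.7
2024-03-05T09:14:40Z user=jdoe event=mfa_push result=approved src=203.0.113.7
2024-03-05T09:40:00Z user=jdoe event=mfa_push result=approved src=192.0.2.55
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse(line: str):
    """Return a dict for a well-formed line, or None so malformed lines are skipped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def detect_prompt_bombing(lines, window_s: int = 300, threshold: int = 5) -> dict:
    """Flag any user who receives `threshold` or more push prompts inside a sliding window of
    `window_s` seconds. Each alert records the largest burst seen, how many prompts in it were
    denied or timed out, whether an approval landed inside the burst (the attacker's win), and
    the source addresses involved."""
    records = sorted(filter(None, map(parse, lines)), key=lambda r: r["ts"])
    recent = defaultdict(deque)   # user -> deque of (ts, result, src) still inside the window
    alerts: dict = {}
    for rec in records:
        if rec["event"] != "mfa_push":
            continue
        q = recent[rec["user"]]
        q.append((rec["ts"], rec["result"], rec["src"]))
        while (rec["ts"] - q[0][0]).total_seconds() > window_s:   # slide the window forward
            q.popleft()
        if len(q) < threshold:
            continue
        alert = alerts.setdefault(rec["user"], {
            "prompts": 0, "denied_or_timeout": 0, "approved_after_burst": False, "sources": set(),
        })
        alert["prompts"] = max(alert["prompts"], len(q))
        alert["denied_or_timeout"] = max(
            alert["denied_or_timeout"], sum(1 for _, r, _ in q if r in ("denied", "timeout"))
        )
        if rec["result"] == "approved":
            alert["approved_after_burst"] = True
        alert["sources"].update(src for _, _, src in q)
    for alert in alerts.values():
        alert["sources"] = sorted(alert["sources"])
    return alerts


if __name__ == "__main__":
    for user, alert in detect_prompt_bombing(SAMPLE_LOG).items():
        print(user, alert)
```

On the sample, only jdoe is flagged: six prompts inside the window, five of them denied or expired, and an approval at the end from the same address that generated the burst. The approval at 09:40 from a different address falls outside the window and does not trigger on its own; whether a lone approval from a new address deserves its own rule is a separate decision.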

  3. Service desk attacks

Attackers deceive help desks into bypassing MFA by claiming to have forgotten a password or lost a phone and gaining access through a phone call. If service desk agents fail to enforce proper verification procedures, they may unknowingly hand attackers an initial entry point into the organization's environment. A recent example was the MGM Resorts attack, where the Scattered Spider hacker group fraudulently contacted the service desk for a password reset, giving them a foothold to log in and launch a ransomware attack. The verification steps that matter are the ones an attacker armed with breached personal data cannot pass: a callback to the phone number already on record, confirmation from the employee's manager, or identity proofing over video. Resetting both the password and the MFA enrolment in a single call should never be possible.

  4. SIM swapping

Cybercriminals understand that MFA often relies on cell phones as a means of authentication. They exploit this with a technique called a 'SIM swap', where hackers deceive the mobile carrier into transferring a target's service to a SIM card under their control. They then effectively take over the target's phone number, letting them intercept the SMS codes and voice calls used for MFA and gain unauthorized access to accounts. SMS and voice remain the weakest second factor for exactly this reason: an authenticator app or a hardware security key is unaffected by a number port, and many carriers let customers set an account PIN or port-out lock that an impostor must also defeat.

After an incident in 2022, Microsoft published a report detailing the tactics employed by the threat group LAPSUS$. The report explained how LAPSUS$ dedicates extensive social engineering campaigns to gaining initial footholds in target organizations. One of their favored techniques is targeting users with SIM-swapping attacks, along with MFA prompt bombing, and resetting a target's credentials through help desk social engineering.

You can't fully rely on MFA – password security still matters

This wasn't an exhaustive list of ways to bypass MFA. There are several others, including compromising endpoints, stealing session tokens or cookies after a successful login, exploiting SSO, and finding unpatched technical deficiencies. Clearly, setting up MFA doesn't mean organizations or individuals can forget about securing passwords altogether.

Account compromise still often starts with a weak or compromised password. Once an attacker obtains a valid password, they can shift their focus to bypassing the MFA mechanism. Even a strong password can't protect users if it has been exposed in a breach or reused across sites.
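One practical form of "don't rely on a compromised password" is to check candidate passwords against breach data without sending the password anywhere. The added Python example below (not part of the original post) implements the k-anonymity range-query pattern used by the Have I Been Pwned "Pwned Passwords" API: the client sends only the first five hex characters of the SHA-1 and matches the suffix locally. The corpus here is constructed, and `range_lookup` is a local stand-in for the remote call.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form breach corpora of this kind are published in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus: full hash -> number of times seen in breaches.
CONSTRUCTED_CORPUS = {
    sha1_hex(p): n
    for p, n in [("password", 9_000_000), ("letmein", 500_000), ("Winter2024!", 120)]
}


def range_lookup(prefix5: str) -> str:
    """Server side of a k-anonymity range query: given only the first 5 hex characters of
    the SHA-1, return every matching hash suffix with its count, one 'SUFFIX:COUNT' per
    line. Here it reads the constructed corpus instead of calling a real service."""
    return "\n".join(
        f"{digest[5:]}:{count}"
        for digest, count in CONSTRUCTED_CORPUS.items()
        if digest.startswith(prefix5)
    )


def breach_count(password: str, lookup=range_lookup) -> int:
    """Client side: send the 5-char prefix, match the suffix locally. The service never
    sees the full hash, let alone the password. Returns 0 when the password is unseen."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate_suffix, count = line.split(":")
        if candidate_suffix == suffix:
            return int(count)
    return 0


def password_acceptable(password: str, min_len: int = 12) -> tuple:
    """Policy check combining length with the breach lookup; returns (ok, reason)."""
    if len(password) < min_len:
        return False, "too short"
    if (n := breach_count(password)) > 0:
        return False, f"seen {n} times in breach data"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "Winter2024!", "letmeinletmein"):
        print(candidate, password_acceptable(candidate))
```

Swapping `range_lookup` for an HTTP call to the real range endpoint is the only change needed to run this against live data; the prefix sent over the wire narrows the candidate set to hundreds of hashes, so the service learns nothing usable about the password itself. A reused password that appears in this kind of corpus should be rejected regardless of how long or complex it looks.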

If you like what you read, please share it with your friends online. The registration is free. See below.

Your Club Admin