Phishing cyberattacks and defence
An estimated 80 per cent of data breaches or hacks are from internal staff or users clicking on a link or file attachment through email, messaging or even SMS! This is called phishing (or spear phishing if targeted at specific users such as executives) and it remains the number one cyberattack vector or methodology by which cybercriminals or hackers get that initial break into your network or systems. From a great essay by Roger Grimes at KnowBe4, from which I have summarised the salient points: human societies have a bad habit of taking a specific, limited-in-scope fact and turning it into an overly broad generalisation that gets incorrectly believed and perpetuated as if it were as comprehensively accurate as the original, more-limited fact it was based on.
Anything can be hacked! Do not confuse “phishing-resistant” with being impossible to phish or socially engineer.
According to all the latest cybersecurity advisories from the many cybersecurity watchdogs, everyone should implement phishing-resistant Multi-factor Authentication (MFA) where they can in order to protect valuable data and systems.
But it is important to know that phishing-resistant does not mean not phishable.
Everything is subject to social engineering and phishing. Even the strongest phishing-resistant MFA solutions can still be socially engineered around or hacked. Many people believed any MFA would prevent social engineering attacks, and just as many people are probably going to see the phrase, phishing-resistant, and unfairly think that it means un-phishable. In fact, I talk to MFA admins who tell me that all the time. I see vendors for phishing-resistant MFA touting their products as being utterly un-phishable!
It is not true. And they should stop saying it. It undermines the industry and will hurt clients who rely on those statements who still end up getting hacked because of that overreliance.
It should be enough to say that their products are phishing-resistant and far less susceptible to some common forms of social engineering than other, more phishable products.
What has happened in the industry is that MFA products that significantly mitigate the most common type of social engineering attack against MFA, man-in-the-middle (MITM) attacks (called adversary-in-the-middle by some), have somehow been mistakenly labelled as un-phishable.
Here are some real-world social engineering attacks which do not rely on MITM attacks:
Compromised endpoint
If an attacker can convince a victim to download malware, that malware can take control over their desktop or device, and no MFA solution can stop that malicious software from doing whatever it wants to do. It is game over! Since a large percentage of phishing emails, text messages and compromised websites try to trick users into downloading malware, this type of popular attack will work even against phishing-resistant MFA. It involves social engineering and phishing, and it works against any MFA solution.
Compromised infrastructure
If an attacker can socially engineer a system administrator or an employee of any component in the path of the MFA authentication (e.g., server, database, etc.), they can compromise the MFA solution. The client victim did not do anything wrong, but someone in the pathway of the client and the server providing the authentication was socially engineered (they often are not running the same phishing-resistant MFA) and the result is the same, if not worse.
A great example of this sort of attack was the 2020 Twitter breach where a Twitter employee, likely protected by some form of MFA, was socially engineered. Once the attackers gained access to the employee’s admin credentials and tools, they took over dozens of other high-profile Twitter accounts, like those belonging to Bill Gates and Elon Musk. And even if any of those accounts were protected by really good, phishing-resistant MFA, those accounts would still be compromised.
Most popular MFA options have self-help portals to allow users to “recover” their accounts if their MFA solution stops working for some reason. Almost always, the method used to authenticate the user to initiate the recovery option is less secure than the MFA solution they were using. It is often simply a link sent to someone’s previously registered email address or a link or code sent to the user’s cell phone using SMS. All of those options are less secure than the MFA option being used and can be easily socially engineered.
One of the easiest hacks is when the recovery action involves a code sent via SMS. All the attacker has to do is pose as someone from the vendor (i.e., tech support) calling or texting you saying that some event is happening that requires that they send you a code that you then repeat back to them. For example, your account is being hacked and they need to send a code to you to “confirm” you are the real account holder. Then they put your account in recovery mode, the vendor sends you an SMS code, which you are tricked into sharing with the attacker. The attacker is told the recovery code by the victim and uses it to recover the account. The hacker then takes over the account and changes the user’s authentication and personal information. This happens thousands of times a day.
Many sites protected by MFA allow users to call in to recover their accounts. An attacker, using information they have previously socially engineered from the victim (like login name and password or PIN), can call the vendor’s technical support number and start a fraudulent account recovery. This is a very common social engineering attack method.
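As an added illustration (not part of this column or of Grimes' essay), the following Python sketches a defender's detection rule for the recovery-abuse pattern described above: an account recovery completed over a weak channel such as SMS or a support call, followed within minutes by changes to the account's MFA method or contact details. The event names, channel names and sample audit records are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample audit records (not real logs): (time, user, event, channel).
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "alice", "recovery_completed", "sms"),
    ("2024-01-10T09:03:00", "alice", "mfa_method_changed", "totp"),
    ("2024-01-10T09:04:00", "alice", "contact_info_changed", "email"),
    ("2024-01-10T10:00:00", "bob", "recovery_completed", "hardware_key"),
    ("2024-01-10T10:02:00", "bob", "mfa_method_changed", "fido2"),
    ("2024-01-10T11:00:00", "carol", "recovery_completed", "sms"),
    ("2024-01-10T13:00:00", "carol", "mfa_method_changed", "totp"),
]

# Recovery channels the article describes as weaker than the primary MFA factor.
WEAK_RECOVERY_CHANNELS = {"sms", "email", "phone_support"}
# Post-recovery actions typical of an account takeover (hypothetical event names).
TAKEOVER_ACTIONS = {"mfa_method_changed", "contact_info_changed"}


def parse(events):
    """Convert ISO timestamps to datetimes so the events can be ordered and compared."""
    return [(datetime.fromisoformat(t), u, e, c) for t, u, e, c in events]


def detect_recovery_takeover(events, window_minutes=15):
    """Return one alert per recovery over a weak channel that is followed, within
    the window, by the same user changing MFA or contact details."""
    window = timedelta(minutes=window_minutes)
    parsed = sorted(parse(events))
    alerts = []
    for i, (ts, user, event, channel) in enumerate(parsed):
        if event != "recovery_completed" or channel not in WEAK_RECOVERY_CHANNELS:
            continue
        # Only later events for the same user inside the time window count.
        follow_ups = [e for t, u, e, _ in parsed[i + 1:]
                      if u == user and e in TAKEOVER_ACTIONS and t - ts <= window]
        if follow_ups:
            alerts.append({"user": user, "recovery_channel": channel,
                           "recovered_at": ts.isoformat(), "follow_ups": follow_ups})
    return alerts


if __name__ == "__main__":
    for alert in detect_recovery_takeover(SAMPLE_EVENTS):
        print(alert)
```

Bob's recovery over a hardware key is not flagged, and Carol's SMS recovery is ignored because her MFA change comes two hours later; widening the window trades that noise for coverage.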
Fake successful login
This type of attack is not common, but it is a valid type of attack and has happened in the real world. It is very difficult to impossible to prevent. In this attack, the hacker socially engineers the victim into going to a fraudulent URL with a lookalike website. The victim thinks they are on the real website. The attacker then prompts the user to log in.
The user thinks they have successfully logged into a real website and now relaxes and begins doing what they would normally do on the real website. But instead of showing the user the entire real website, which would be a lot of work, the attacker just asks the user for their credit card or other personal identification information (e.g., “We need to re-verify your credit card to ensure it is valid”, etc.), which the user responds to. Then the fake website creates a fake error message and drops the user to the login screen of the real website. The user is none the wiser. They log into the real website and think everything is hunky dory.
Send me your MFA
An attacker could pretend to be technical support and ask you to send them your MFA solution along with your PIN. Maybe they claim that the MFA was compromised. Either way, the user is tricked into sending the MFA solution to the attacker along with whatever knowledge information is normally needed, and the attacker uses the sent information and device to take over the MFA logins as the user.
Receive new MFA
Alternately, an attacker pretending to be tech support can send you a new, but previously compromised device, and tell you it is important that you use the new device because the old one is no longer good.
I could go on and on with tons of additional, creative social engineering attacks, but you get the idea. And I did not even include all of the phishing attacks around SMS-based and push-based MFA that are going around these days. If I included those MFA solution types, I could easily make up another one to two dozen different social engineering and phishing attacks. None of those would involve MITM attacks.
Your MFA should be phishing-resistant, but no MFA solution is entirely resistant to all social engineering and phishing attacks. Most MFA solutions … even the ones you have been told are phishing-resistant, would fall victim to most of the attacks listed above.
But perfect security is not the point. Anything can be hacked. Anyone can be socially engineered. The key is to pick an MFA solution that is somewhat phishing-resistant to the most common types of attacks, of which MITM attacks are one. And it is a big, popular one.
Just make sure you do not say or think that any particular MFA solution cannot be phished. Because it is not true!
Defences
If all MFA solutions can be hacked and socially engineered, what are you supposed to do?
Well, start by educating yourself and your staff or users on the fact that any MFA solution can be hacked and socially engineered, and there is no unhackable, un-phishable MFA solution.
Second, whenever you have a chance (you often do not have authority to decide what to use) to pick or use an MFA solution, try to pick a phishing-resistant MFA solution.
Last, no matter what MFA solution(s) you use or support, educate everyone involved about what the particular type of MFA solution does and does not prevent. Teach about the common types of attacks against that type of authentication, how to recognise them, how to mitigate them and the appropriate way to report them so they can be further addressed and mitigated.
A little education goes a long way.
As James Scott, senior fellow for the Institute for Critical Infrastructure notes: “A single spear-phishing email carrying a slightly altered malware can bypass multi-million dollar enterprise security solutions if an adversary deceives a cyberhygienically, apathetic employee, into opening the attachment or clicking a malicious link and thereby compromising the entire network.” God bless and stay safe in both digital and physical worlds this weekend.