
Security

10 October 2018

Phishing your MFA

MFA

I wrote in a recent blog that multi-factor authentication (MFA) is not a panacea to ensure security of your accounts.  It’s a useful tool – although many customers complain about the manageability and usability of such solutions – but more and more, MFA is being defeated. On the one hand, that’s just business as usual – ‘twas ever thus in the security arms race, since the first lock-and-key was invented 6000 years ago. On the other hand, MFA deployments give both users and security teams a sense of security which is increasingly false.

MFA solutions rely on a simple principle: after demanding username & password, they ask for an additional piece of information which, typically, cannot be compromised quite as easily as your standard credentials.  A code sent to your mobile is most common today, memorable words from which you only enter a few characters are popular, separate physical devices are used by many banks.  But they all suffer from the same shortcoming: once you’re challenged for the second factor, you enter it into the same interface, typically a web front end, in order to access the service you are logging into.

So to compromise your MFA, all I have to do is to hijack the communications between you and the service. Once I do this, the service will challenge you for your second factor, and you will merrily input it, feeling quite safe, while you’re actually going through my intermediary, allowing me straight into your email, or whatever it is you’re accessing, right alongside you.

And it turns out, it ain’t that hard to hijack that communications channel.  There are two common options today:

  • Offer you a malicious WiFi network, through which I can control all of your comms.
  • Offer you a malicious splash page for the service you are accessing, and thereby control your engagement with that service.

Would your users fall for a malicious WiFi? My guess is yes. How careful are even sophisticated users about which network they log onto? If you see Starbucks_WiFi_1 in the coffee shop, do you think twice, or do you just assume it’s okay? Even if you are super careful, are your users? In one recent attack ‘a fake wireless access point had been operating near [an] event which intercepted requests’ [1]. And it’s so incredibly simple to do – all you need is a router and a 4G connection. No targeting, just wait to see what you get.

A malicious splash page is also pretty straightforward. Our friends at Bing have made it surprisingly convenient for bad guys to buy an ad word which allows a false splash page to leap to the top of the rankings [2] (to be fair, they are quick to take it down when they are notified, but that still leaves plenty of time to catch some unfortunate punters).

However, it’s phishing that really excels here. Dodgy emails, dodgy adverts and dodgy websites all push you to apparently legitimate splash pages. Switched‑on users may check the URL, but with more sophisticated attacks, that’s impossible. Never mind that a lowercase L and an uppercase I are typically indistinguishable in many fonts; the use of punycode [3] allows attackers to register domain names that look completely legitimate but actually contain Cyrillic (or other non-Latin) characters which are drawn just like their Roman look-alikes.
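To make the punycode point concrete from the defender’s side, here is an added example (my own code, not IDECSI’s product or anything from the cited research) that inspects a URL the way a mail filter or proxy might: it decodes xn-- labels back to Unicode, flags labels that mix scripts, and folds visually confusable characters into a Latin “skeleton” so that a look-alike can be matched against a list of protected domains. The protected domain list, the confusable table and the sample URLs are all constructed for the example; a real deployment would use the full Unicode confusables data.

```python
"""Look-alike domain checks for phishing URLs: punycode labels, mixed-script
labels, and confusable-character matches against protected domains.
Added example; the protected list, confusable map and sample URLs are constructed."""
import unicodedata
from typing import Optional
from urllib.parse import urlparse

# Constructed list of domains worth protecting (an assumption for the example).
PROTECTED_DOMAINS = ["login.microsoftonline.com", "outlook.office.com"]

# Small, constructed confusable map: visually similar characters are folded to
# one Latin "skeleton" letter. Real deployments use the Unicode confusables table.
CONFUSABLES = {
    "1": "l", "i": "l", "|": "l", "0": "o",        # ASCII look-alikes
    "\u0430": "a", "\u0435": "e", "\u043e": "o",    # Cyrillic а е о
    "\u0440": "p", "\u0441": "c", "\u0445": "x",    # Cyrillic р с х
    "\u0443": "y", "\u0456": "l", "\u03bf": "o",    # Cyrillic у і, Greek ο
}


def script_of(ch: str) -> Optional[str]:
    """Script family of a letter ('LATIN', 'CYRILLIC', ...); None for non-letters."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "").split(" ")[0] or None


def decode_host(host: str) -> str:
    """Turn a punycode (xn--) host back into Unicode so it can be inspected."""
    if "xn--" not in host.lower():
        return host
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # malformed label: inspect the raw form instead


def skeleton(host: str) -> str:
    """Fold confusables so a look-alike and its target compare equal."""
    folded = unicodedata.normalize("NFKC", host).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def lookalike_target(host: str) -> Optional[str]:
    """Protected domain this host imitates, or None if it is genuine or unrelated."""
    h = skeleton(host)
    for target in PROTECTED_DOMAINS:
        t = skeleton(target)
        if h == t and host != target:
            return target
        # Same trick applied to a subdomain of the protected name.
        if h.endswith("." + t) and not host.endswith("." + target):
            return target
    return None


def analyze_url(url: str) -> dict:
    """Run all checks on one URL and return the findings."""
    raw_host = (urlparse(url).hostname or "").lower()
    host = decode_host(raw_host)
    # A label that mixes Latin with Cyrillic/Greek letters is a classic homograph sign.
    mixed = any(len({s for s in map(script_of, lab) if s}) > 1 for lab in host.split("."))
    non_ascii = any(ord(c) > 127 for c in host)
    target = lookalike_target(host)
    return {
        "host": host,
        # What the address bar may show instead of the Unicode form.
        "punycode": raw_host.encode("idna").decode("ascii") if non_ascii else None,
        "mixed_script": mixed,
        "lookalike_of": target,
        "suspicious": mixed or non_ascii or target is not None,
    }


if __name__ == "__main__":
    # Constructed samples: genuine host, Cyrillic 'о' in "login", ASCII l-for-i swap.
    for sample in ("https://login.microsoftonline.com/common/oauth2",
                   "https://l\u043egin.microsoftonline.com/",
                   "https://outlook.offlce.com/"):
        print(analyze_url(sample))
```

The mixed-script check on its own is not enough: a label written entirely in Cyrillic passes it, which is why the skeleton comparison against a protected list is the check that actually catches the look-alike. Feeding the `punycode` value back into `analyze_url` shows the decode path a proxy would take when it only sees the xn-- form.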

Amnesty International (yes, the human rights folks) recently published research showing exactly how this type of false splash page is used to compromise MFA, along with the phishing that leads you there [4]. Although, if you’ve been paying attention so far, it’s going to tell you more-or-less exactly what I just wrote.

So what next? Well, if you’ve been reading this blog, or anything else from IDECSI, over the past few months, you’ll know our view is that the key is monitoring and detection. You can put in place as many preventative mechanisms as you like, and don’t let me stop you deploying MFA, it does make it harder for hackers, but monitoring and detection is critical.

By understanding normal user behaviour, on a per user per application basis, we can identify when the bad guy gets in. Moreover, our Personal Security Guardian is designed to engage your users in this process – massively reducing the time to breach identification, minimising the cost of the breach, and significantly improving your users’ cyber awareness.
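What “understanding normal user behaviour, per user per application” looks like in code, as an added example that is not IDECSI’s product logic: a baseline of the countries and user agents each user normally signs in from, per application, built from historical successful sign-ins, and a detector that flags successful sign-ins which deviate from it. A relayed session is what the post describes: the victim satisfied MFA, yet the session reaches the service from the attacker’s infrastructure, so it shows up as a sign-in that passed MFA from an unfamiliar location and client. The sign-in records below are constructed JSON lines, not real Microsoft 365 audit data, and the field names are assumptions.

```python
"""Per-user, per-application sign-in baseline and anomaly detection.
Added example; the log lines and their field names are constructed."""
import json
from collections import defaultdict

# Constructed historical sign-ins used to learn what is normal for each user/app.
BASELINE_LOG = """
{"ts": "2018-10-01T08:02:11Z", "user": "alice", "app": "Exchange Online", "result": "success", "mfa": "satisfied", "country": "FR", "ua": "Outlook/16.0 (Windows NT 10.0)"}
{"ts": "2018-10-02T08:05:40Z", "user": "alice", "app": "Exchange Online", "result": "success", "mfa": "satisfied", "country": "FR", "ua": "Outlook/16.0 (Windows NT 10.0)"}
{"ts": "2018-10-02T19:14:03Z", "user": "alice", "app": "Exchange Online", "result": "success", "mfa": "satisfied", "country": "FR", "ua": "Outlook-iOS/2.0 (iPhone)"}
{"ts": "2018-10-03T09:30:27Z", "user": "alice", "app": "SharePoint Online", "result": "success", "mfa": "satisfied", "country": "FR", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/69.0"}
{"ts": "2018-10-03T07:57:01Z", "user": "bob", "app": "Exchange Online", "result": "failure", "mfa": "not_required", "country": "DE", "ua": "Outlook/16.0 (Windows NT 10.0)"}
{"ts": "2018-10-03T07:58:12Z", "user": "bob", "app": "Exchange Online", "result": "success", "mfa": "satisfied", "country": "DE", "ua": "Outlook/16.0 (Windows NT 10.0)"}
"""

# Constructed new sign-ins to evaluate: one normal, one that looks like a relayed
# session (MFA satisfied, but new country and new client), one normal, one first-use.
NEW_LOG = """
{"ts": "2018-10-09T08:01:55Z", "user": "alice", "app": "Exchange Online", "result": "success", "mfa": "satisfied", "country": "FR", "ua": "Outlook-iOS/2.0 (iPhone)"}
{"ts": "2018-10-09T08:03:12Z", "user": "alice", "app": "Exchange Online", "result": "success", "mfa": "satisfied", "country": "US", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/62.0"}
{"ts": "2018-10-09T08:10:44Z", "user": "bob", "app": "Exchange Online", "result": "success", "mfa": "satisfied", "country": "DE", "ua": "Outlook/16.0 (Windows NT 10.0)"}
{"ts": "2018-10-09T08:12:09Z", "user": "bob", "app": "SharePoint Online", "result": "success", "mfa": "satisfied", "country": "DE", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/69.0"}
"""


def parse_log(text: str) -> list:
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def build_baseline(events: list) -> dict:
    """Per (user, app): the countries and user agents seen in successful sign-ins.
    Failures are ignored so a failed attacker attempt cannot poison the baseline."""
    baseline = defaultdict(lambda: {"country": set(), "ua": set()})
    for e in events:
        if e["result"] != "success":
            continue
        key = (e["user"], e["app"])
        baseline[key]["country"].add(e["country"])
        baseline[key]["ua"].add(e["ua"])
    return baseline


def detect_anomalies(events: list, baseline: dict) -> list:
    """Alert on successful sign-ins that deviate from the per-user, per-app baseline.
    Two deviations at once on an MFA-satisfied session is ranked high: it is the
    service-side view of a session relayed through an intermediary."""
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        seen = baseline.get((e["user"], e["app"]))  # .get() does not create entries
        reasons = []
        if seen is None:
            reasons.append("first sign-in for this user/app")
        else:
            if e["country"] not in seen["country"]:
                reasons.append(f"new country {e['country']}")
            if e["ua"] not in seen["ua"]:
                reasons.append(f"new user agent {e['ua']!r}")
        if reasons:
            severity = "high" if len(reasons) >= 2 and e.get("mfa") == "satisfied" else "medium"
            alerts.append({"ts": e["ts"], "user": e["user"], "app": e["app"],
                           "severity": severity, "reasons": reasons})
    return alerts


def run_example() -> list:
    """Learn from BASELINE_LOG, evaluate NEW_LOG, return the alerts in log order."""
    return detect_anomalies(parse_log(NEW_LOG), build_baseline(parse_log(BASELINE_LOG)))


if __name__ == "__main__":
    for alert in run_example():
        print(alert["severity"].upper(), alert["user"], alert["app"], "; ".join(alert["reasons"]))
```

Only the second and fourth new sign-ins produce alerts: alice’s MFA-satisfied session from a new country on a new client is ranked high, while bob’s first use of a second application is a medium-severity “new for this user/app” event that a user-facing prompt can confirm or deny, which is the engagement step the paragraph describes.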

A few words about Ben Miller

Ben Miller is an experienced technologist and entrepreneur with a background in mathematics and software engineering. He is focused on bringing new technologies to market, which change conventional thinking. Within cyber security, we have long been used to complaining about users, and driving more work into the security team. Ben’s particular focus today is technologies which challenge this approach and instead make user empowerment a key part of the cyber discussion.

[1] https://www.mwrinfosecurity.com/assets/Whitepapers/Case-Study-Phishing-for-Credentials.pdf
[2] https://hotforsecurity.bitdefender.com/blog/search-for-chrome-on-bing-and-you-might-get-a-nasty-surprise-20501.html
[3] https://tools.ietf.org/html/rfc3492
[4] https://www.amnesty.org/en/latest/research/2018/12/when-best-practice-is-not-good-enough
