Phishing your way Past Multi-Factor Authentication
Posted on Jul 2017 by Charles Worrell
Let’s say an attacker gains access to a valid set of employee credentials. If you don’t have multi-factor authentication (MFA) in place, the attacker has hit the jackpot. They can quickly authenticate against any publicly available asset that accepts the compromised username and password.
But what if you do have MFA in place? You have a federated single-sign-on portal as the gatekeeper to your sensitive public assets, and it’s protected with MFA.
Your logins are safe from attackers, right?
Your logins are safe from attackers using compromised credentials. However, an attacker can still phish through the MFA process and gain access to your protected resources. Let’s take a look:
What… Just Happened?
That’s an example of real-time phishing. Just like in a standard phishing attack, the attacker convinced the victim to visit a fake login portal. By also collecting the user’s MFA token and submitting it to the real login portal in near real time, the attacker successfully authenticates with the MFA-protected site. The victim is then redirected with a message stating their login attempt was unsuccessful.
This attack illustrates how most one-time password (OTP) systems are affected: SMS, voice, email, authenticator apps, etc.
This Type of Attack isn’t New
MFA solutions like this have long been flawed, and real-time phishing is currently used by attackers. Organizations should be aware and put controls in place to detect and/or prevent this type of attack.
Personally speaking, I expect to see an increase in the percentage of phishing attacks that perform automated real-time MFA phishing. In fact, the day I finished my own PoC tool, another researcher publicly released a tool that leverages this same idea of phishing MFA tokens.
How can you Prevent an Attack like this?
As mentioned earlier, this isn’t necessarily a vulnerability in MFA; it’s just something that one-time passwords alone aren’t designed to protect against. The current best prevention method is to perform mutual authentication through strong crypto, and remove the user from the equation entirely.
Universal 2nd Factor (U2F) authentication was created to serve as a stronger second factor of authentication. Many modern MFA solutions rely on the user to verify that the service they are authenticating to is legitimate. In the phishing scenario above, the attacker deliberately deceives the victim into providing their MFA token to a domain the attacker controls.
U2F removes the user from the equation. U2F uses a hardware token that, when activated, uses public key cryptography to perform strong authentication, proving the user and service are legitimate. Even if a user is phished and the attacker gains their password, the attacker will lack the hardware token required to authenticate.
What’s the Best Way to Detect this Attack?
Monitor login events for suspicious activity and apply security analytics. Specifically:
- Geographic dispersion of authentication events – Using IP geolocation information will allow you to detect that an attacker is logging in from a very different location than the victim(s). Many enterprise users have multiple devices authenticated: phone for email, laptop, tablet, all located in the same place. An attacker’s login from a different location may be a detectable anomaly, compared to these “normal” logins for users.
- Multiple successful authentications for multiple users to a single new location – Let’s say an attacker compromises multiple victims. Depending on the attacker’s infrastructure, these logins may all be from the same new location. Unless these employees are all visiting the same location and logging in for the first time, this event is something that likely warrants additional investigation.
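
The two checks above, sketched over constructed login events, as an added example that is not part of the original post. The event fields, location labels and the `min_users` threshold are assumptions, and geolocation is assumed to be resolved already by the logging pipeline.

```python
from collections import defaultdict

# Constructed sample data; IPs come from RFC 5737 documentation ranges.
# Fields: (user, source_ip, geo_location, success)
BASELINE = [  # historical logins used to learn each user's normal locations
    ("alice", "192.0.2.10", "US/Chicago", True),
    ("alice", "192.0.2.11", "US/Chicago", True),
    ("bob", "192.0.2.20", "US/Chicago", True),
    ("carol", "192.0.2.30", "US/Denver", True),
]
NEW_EVENTS = [  # logins to evaluate
    ("alice", "192.0.2.10", "US/Chicago", True),
    ("alice", "203.0.113.5", "RO/Bucharest", True),
    ("bob", "203.0.113.5", "RO/Bucharest", True),
    ("carol", "198.51.100.7", "US/Chicago", True),
    ("carol", "203.0.113.5", "RO/Bucharest", False),
]

def learn_baseline(events):
    """Return (locations seen per user, locations seen by anyone)."""
    per_user, org_wide = defaultdict(set), set()
    for user, _ip, loc, ok in events:
        if ok:
            per_user[user].add(loc)
            org_wide.add(loc)
    return per_user, org_wide

def detect(baseline, events, min_users=2):
    """Flag the two anomalies from the list above.

    dispersed:  successful logins from a location new for that user.
    shared_new: locations new to the whole organization from which at
                least min_users distinct users logged in successfully.
    """
    per_user, org_wide = learn_baseline(baseline)
    dispersed, users_at_new_loc = [], defaultdict(set)
    for user, ip, loc, ok in events:
        if not ok:
            continue  # only successful authentications are in scope here
        if loc not in per_user[user]:
            dispersed.append((user, ip, loc))
        if loc not in org_wide:
            users_at_new_loc[loc].add(user)
    shared_new = {loc: sorted(u) for loc, u in users_at_new_loc.items()
                  if len(u) >= min_users}
    return dispersed, shared_new

if __name__ == "__main__":
    dispersed, shared_new = detect(BASELINE, NEW_EVENTS)
    print("new location for user:", dispersed)
    print("new location shared by several users:", shared_new)
```

In the sample, carol's Chicago login is new for her but already known to the organization, so it appears only in the first result; the Bucharest location is new to everyone and shared by two users, so it appears in both.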