
FBI warns of Attacks Bypassing Multi-Factor Authentication

In a warning issued by the Federal Bureau of Investigation's (FBI) cyber division, private industry has been alerted to attacks able to bypass multi-factor authentication (MFA). According to the law enforcement agency, this is done through a combination of social engineering, SIM swapping, and phishing tools demonstrated at a security conference in June 2019. The warning specifically covers attacks using SIM swapping, vulnerabilities in the web pages that handle MFA operations, and the use of transparent proxies such as Muraena and NecroBrowser. Used together, these two tools can bypass any form of MFA whose second factor can simply be relayed, such as a one-time code: the first intercepts the login credentials and code as the victim enters them, and the second stores that data and hijacks the resulting session cookie to log into the now compromised accounts.

Within the report the FBI went on to list a number of examples witnessed by law enforcement of attacks effectively bypassing MFA. The first listed occurred in 2016 when customers of a US banking institution were targeted by a hacker who ported phone numbers to a phone he owned, in other words, a traditional SIM swap attack. The FBI further elaborated that,

“The attacker called the phone companies' customer service representatives, finding some who were more willing to provide him information to complete the SIM swap. Once the attacker had control over the customers' phone numbers, he called the bank to request a wire transfer from the victims' accounts to another account he owned. The bank, recognizing the phone number as belonging to the customer, did not ask for full security questions but requested a one-time code sent to the phone number from which he was calling. He also requested to change PINs and passwords and was able to attach victims' credit card numbers to a mobile payment application.”

During the course of 2018 and 2019, the cyber division received numerous complaints from victims of attacks where it appeared that MFA had been bypassed, often resulting in bank accounts being compromised and funds fraudulently transferred. In one instance a hacker logged into a targeted institution's banking portal with stolen victim credentials and, on reaching the secondary page where the customer would normally need to enter a PIN and answer a security question, entered a manipulated string into the web URL.


That string altered the portal's settings to the extent that the hacker's computer was treated as a device already recognized on the account. This allowed him to skip the PIN and security question pages and initiate wire transfers from the victims' accounts.
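The notice does not disclose the string the attacker used, so the following Python example is added here as an illustration of the class of flaw it describes, not a reconstruction of the real portal: a step-up decision that trusts a client-supplied URL parameter, next to a hardened version that trusts only a server-issued, user-bound, signed cookie. The parameter name `device_recognized`, the cookie name `device_token` and the server key are hypothetical.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed example: the parameter name, cookie name and key are assumptions,
# not details from the FBI notice, which does not disclose the real string.
SERVER_KEY = secrets.token_bytes(32)


def needs_step_up_vulnerable(url):
    """Flawed check: a client-supplied query parameter decides whether the
    PIN / security-question page is shown. Anyone can append it to the URL."""
    params = parse_qs(urlparse(url).query)
    return params.get("device_recognized", ["0"])[0] != "1"


def issue_device_token(user_id):
    """Server-issued token set in a cookie only after a device has genuinely
    completed step-up. It is bound to the user and HMAC-signed with SERVER_KEY."""
    nonce = secrets.token_hex(8)
    tag = hmac.new(SERVER_KEY, f"{user_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{user_id}:{nonce}:{tag}"


def needs_step_up_hardened(user_id, url, cookies):
    """Hardened check: the URL is deliberately not consulted. Trust comes only
    from a token that verifies for this user; any defect falls back to step-up."""
    del url  # nothing in the request URL may influence the decision
    token = cookies.get("device_token")
    if not token:
        return True
    try:
        uid, nonce, tag = token.split(":")
    except ValueError:
        return True
    if uid != user_id:
        return True  # token issued to somebody else's device
    expected = hmac.new(SERVER_KEY, f"{uid}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return not hmac.compare_digest(tag, expected)
```

With the vulnerable check, appending `?device_recognized=1` to the wire-transfer URL is enough to skip the second step; with the hardened check the same URL changes nothing, and a missing, truncated, tampered or wrong-user token all lead back to the PIN and security question page.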

The warning lists several other examples that make for interesting, and worrying, reading, and reading the full warning is advised. Of particular interest are the developments presented at the June 2019 conference in Amsterdam regarding the phishing tools mentioned above, on which the FBI noted,

“At the June 2019 Hack-in-the-Box conference in Amsterdam, cyber security experts demonstrated a pair of tools - Muraena and NecroBrowser - which worked in tandem to automate a phishing scheme against users of multi-factor authentication. The Muraena tool intercepts traffic between a user and a target website where they are requested to enter login credentials and a token code as usual. Once authenticated, NecroBrowser stores the data for the victims of this attack and hijacks the session cookie, allowing cyber actors to log into these private accounts, take them over, and change user passwords and recovery e-mail addresses while maintaining access as long as possible.”
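To make concrete why a relay proxy of this kind defeats one-time codes but not an origin-bound factor, the following Python simulation is added here as an example; it is not code from the FBI notice or from the Muraena or NecroBrowser projects. The bank, the domains `bank.example` and `bank-example.com`, the user `alice`, the toy OTP, and the HMAC used as a stand-in for WebAuthn's asymmetric signature over the browser-written client data are all constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example: domains, user, secrets and the simplified protocol are
# assumptions for illustration, not details from the FBI notice.
BANK_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-example.com"   # attacker-controlled proxy domain


def current_otp(secret):
    """Toy stand-in for a TOTP/SMS code (static within one run)."""
    return hashlib.sha256(secret).hexdigest()[:6]


def sign(key, message):
    """HMAC as a stand-in for the authenticator's private-key signature."""
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


class BankServer:
    """Minimal relying party offering an OTP login and an origin-bound login."""

    def __init__(self):
        self.users = {"alice": {
            "password": "correct horse",
            "otp_secret": b"otp-seed-alice",
            "authn_key": secrets.token_bytes(32),   # stands in for a FIDO key pair
        }}
        self.sessions = {}   # cookie -> user
        self.pending = {}    # user -> outstanding challenge

    def login_otp(self, user, password, code):
        acct = self.users.get(user)
        if not acct or password != acct["password"]:
            return None
        if not hmac.compare_digest(code, current_otp(acct["otp_secret"])):
            return None
        return self._issue_session(user)

    def authn_begin(self, user):
        self.pending[user] = secrets.token_hex(16)
        return self.pending[user]

    def authn_finish(self, user, client_data, signature):
        acct = self.users.get(user)
        challenge = self.pending.pop(user, None)
        if not acct or challenge is None:
            return None
        data = json.loads(client_data)
        # The browser, not the page, writes the origin into the signed client
        # data, so the relying party can insist on its own origin.
        if data.get("origin") != BANK_ORIGIN or data.get("challenge") != challenge:
            return None
        if not hmac.compare_digest(signature, sign(acct["authn_key"], client_data)):
            return None
        return self._issue_session(user)

    def _issue_session(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie


class Victim:
    """Browser plus authenticator; `page_origin` is the site the user is on."""

    def __init__(self, server, page_origin):
        self.server = server
        self.page_origin = page_origin
        # For brevity the key is read from the server's record; only the device holds it in reality.
        self.authn_key = server.users["alice"]["authn_key"]

    def otp_code(self):
        return current_otp(self.server.users["alice"]["otp_secret"])

    def sign_challenge(self, challenge):
        client_data = json.dumps({"challenge": challenge, "origin": self.page_origin})
        return client_data, sign(self.authn_key, client_data)


def proxy_phish_otp(server):
    """Muraena/NecroBrowser-style relay: the victim types password and code into the
    proxy's copy of the site, the proxy forwards them and keeps the session cookie."""
    victim = Victim(server, PHISH_ORIGIN)
    cookie = server.login_otp("alice", "correct horse", victim.otp_code())
    return cookie is not None and server.sessions.get(cookie) == "alice"


def proxy_phish_origin_bound(server):
    """Same relay against the origin-bound factor: the browser records the proxy's
    origin in the signed data, and the bank refuses the assertion."""
    victim = Victim(server, PHISH_ORIGIN)
    challenge = server.authn_begin("alice")           # proxy forwards the challenge
    client_data, sig = victim.sign_challenge(challenge)
    return server.authn_finish("alice", client_data, sig) is not None


def legitimate_origin_bound(server):
    """Control: the same assertion made on the real site is accepted."""
    victim = Victim(server, BANK_ORIGIN)
    challenge = server.authn_begin("alice")
    client_data, sig = victim.sign_challenge(challenge)
    return server.authn_finish("alice", client_data, sig) is not None
```

Running `proxy_phish_otp` against a fresh `BankServer` hands the attacker a valid session because nothing in the OTP flow tells the bank where the code was typed; `proxy_phish_origin_bound` fails because the origin the bank checks is supplied by the victim's browser, and the proxy cannot rewrite it without breaking the signature.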

MFA Still a Vital Security Measure

While the ability of certain threat actors to bypass MFA is worrying, such instances are rare and the FBI went to great pains to reiterate that enabling MFA is still important. MFA, which can be broadly defined as any online security measure that requires more than one form of authentication, such as a password combined with a one-time code sent to a phone, should be enabled wherever possible. Recent articles published by both Google and Microsoft illustrate how rare these attacks are despite their increase. Microsoft reported that MFA compromise attacks amount to 0.1% of the attacks affecting the general population. In Google's article, they shared a very similar sentiment but went further regarding the effectiveness and importance of MFA, stating,

“Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation,”

In summary, it is safe to say that enabling MFA wherever possible is still strongly advised. These attacks are rare, and even with tools such as Muraena and NecroBrowser available, pulling one off still requires a good deal of technical knowledge. When the number of attacks MFA effectively prevents is compared with the number of MFA bypass attacks, it would be foolish to regard MFA as completely compromised. Stronger factors raise the bar further, but the type of factor matters more than its apparent sophistication: a relay proxy of the Muraena kind captures whatever the victim types, and the session cookie it hijacks works regardless of which factor was used to obtain it. A factor that cannot simply be forwarded, such as a hardware security key or a platform biometric whose assertion is bound to the legitimate site's origin, is what makes this kind of bypass near impossible.

Measures can indeed be taken to defend against such attacks, and the FBI advises that, along with making employees and administrators aware of them, corporations can further:

  • Educate users and administrators to identify social engineering trickery. This includes how to recognize fake websites, how to avoid clicking rogue links in e-mail (or blocking such links entirely), and how to handle common social engineering tactics.
  • Consider using additional or more complex forms of multi-factor authentication for users and administrators such as biometrics or behavioral authentication methods, though this may add inconvenience to these users.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
