
Gone phishing: Hackers leverage automation to launch MFA attacks and SEO poisoning


Phishing schemes have been a persistent threat since email became a prominent form of communication in the mid-1990s. In recent years, new technology has significantly advanced traditional phishing tactics, allowing for an evolution in the type of scams that hackers are unleashing via email and beyond. With deepfakes, ChatGPT, and other emerging technologies, the telltale signs that an email, SMS text message, or other form of communication was likely from a cybercriminal have become more difficult to spot.

Threat actors want the highest reward possible for the lowest cost. As technological advancements have disrupted the more basic get-rich-quick schemes more quickly and efficiently, hackers have had to become even more creative with their tactics. New tools can now mask the signs that once pointed to an email being a phishing scheme, such as spelling errors or a phony sender address, making it harder to distinguish real from fake. To put it into perspective, in the first half of 2023 there was a 68% increase in phishing takedowns compared to the first half of 2022.

With these tools in place, cybercriminals now have an abundance of new ways to exploit users, but at least two stand out as concerning this year: MFA attacks and SEO poisoning.

MFA-fatigue proves successful for hackers

Multi-factor authentication (MFA) has long been a crucial element of business security and is now required by the majority of companies as they try to make it more difficult for adversaries to gain access to and take over accounts. That said, cybercriminals are building new methods of undermining MFA into their phishing attacks, either intercepting generated codes or getting around them entirely.

We’ve seen cybercriminals turn to real-time MFA-bypassing solutions, such as “in-the-middle” techniques, MFA fatigue, and OAuth consent phishing. In fact, “in-the-middle” techniques are among the most frequently observed methods used to gain access to MFA-secured networks in 2023. Typically, MFA-bypassing techniques consist of threat actors attempting session hijacking: the stealing and selling of cookies and authentication tokens, session fixation, or session cloning. It’s especially concerning that we’re seeing a significant increase in hackers incorporating MFA-bypassing techniques into phishing operations, allowing them to seize control of session permissions and parameters, which gives them more opportunities to gain access without ever authenticating themselves.

What once felt like a foolproof safety precaution has proven exploitable, as in the recent breach of Retool's development platform, where hackers combined social engineering with phishing via text messages to convince victims to share an MFA code. Given the overwhelming number of notifications that employees receive on a daily basis, it’s easy to understand how a user may hit “approve” without thinking. Once a user lets the cybercriminal redeem a code or grants them access, the hacker has a front-row seat to privileged information.
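One defensive counterpart to the MFA-fatigue pattern described above is to alert on bursts of push prompts, and to escalate when a burst of denied or timed-out prompts ends in an approval. The detector below is an added example, not ZeroFox code or any vendor's API; the log format and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of MFA push events (not real logs): "timestamp,user,event,src_ip"
SAMPLE_LOG = """\
2023-09-01T08:00:05Z,alice,push_sent,203.0.113.7
2023-09-01T08:00:20Z,alice,push_denied,203.0.113.7
2023-09-01T08:00:45Z,alice,push_sent,203.0.113.7
2023-09-01T08:01:02Z,alice,push_timeout,203.0.113.7
2023-09-01T08:01:30Z,alice,push_sent,203.0.113.7
2023-09-01T08:01:41Z,alice,push_denied,203.0.113.7
2023-09-01T08:02:10Z,alice,push_sent,203.0.113.7
2023-09-01T08:02:25Z,alice,push_approved,203.0.113.7
2023-09-01T09:15:00Z,bob,push_sent,198.51.100.4
2023-09-01T09:15:12Z,bob,push_approved,198.51.100.4
"""

WINDOW = timedelta(minutes=10)   # look-back window per user (assumed tuning value)
MAX_PROMPTS = 3                  # more prompts than this inside the window is a burst

def parse(line):
    ts, user, event, ip = line.split(",")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip

def detect_push_fatigue(log_text, window=WINDOW, max_prompts=MAX_PROMPTS):
    """Return ("burst", user, ip, prompt_count) when a user exceeds max_prompts
    in the window, and ("approved_after_burst", user, ip, rejections) when such a
    burst, containing at least one denial/timeout, ends in an approval."""
    prompts = defaultdict(deque)    # user -> timestamps of recent push_sent events
    rejections = defaultdict(int)   # user -> denials/timeouts since last approval
    alerts = []
    for line in log_text.strip().splitlines():
        ts, user, event, ip = parse(line)
        q = prompts[user]
        while q and ts - q[0] > window:   # expire prompts that fell out of the window
            q.popleft()
        if event == "push_sent":
            q.append(ts)
            if len(q) == max_prompts + 1:  # fire once, when the threshold is crossed
                alerts.append(("burst", user, ip, len(q)))
        elif event in ("push_denied", "push_timeout"):
            rejections[user] += 1
        elif event == "push_approved":
            if len(q) > max_prompts and rejections[user] >= 1:
                alerts.append(("approved_after_burst", user, ip, rejections[user]))
            q.clear()                 # a decision closes the burst
            rejections[user] = 0
    return alerts
```

An "approved_after_burst" alert is the one worth paging on: it is the moment a worn-down user has just handed over a session, so the response is to revoke that session and re-verify the user out of band.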

On the rise: SEO poisoning via brand impersonation

Search engine optimization (SEO) poisoning attacks, which are associated with the impersonation of brand names, are also on the rise this year. SEO poisoning functions as a type of malicious advertisement in which threat actors manipulate open-source search engine algorithms that are designed to return prioritized results to the user. The result is that the first advertised link actually leads to an attacker-controlled site, which the hacker then uses to deliver malware, steal data, launch further phishing attacks, or carry out fraud.

In 2023, we observed two prominent methods of SEO poisoning: SEO cloaking and keyword stuffing. In SEO cloaking, hackers serve the search engine’s web crawlers different content than a normal visitor would see, so the indexed result differs from what the page really delivers. They can do this by filtering on IP addresses or using IP cloaking services. With keyword stuffing, the hackers add extra words to a webpage’s text, HTML code, or metadata to rank higher in the search results. This technique is easier to identify, as most ranking algorithms can catch it with their detection capabilities, but it’s harder to detect in smaller pools of results where there’s less competition in the rankings.

As SEO poisoning continues to increase across the threat landscape, domain monitoring and detection tools for typosquatting and other impersonations are critical for security teams addressing these types of phishing attacks.
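The domain monitoring mentioned above boils down to classifying newly observed domains against a protected brand. The classifier below is an added example, not ZeroFox code; the brand "example.com", the observed-domain list, and the homoglyph table are constructed, and the registrable-label logic assumes simple two-part domains rather than a full public suffix list.

```python
import unicodedata

# Constructed, deliberately small homoglyph table; production tooling needs a fuller one.
SINGLE_CHAR_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
MULTI_CHAR_HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d"}

def normalize(label):
    """Fold case, Unicode compatibility forms, and common look-alike substitutions."""
    label = unicodedata.normalize("NFKC", label).lower().translate(SINGLE_CHAR_HOMOGLYPHS)
    for pair, letter in MULTI_CHAR_HOMOGLYPHS.items():
        label = label.replace(pair, letter)
    return label

def levenshtein(a, b):
    """Edit distance; one insertion, deletion or substitution counts as one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain):
    # Assumption: second-level label is the registrable part (no multi-part suffixes).
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else None

def classify(domain, brand_label, max_distance=1):
    """Return why a domain looks like the brand, or None if it does not."""
    label = registrable_label(domain)
    if label is None or label == brand_label:
        return None
    norm = normalize(label)
    if norm == brand_label:
        return "homoglyph"                       # e.g. digit-for-letter or rn-for-m swaps
    if levenshtein(norm, brand_label) <= max_distance:
        return "typo"                            # one keystroke away from the brand
    if brand_label in norm.split("-"):
        return "combo"                           # brand plus an extra token such as "login"
    return None

def find_lookalikes(observed, brand_domain="example.com"):
    brand_label = registrable_label(brand_domain)
    return [(d, classify(d, brand_label)) for d in observed if classify(d, brand_label)]

# Constructed feed of newly seen domains (e.g. from certificate transparency or passive DNS).
OBSERVED = ["example.com", "examp1e.com", "exampl.com", "example-login.net",
            "secure-example.co", "unrelated.org", "exarnple.com"]
```

Each hit is a candidate for takedown or blocklisting; the reason string tells the analyst which impersonation technique to expect when they inspect the site.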

IT and security team members know that the sheer volume of phishing attacks and their various vectors has become daunting to manage, but there are a few steps we can take to help mitigate the risks. By developing clear cybersecurity policies and incident response plans, and ensuring maximum cyber hygiene through user training, security teams can drastically reduce the chances of a successful phishing attack. Additionally, implementing phishing-resistant MFA protocols and being more stringent with access privileges ensures that entry to company systems is more secure.

Mike Price, chief technology officer, ZeroFox
