On February 5, 2023, the popular online social forum Reddit joined the ever-growing list of companies hit by multi-factor authentication (MFA) bypass attacks. There has been an alarming number of successful MFA bypass attacks over the last year, most notably the high-profile cases of Coinbase, Twilio, Uber, and the 0ktapus campaign against Okta customers.
Reddit's chief technology officer Christopher Slowe said this particular phishing campaign saw a threat actor successfully obtain an employee's credentials and second-factor tokens after using realistic prompts to guide the victim to a website that cloned the behavior of Reddit's intranet gateway. With those in hand, the attacker could reach internal code, documents, dashboards, and business systems.
In its disclosure notice posted online, Reddit described the recent incident as a "sophisticated" and "highly-targeted" attack. While it most certainly was a targeted attack, these MFA bypass tactics are anything but sophisticated. Public perception tends to overestimate the complexity of using open-source toolkits and to assume these techniques are highly advanced. They are not. They have existed for years, and they make breaches such as Reddit's exceptionally easy for even the most rudimentary threat actors.
A paint by numbers exercise
Open-source toolkits such as evilginx2 and modlishka make launching an attacker-in-the-middle (AITM) attack as simple as a paint by numbers exercise. The toolkit runs a reverse proxy on a lookalike domain that sits between the victim and the real login page, relaying every request and response in real time. Any factor that transits the network as a value the user hands over, such as a password, a time-based one-time password, a magic link, or a mobile push approval, is simply captured or forwarded as the victim types or taps it, and the proxy ends up holding the authenticated session cookie. The attacker then logs in as that authorized user without ever needing the second factor again. Social media also makes creating a plausible phishing lure to kick off these attacks simple, so bad actors are all but walking through an organization's front door.
While in theory MFA should protect against this by requiring multiple different factors for authentication, in practice it isn't so simple. Often, these additional factors are just as vulnerable to phishing as passwords themselves. That is why the U.S. federal government has recognized campaigns targeting these weak authentication methods as a persistent threat and, in response, has moved to compel federal agencies to deploy passwordless and phishing-resistant authentication techniques by the end of 2023. We expect other regulators to follow suit quickly.
Passwords and weak MFA are doorstops — not padlocks
The Reddit breach makes it evident that security teams need to have conversations about the distinction between good and bad MFA. If we want to eliminate the risk of a breach, or at least substantially increase the cost to the attacker, it's critical to have foundationally secure authentication systems in place. Passwords and weak MFA can, at best, act as a doorstop against rudimentary cybercriminals; at worst, they let adversaries waltz right in with unsophisticated tactics.
To protect against modern threat actors, organizations will need strong padlocks and deadbolts to finally shut the front door and block a whole class of attack pathways. The industry needs to focus on modern passwordless and phishing-resistant MFA.
Throwing out the status quo
Phishing-resistant multi-factor authentication is no longer optional; it's a necessity.
We applaud Reddit for checking the boxes on quick disclosure and transparency, providing a clear timeline of events, response measures taken, and potential consequences. Unfortunately, the same attacker-in-the-middle tactics that bypassed MFA on Reddit's internal systems work just as well against Reddit's users and against the customers of any other website that relies on phishable factors. And while it's better to have 2FA than passwords alone, it's now only marginally better. Website owners will need to quickly evaluate and implement stronger authentication to keep their user data safe and secure.
Social engineering and phishing scams have been bypassing 2FA for years, but given the rapid rise in successful attacks and the simplicity of pulling off phishing attacks, first-generation MFA is no longer worth the investment. Even widely used mobile push-based MFA is phishable and easily circumvented by attackers using "prompt bombing": sending repeated authentication requests until the legitimate user, suffering from "push fatigue," approves one just to make them stop.
Modern authentication solutions are adopting the FIDO standard, which implements strong cryptographic credentials known as passkeys. A FIDO credential is a public-key pair scoped to the site that registered it: the browser records the origin the user is actually on and the authenticator signs over it, so an assertion produced on a lookalike domain is rejected by the real site and there is no password, one-time code, or push approval for a proxy to relay. FIDO-based solutions are rapidly becoming the accepted method of establishing phishing-resistant authentication. Combined with built-in device biometrics, organizations can offer low-friction and much more secure authentication options for both their workforce and their end customers.
Consider this recent breach of Reddit's internal systems a wake-up call. We also need to stop calling these incidents "sophisticated" and call out what they actually are: garden-variety easy. At the end of the day, the goal is not just to put the right name on these attacks, but to raise awareness so companies implement modern authentication and are better prepared to prevent them.
Jasson Casey, chief technology officer, Beyond Identity