Phishing attacks devised to steal user log-on credentials are still very popular. According to the Anti-Phishing Working Group, in 1Q 2022, almost 59% of all email phishing attacks involved attempted credential theft, and the threat keeps growing. Because of this threat, a growing computer security recommendation (or requirement) has been for admins and users to implement and use multifactor authentication (MFA) instead of traditional log-on names and passwords.

Although far more log-ons still involve passwords, a growing percentage of organizations and users are using MFA to log on at work or for other accounts. Today, the typical user has one or more MFA solutions, different ones for different sites and services, and still uses passwords as well.

Many computer security organizations and vendors are trying hard to replace the remaining password instances with passwordless and MFA solutions. Apple, Google, and Microsoft have launched campaigns to get users to adopt passwordless or MFA. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also launched a global campaign to get more companies and people to move to MFA.

However, requiring MFA will not stop hackers from accessing our systems. There are many ways for attackers to attack and bypass MFA, just as there were with systems protected by passwords. For each method a defender enables to stop an attacker, the attacker figures out a way to bypass that defense in an MFA-protected world.

Common MFA bypass trick

For example, a very common attacker ploy to hack MFA is to trick the user into typing their MFA-provided credentials (often known as one-time passwords) into a fake web site; the credentials are then captured and re-used by the attacker to log on to the victim’s real web site. In this scenario, the potential victim somehow gets directed to a rogue web site, often through a phishing email. The user opens and interacts with the email thinking it’s a legitimate request from the real vendor, but it really contains a malicious link that takes the user to a bogus log-on session. The bogus log-on session can prompt the user for their MFA credentials just as easily as it could have prompted the user for their password in the past, and once captured, the attacker can use them to log on to the victim’s web site or service.

Attackers manipulate noVNC to bypass MFA

In one example, a research article highlighted a browser-in-the-middle (BitM) attack tactic that used phishing and remote browser access via the popular noVNC/VNC program combination to bypass MFA. VNC, or Virtual Network Computing, has become a very popular, open source, remote control software program (similar to Microsoft’s Remote Desktop Protocol) that lets users remotely control a computer device. The newer BitM technique uses noVNC, a popular VNC server program that can run in modern desktop and mobile browsers.

Attackers can set up a noVNC server on their computer and then open the log-on page of a targeted website or service in their browser. The browser must run in kiosk mode, so that the telltale signs of a browser running are hidden from the connecting user. The attacker can then send a phishing email containing the VNC session link to the rogue web page, disguised as the actual log-on page.

If the victim clicks on the link, it will redirect the user’s browser to the attacker’s browser hosting the noVNC server program. Since the attacker’s browser runs in kiosk mode, the victim can only see the log-on webpage and not the taskbar, which would give away that they are using another browser from within their own browser.

If successfully tricked, the victim authenticates in the attacker’s browser, where the attacker has full control of the legitimate log-on session and the log-on information entered into it. After the victim successfully authenticates, the attacker can terminate the user’s originating remote session and misuse the victim’s privileges on the legitimately authenticated website or service. And if the attacker wants, they can even use the captured credentials to register their rogue device as an authorized device, so the server doesn’t require MFA in the future. The possibilities are endless.

Phishing-resistant MFA explained

Think of phishing-resistant MFA as MFA that is far more resistant to common social engineering attacks. Phishing-resistant MFA must not let man-in-the-middle (MitM) or BitM proxy attacks succeed easily. It must also remain resistant to stolen or brute-forced MFA credentials and prevent replay attacks.

The bad news: most MFA solutions deployed today are not phishing-resistant. However, businesses have a growing number of options for stronger, phishing-resistant MFA, such as FIDO2 (Fast Identity Online) and Windows Hello for Business. Buyers and evaluators of MFA should ensure the MFA solutions they are considering are phishing-resistant, and if what they use today is not, they should look at moving to more resistant forms. Here’s a list of phishing-resistant MFA solutions.

Focus on employee education

No amount of authentication complexity or MFA solutions can defend a company’s assets better than human intelligence. Make employee security awareness training a big part of the company’s overall cybersecurity strategy. No matter how robust security defenses are, users are always only a single click away from being breached. Security awareness training can help employees avoid that single click that takes them to a rogue site or service.

Educate all MFA stakeholders about their MFA solution: teach what the solution does and doesn’t protect against, and how to recognize and prevent common social engineering attacks against their form of MFA. Ongoing training and phishing simulations ensure that employees have first-hand experience of the latest phishing techniques and practice applying the security best practices everyone keeps talking about. This way, even if cybercriminals compromise advanced MFA at some point, the security team has empowered employees enough to thwart the phishing attacks that are likely the first step of most credential theft attempts.

Stu Sjouwerman, founder and CEO, KnowBe4