It is becoming easier for criminals to bypass some forms of multi-factor authentication. There is now a toolkit that does exactly this, available online for little money.
Multi-factor authentication makes accounts much more secure, but it is not the ultimate solution. A toolkit is now circulating on the dark web that lets cybercriminals bypass MFA more or less completely. MFA stays watertight as long as hackers only have credentials: without the second factor, a username and password alone are not enough to break in. This toolkit, however, lets attackers collect that second factor as well, during the phishing process itself, even when the victim uses an authenticator app such as Microsoft Authenticator.
According to Microsoft, the phishing kit is available in a basic version for as little as $300 and is already the engine behind more than a million malicious e-mails per day. The kit works by inserting itself between the victim and the legitimate website, although the start of an attack is still very classic.
Phishing site in the middle
A potential victim must first be persuaded to click on a link in an e-mail. The link leads to a deceptive portal where the hackers stand ready to steal credentials. The difference from classic phishing is that this portal forwards everything you enter to the legitimate service it impersonates, in real time. If you fall for it and type in your username and password, the hackers immediately enter them on the legitimate website.
The legitimate site notices nothing unusual: the username and password are correct, so it sends the victim a request for the second factor. At this moment the victim has no reason to be suspicious. The attack mainly targets accounts protected by a time-based one-time password (TOTP): a numeric code generated by an authenticator app and refreshed very frequently (about every 30 seconds), which you must enter immediately after your password. The unsuspecting victim types the TOTP into the phishing site, which forwards the code to the legitimate portal straight away.
There the login now succeeds. The legitimate website issues an authentication cookie to whoever completed the login. Unfortunately that is not the victim, but the hackers who sat in the middle of the login process via their phishing portal. With that cookie they gain access to the account without the victim necessarily noticing.
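The relay described in the three steps above, as an added example that is not part of the original article or of Microsoft's report: a small in-process model in which a legitimate service verifies a password and a TOTP (RFC 6238, implemented on the standard library) and hands out a session cookie, while a phishing proxy forwards whatever the victim types and keeps the cookie. The user name, password, TOTP secret and domain names are constructed for the example. The last function goes one step beyond the article: it shows why a second factor that covers the origin the browser is actually talking to, a simplified sketch of the idea behind phishing-resistant MFA, would not survive the same relay.

```python
"""Toy model of an adversary-in-the-middle (AiTM) phishing relay against TOTP.
Added example, not code from the article or from the kit it describes.
All names, secrets and cookies below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Constructed test user: password and base32 TOTP seed as an authenticator app would store it.
USER, PASSWORD, TOTP_SECRET = "alice", "correct horse battery", "JBSWY3DPEHPK3PXP"


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class LegitimateService:
    """The impersonated site. It checks the password, then the TOTP, then issues a cookie.
    Crucially it cannot tell *who* typed a correct code, only that the code is correct."""

    def __init__(self):
        self.users = {USER: (PASSWORD, TOTP_SECRET)}
        self.pending = {}   # challenge id -> username awaiting second factor
        self.sessions = {}  # cookie -> username

    def login(self, user, password):
        if self.users.get(user, (None,))[0] != password:
            return None
        challenge = secrets.token_hex(8)
        self.pending[challenge] = user
        return challenge

    def verify_totp(self, challenge, code, now):
        user = self.pending.pop(challenge, None)
        if user is None:
            return None
        secret = self.users[user][1]
        # Accept the current step and one on either side, as real verifiers do for clock skew.
        if code not in {totp(secret, now + d) for d in (-30, 0, 30)}:
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def whoami(self, cookie):
        return self.sessions.get(cookie)


class PhishingProxy:
    """The site in the middle: relays what the victim types and keeps what comes back."""

    def __init__(self, target):
        self.target = target
        self.stolen = {}

    def login(self, user, password):
        self.stolen["credentials"] = (user, password)
        return self.target.login(user, password)          # relayed in real time

    def verify_totp(self, challenge, code, now):
        cookie = self.target.verify_totp(challenge, code, now)  # relayed in real time
        if cookie:
            self.stolen["cookie"] = cookie
        return cookie  # the victim can even be let through, so nothing looks wrong


def run_aitm_attack(now=None):
    """Victim logs in through the proxy; returns whom the real service thinks holds the cookie."""
    now = int(time.time()) if now is None else now
    service, proxy = LegitimateService(), None
    proxy = PhishingProxy(service)
    challenge = proxy.login(USER, PASSWORD)        # 1. credentials typed into the phishing page
    code = totp(TOTP_SECRET, now)                  # 2. victim reads the code from the authenticator
    proxy.verify_totp(challenge, code, now)        # 3. code typed into the phishing page, relayed
    return service.whoami(proxy.stolen.get("cookie"))  # 4. attacker uses the captured cookie


def bound_code(secret_b32, challenge, origin):
    """Simplified origin-bound second factor: the response covers the origin the browser sees."""
    key = base64.b32decode(secret_b32, casefold=True)
    return hmac.new(key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


def relay_bound_factor(phish_origin="login.example.net", real_origin="login.example.com"):
    """Same relay, origin-bound factor. Returns True only if the real service would accept it."""
    challenge = secrets.token_hex(8)
    response = bound_code(TOTP_SECRET, challenge, phish_origin)  # victim's browser is on the phishing site
    expected = bound_code(TOTP_SECRET, challenge, real_origin)   # real service checks against its own origin
    return hmac.compare_digest(response, expected)


if __name__ == "__main__":
    print("TOTP relay gives the attacker a session for:", run_aitm_attack())
    print("Origin-bound factor survives the relay:", relay_bound_factor())
```

`run_aitm_attack()` returns the victim's user name because the cookie the real service issued ended up in `proxy.stolen`, exactly the situation the article describes; `relay_bound_factor()` returns `False`, because the relayed response was computed over the phishing domain and the real service verifies against its own.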
Limitations of MFA
The attack shows how powerful phishing can be and also highlights the limits of MFA. MFA works perfectly against attacks in which hackers have obtained credentials, but it cannot stop a real-time attack in which the victim is tricked into completing the MFA step and handing over the result. In essence, this is an advanced version of the criminal who calls you and asks you to read out the code from your bank's authentication device.
The defence remains the same: don't blindly click on links in e-mails. Keep an eye on the sender and, above all, on the URL in the address bar: the phishing portal lives on a domain that is not the legitimate service's, and that is the one thing the relay cannot hide. A safer habit is not to use a link in an e-mail to reach any website that asks for credentials at all. Invest the small extra effort of typing the URL yourself or navigating to the login portal via your bookmarks. That way you never land on a hacker's website in the first place.
MFA remains very useful
We would like to point out that, despite this limitation, MFA remains extremely useful, including the less secure variants such as SMS or TOTP. The majority of attacks rely on easily obtained passwords or on credential stuffing, in which attackers try to log in with credentials leaked from an earlier breach of another service. That technique would not work if everyone chose a unique password for each service, but only a small minority do. All of these attacks are stopped by MFA.
MFA as a concept remains more or less watertight. Its limit is reached when a hacker persuades someone to share the second factor, or to approve an authentication, at the hacker's request, as happens in this attack.