WatchGuard Blog

MFA phishing: the cyberattack that is compromising big company networks

Cybercriminals are well versed in the tactic of phishing, which aim to trick users into revealing confidential information and gain unauthorized access to user accounts and compromise corporate networks. A new type of phishing attack has now emerged, known as MFA phishing, which manages to evade the key protection measures deployed by corporate networks.  

The SANS 2022 Managing Human Risk report highlights the simple fact that the last line of defense against cyberattacks is people. One of the main findings of the study points out that human risk management will be fundamental to cybersecurity in the future, especially when it comes to threats launched to access corporate networks. This growing trend flags the critical need to implement a phishing-resistant MFA (multi-factor authentication) solution.  

In September last year, Uber was hit by a cyberattack on its systems after a malicious actor successfully compromised the account of one the company’s contractors. After investigating the incident, the company concluded that the cybercriminal probably purchased the target's corporate password on the dark web after the victim’s personal device was infected with malware and their credentials were exposed. This slip up was exploited by the hacker, who initiated an MFA phishing attack, after MFA fatigue led to the user accepting one of the bogus requests, resulting in a successful login.  

This case exemplifies the biggest vulnerability in cybersecurity: people. There’s no getting away from the fact that security solutions often require human interaction and people do fall victim to scams such as social engineering or phishing. 

How does MFA phishing work? 

In an MFA phishing attack, a cybercriminal attempts to trick users into revealing the confidential information they use for authentication purpose or into intervening in the fraudulent approval of the login request produced by their MFA solution. A successful MFA phishing attack obtains a target's credentials as the first step. Credential theft can occur through several means, including a combination of the following: 

  • Phishing attacks: Cybercriminals often employ the use of fake (although they look genuine) emails and websites to obtain sensitive information from unsuspecting victims. The attacker can then use this information to steal login credentials. 
  • Automated attacks: Using malicious software to access a user's credentials without their knowledge. A new two-prong tactic that is proving successful and is influencing the growing demand for infostealers on the dark web entails deploying malware to obtain a user's credentials, followed up by an MFA fatigue attack to gain access to corporate networks.  
  • Brute-force attacks: in brute-force attacks, cybercriminals use automated programs that can systematically guess passwords, usernames, and other credentials that provide access to different accounts. Credential stuffing is a brute-force attack where username and password pairs obtained from a data breach on another site are then tested. 
  • Social engineering:Threat actors seek to gain users’ trust through social engineering in order to manipulate them and obtain their credentials.  

Once the attacker obtains their target's credentials by deploying these tactics, they can use similar methods to carry out MFA phishing. SMS or email phishing is used to try to trick targets into revealing the MFA authentication code sent via these channels. Similarly, malicious actors may use a spoofing attack, where they pose as a trustworthy person, such as a legitimate employee of a company, who asks the user to reveal their login information, along with their MFA code.  

This type of attack tends to be most effective for MFA solutions that use one-time codes, but it can be more difficult to get the user to approve a request from the app on their mobile device. This is why MFA fatigue is becoming popular, as in the case of attacks on large corporate networks of companies like Uber or Cisco.  

Using this tactic, cybercriminals can send multiple push (pop-up) notifications to their target's mobile device. Overwhelmed by the number of MFA authentication requests they receive, users may start ignoring them, disable this security solution or even inadvertently grant access, thereby falling victim to an MFA phishing attack.  

Companies need a phishing-resistant MFA solution 

As this new type of attack is now escalating, companies need a solution that protects against MFA fatigue. Deploying a tool that allows users to take action if they receive unexpected push notifications reduces the possibility of accidental approval of unauthorized access.  

For MSPs seeking to protect customers, adding a phishing-resistant MFA solution to their portfolio delivers a competitive advantage over other businesses of this type. 

However, adding this functionality to existing solutions must take into account end-user friction. If this friction is high, the end user may choose to avoid or ignore security, leaving corporate networks exposed to malicious actors. WatchGuard's AuthPoint has evolved to address new advanced threats and now allows users to disable push notifications thereby reducing MFA fatigue. So, simply and without incorporating additional verification factors, if a user denies the first authentication request, the new feature offers to disable the request feature completely, which prevents users from accidentally granting access to the corporate network. Combining this functionality with others, such as policy restrictions, enhances security, which prevents unauthorized access.  

MFA phishing is an example of how cybercriminals are still finding new ways to reach their targets. Today, the only way to prevent these attacks, from a technology standpoint, is to implement a phishing-resistant MFA solution that decreases the likelihood of being affected by human error and prevents cybercriminals from accessing corporate networks.  

If you want to learn more about MFA and how this technology helps secure corporate networks, visit the following articles in our blog: