On Tuesday, Microsoft detailed an ongoing large-scale phishing campaign that can hijack user accounts even when they are protected with multi-factor authentication measures designed to prevent such takeovers. The threat actors behind the operation, which has targeted 10,000 organizations since September, have used their covert access to victims’ email accounts to trick employees into sending money to the hackers.
Multi-factor authentication — also known as two-factor authentication, MFA, or 2FA — is the gold standard for account security. It requires the account user to prove their identity in the form of something they possess or control (a physical security key, a fingerprint, or a face or retina scan) in addition to something they know (their password). As the growing use of MFA has hampered account takeover campaigns, attackers have found ways to fight back.
The adversary in the middle
Microsoft observed a campaign in which an attacker-controlled proxy site was inserted between the account users and the work server they were attempting to log into. When the user entered a password into the proxy site, the proxy site sent it to the real server and then forwarded the real server’s response back to the user. After authentication was complete, the threat actor stole the session cookie that the legitimate website had sent, the cookie that lets the user visit new pages without being re-authenticated on each one. The campaign started with a phishing email with an HTML attachment that led to the proxy server.

“Our observation is that after the first time a compromised account was logged into the phishing website, the attacker used the stolen session cookie to authenticate to Outlook online (outlook.office.com),” members of the Microsoft 365 Defender research team and the Microsoft Threat Intelligence Center wrote in a blog entry. “In several cases, the cookies had an MFA claim, meaning the attacker used the session cookie to gain access on behalf of the compromised account, even if the organization had an MFA policy.”
In the days following the cookie theft, attackers accessed employee email accounts looking for messages they could use in business email compromise scams that tricked targets into transferring large sums of money into accounts that they believed belonged to employees or business partners. The attackers used these email threads and the hacked employee’s fake identity to convince the other party to make a payment.
To prevent the hacked employee from discovering the compromise, the attackers created inbox rules that automatically moved certain emails to an archive folder and marked them as read. Over the next few days, the attacker logged in regularly to check for new emails.
“Once, the attacker ran multiple fraud attempts simultaneously from the same compromised mailbox,” the blog authors wrote. “Every time the attacker found a new fraud target, they would update the inbox rule they created to include the corporate domains of those new targets.”
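The inbox rules described above leave a trail in mailbox audit logs: a rule creation or update that moves mail to an archive folder, marks it read, and keys on an outside sender domain. The following Python is an added example, not code from Microsoft or from the report; the audit records are constructed to resemble Exchange Online entries for New-InboxRule and Set-InboxRule, but the exact record layout, the folder list beyond "Archive", and the addresses and IPs are assumptions.

```python
import json
from typing import Dict, List, Tuple

# Folders used to bury mail so the mailbox owner never sees it. The report names an
# archive folder; the other entries are assumptions about comparable hiding places.
HIDING_FOLDERS = {"archive", "rss subscriptions", "deleted items", "junk email"}
# New-InboxRule parameters that select mail by sender.
SENDER_FILTERS = ("From", "FromAddressContainsWords")
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}

# Constructed sample records, one JSON object per line, shaped loosely like
# Exchange Online audit entries. Domains and IPs are documentation/example values.
SAMPLE_AUDIT_LOG = """\
{"Operation":"New-InboxRule","UserId":"alice@contoso.example","ClientIP":"203.0.113.10","Parameters":[{"Name":"Name","Value":"."},{"Name":"FromAddressContainsWords","Value":"fabrikam.example"},{"Name":"MoveToFolder","Value":"Archive"},{"Name":"MarkAsRead","Value":"True"}]}
{"Operation":"New-InboxRule","UserId":"bob@contoso.example","ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"SubjectContainsWords","Value":"Weekly digest"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"Operation":"Set-InboxRule","UserId":"alice@contoso.example","ClientIP":"203.0.113.10","Parameters":[{"Name":"Identity","Value":"."},{"Name":"FromAddressContainsWords","Value":"fabrikam.example;woodgrove.example"},{"Name":"MoveToFolder","Value":"Archive"},{"Name":"MarkAsRead","Value":"True"}]}
{"Operation":"New-InboxRule","UserId":"carol@contoso.example","ClientIP":"192.0.2.44","Parameters":[{"Name":"Name","Value":"Hide"},{"Name":"FromAddressContainsWords","Value":"bank.example"},{"Name":"DeleteMessage","Value":"True"}]}
"""


def parse_params(record: dict) -> Dict[str, str]:
    """Flatten the Parameters array into a name -> value map."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def rule_name(params: Dict[str, str]) -> str:
    # New-InboxRule carries Name; Set-InboxRule addresses the rule via Identity.
    return params.get("Name") or params.get("Identity") or ""


def concealment_reasons(params: Dict[str, str]) -> List[str]:
    """Signals that a rule exists to hide mail rather than to organise it."""
    reasons = []
    folder = params.get("MoveToFolder", "")
    if folder.strip().lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to '{folder}'")
    if params.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks matching mail as read")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    name = rule_name(params)
    if not name.strip(" .,_-"):
        reasons.append(f"rule name {name!r} is empty or punctuation only")
    return reasons


def find_suspicious_rules(log_text: str) -> List[dict]:
    """Flag rule creations/updates that both conceal mail and key on the sender."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = parse_params(rec)
        reasons = concealment_reasons(params)
        # Hiding everything from one external domain is the pattern in the report;
        # a rule that merely files newsletters should not fire.
        if reasons and any(k in params for k in SENDER_FILTERS):
            findings.append({"user": rec["UserId"], "operation": rec["Operation"],
                             "rule": rule_name(params), "client_ip": rec.get("ClientIP"),
                             "reasons": reasons})
    return findings


def domains_added_by_updates(log_text: str) -> Dict[Tuple[str, str], List[str]]:
    """Per (user, rule): sender domains added by later Set-InboxRule updates.

    The report describes the attacker extending one rule with each new fraud
    target's domain, so a growing FromAddressContainsWords list is worth alerting on.
    """
    seen: Dict[Tuple[str, str], set] = {}
    added: Dict[Tuple[str, str], List[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = parse_params(rec)
        key = (rec["UserId"], rule_name(params))
        words = [w.strip().lower() for w in params.get("FromAddressContainsWords", "").split(";") if w.strip()]
        known = seen.setdefault(key, set())
        new = [w for w in words if w not in known]
        if rec["Operation"] == "Set-InboxRule" and new:
            added.setdefault(key, []).extend(new)
        known.update(words)
    return added


if __name__ == "__main__":
    for f in find_suspicious_rules(SAMPLE_AUDIT_LOG):
        print(f"{f['user']} {f['operation']} rule={f['rule']!r}: " + "; ".join(f["reasons"]))
    print(domains_added_by_updates(SAMPLE_AUDIT_LOG))
```

Run against the sample, the two rule operations from alice (a rule named "." that archives and marks read, later widened to a second domain) and carol's delete rule are flagged, while bob's newsletter filing rule is not; the update tracker reports woodgrove.example as the domain added to alice's rule after creation.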
It’s so easy to fall for scammers
The blog post shows how easy it can be for employees to fall for such scams. The sheer volume of email and the workload often make it difficult to tell if a message is authentic. Using MFA already signals that the user or organization is practicing good security hygiene. One of the few visually suspicious elements of the scam is the domain name used on the proxy site’s landing page. However, given how unfamiliar most organization-specific login pages look, even the sketchy domain name is not a surefire sign.

Nothing in Microsoft’s account should suggest that deploying MFA isn’t one of the most effective ways to prevent account takeovers. However, not all MFA is created equal. One-time authentication codes, even when sent via SMS, are far better than nothing, but they remain vulnerable to more exotic abuses of the SS7 protocol used to send text messages.
The most effective forms of MFA available are those that conform to industry-established standards from the FIDO Alliance. These types of MFA use a physical security key, which can come as a dongle from companies like Yubico or Feitian, or even as an Android or iOS device. Authentication can also be done through a fingerprint or retina scan, both of which never leave the end-user device, so the biometric data cannot be stolen. What all FIDO-compliant MFAs have in common is that they cannot be phished and use back-end systems that are resistant to these types of ongoing campaigns.
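The reason a relay proxy of the kind described earlier defeats passwords and one-time codes but not FIDO is that a WebAuthn assertion is bound to the origin the browser is actually on and to the relying-party identifier the authenticator was registered for. The model below is an added example, not code from Microsoft or the FIDO Alliance: the server origin, the look-alike proxy host, the user and the password are constructed, and the authenticator's signature is stood in for by an HMAC over a key shared at registration time rather than the asymmetric signature a real authenticator produces. The origin, rpIdHash and challenge checks, which are what actually stop the proxy, follow the WebAuthn verification procedure.

```python
import base64
import hashlib
import hmac
import json
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class RelyingParty:
    """The legitimate login server. ORIGIN and RP_ID are constructed values."""
    ORIGIN = "https://login.contoso.example"
    RP_ID = "login.contoso.example"

    def __init__(self, user: str, password: str, credential_key: bytes):
        self.user, self.password = user, password
        self.credential_key = credential_key  # stand-in for the stored public key
        self.pending_challenge = None
        self.sessions = {}                     # session cookie -> user

    def _issue_cookie(self) -> str:
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = self.user
        return cookie

    def login_password(self, user: str, password: str):
        # A proxy relaying the correct password is indistinguishable from the user.
        if user == self.user and hmac.compare_digest(password, self.password):
            return self._issue_cookie()
        return None

    def begin_webauthn(self) -> bytes:
        self.pending_challenge = secrets.token_bytes(32)
        return self.pending_challenge

    def finish_webauthn(self, client_data_json: bytes, auth_data: bytes, signature: bytes):
        """Checks in WebAuthn order: type, challenge, origin, rpIdHash, then signature."""
        cd = json.loads(client_data_json)
        if cd.get("type") != "webauthn.get":
            return None
        if cd.get("challenge") != b64url(self.pending_challenge or b""):
            return None
        if cd.get("origin") != self.ORIGIN:                 # assertion made on another site
            return None
        if auth_data[:32] != sha256(self.RP_ID.encode()):   # authenticator scoped to another rpId
            return None
        expected = hmac.new(self.credential_key, auth_data + sha256(client_data_json), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None
        self.pending_challenge = None
        return self._issue_cookie()


class Browser:
    """The user's browser plus authenticator; it records the origin it is really on."""
    def __init__(self, credential_key: bytes):
        self.credential_key = credential_key

    def webauthn_get(self, page_origin: str, rp_id: str, challenge: bytes):
        host = page_origin.split("://", 1)[1]
        # Browsers only allow an rpId equal to the page's host or a registrable suffix of it.
        if not (host == rp_id or host.endswith("." + rp_id)):
            raise ValueError("rpId is not valid for this origin")
        client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                                  "origin": page_origin}, separators=(",", ":")).encode()
        # authenticatorData: rpIdHash (32 bytes) + flags + 4-byte counter (layout simplified).
        auth_data = sha256(rp_id.encode()) + b"\x05" + (1).to_bytes(4, "big")
        signature = hmac.new(self.credential_key, auth_data + sha256(client_data), hashlib.sha256).digest()
        return client_data, auth_data, signature


class PhishingProxy:
    """Look-alike site relaying traffic to the real server; ORIGIN is constructed."""
    ORIGIN = "https://login.contoso-example.test"
    RP_ID = "login.contoso-example.test"

    def __init__(self, rp: RelyingParty):
        self.rp = rp
        self.stolen_cookies = []

    def relay_password(self, user: str, password: str):
        cookie = self.rp.login_password(user, password)
        if cookie:
            self.stolen_cookies.append(cookie)  # the cookie the campaign replayed
        return cookie

    def relay_webauthn(self, browser: Browser, tamper: bool = False):
        challenge = self.rp.begin_webauthn()    # the real challenge, forwarded unchanged
        try:
            cd, ad, sig = browser.webauthn_get(self.ORIGIN, self.rp.RP_ID, challenge)
        except ValueError:
            # The browser refuses the real rpId on the proxy's origin, so the proxy can
            # only obtain an assertion scoped to its own host.
            cd, ad, sig = browser.webauthn_get(self.ORIGIN, self.RP_ID, challenge)
        if tamper:
            # Rewriting origin and rpIdHash to the real values breaks the signature.
            fixed = json.loads(cd)
            fixed["origin"] = self.rp.ORIGIN
            cd = json.dumps(fixed, separators=(",", ":")).encode()
            ad = sha256(self.rp.RP_ID.encode()) + ad[32:]
        cookie = self.rp.finish_webauthn(cd, ad, sig)
        if cookie:
            self.stolen_cookies.append(cookie)
        return cookie


def run_scenarios() -> dict:
    key = secrets.token_bytes(32)              # established at FIDO registration (constructed)
    rp = RelyingParty("alice", "correct horse battery", key)
    browser, proxy = Browser(key), PhishingProxy(rp)
    results = {
        "password_via_proxy": proxy.relay_password("alice", "correct horse battery") is not None,
        "fido_via_proxy": proxy.relay_webauthn(browser) is not None,
        "fido_via_proxy_tampered": proxy.relay_webauthn(browser, tamper=True) is not None,
    }
    cd, ad, sig = browser.webauthn_get(rp.ORIGIN, rp.RP_ID, rp.begin_webauthn())
    results["fido_direct"] = rp.finish_webauthn(cd, ad, sig) is not None
    results["cookies_stolen"] = len(proxy.stolen_cookies)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The password relay hands the proxy a valid session cookie, which is the failure the campaign exploited. The FIDO relay fails twice over: the browser will not produce an assertion for the real rpId while on the look-alike origin, and an assertion for the proxy's own rpId carries the wrong origin and rpIdHash; patching those fields breaks the signature. Only the direct login, with the browser on the genuine origin, yields a session.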