
Attackers Using Social Engineering to Bypass Multi-factor Authentication, the FBI Warns

  • The FBI said that attackers are using social engineering and technical attacks to bypass multifactor authentication.
  • The notification is meant to help system administrators and providers of MFA solutions protect their networks against these attacks.

What is the issue?

The US Federal Bureau of Investigation (FBI) has issued a security advisory to private industry partners about the increasing threat of attacks against organizations and their employees that can bypass multi-factor authentication (MFA) solutions.

The big picture

The FBI wrote in a Private Industry Notification (PIN) sent out to industry partners that attackers are using social engineering and technical attacks to bypass multifactor authentication.

  • The notification is meant to help system administrators and providers of MFA solutions protect their networks against these attacks.
  • It specifically warns about SIM swapping, flaws in the web pages that implement MFA steps, and the use of tools such as Muraena and NecroBrowser.

The agency framed the notification as a precaution rather than a change of guidance: the FBI still recommends that companies use multi-factor authentication.

“Multi-factor authentication continues to be a strong and effective security measure to protect online accounts, as long as users take precautions to ensure they do not fall victim to these attacks,” the FBI said, ZDNet reported.

Some of the prominent MFA bypass attacks

The PIN also highlighted some prominent MFA bypass incidents, including:

  • In 2016, an attacker targeted customers of a US bank with a SIM swapping attack. He called the phone carriers' customer service representatives until he found some willing to hand over the details needed to port the victims' numbers to a phone he controlled. Once the victims' phone numbers were under his control, calls and SMS messages meant for them, including any verification codes, reached his handset, and he called the bank to request wire transfers from the victims' accounts to an account he owned.
  • At the June 2019 Hack In The Box (HITB) conference in Amsterdam, researchers demonstrated a pair of tools, Muraena and NecroBrowser, that automate phishing against users of multi-factor authentication. Muraena sits as a reverse proxy between the victim and the genuine login site, relaying the password prompt and the MFA prompt in real time, so the victim completes the second factor on the attacker's behalf. Once the login succeeds, the credentials and the resulting session cookie are captured in transit, and NecroBrowser drives the hijacked session to act in the victim's account for as long as that session stays valid.
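The following Python is an added example that is not part of the FBI notice, the ZDNet report or the Muraena/NecroBrowser code base. It models the relay described above with HTTP reduced to dicts so it runs offline: a minimal login site with a one-time-code second factor, and a proxy that forwards every request unchanged while recording the password, the code and the session cookie. It then goes one step beyond the text to show the caveat a practitioner cares about: the same proxy fails when the second factor is bound to the origin the browser is actually on (the role `clientDataJSON.origin` plays in WebAuthn), because the assertion carries the phishing domain and rewriting it breaks the signature. All hostnames, users, passwords, codes and keys are constructed for the example.

```python
"""Real-time reverse-proxy phishing against MFA (the Muraena/NecroBrowser pattern).

Constructed, offline model: HTTP is a dict per request/response, and every
hostname, user, password, code and key is made up. Not code from the FBI
notice, ZDNet or the tool authors.
"""
import hashlib
import hmac
import secrets

TARGET_ORIGIN = "https://bank.example"       # assumed: the legitimate site
PHISH_ORIGIN = "https://bank-example.com"    # assumed: the look-alike the victim visits


def sign_assertion(key, challenge, origin):
    """Stand-in for an origin-bound authenticator: the signature covers the
    challenge AND the origin the browser is on (as clientDataJSON.origin does)."""
    return hmac.new(key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


class TargetSite:
    """Minimal login service: password, then either a one-time code or an
    origin-bound assertion, then a session cookie that authorises /account."""

    def __init__(self):
        self.users = {"alice": {"password": "hunter2", "otp": "493021"}}  # constructed
        self.device_key = b"authenticator-key-registered-for-alice"      # constructed
        self.pending, self.challenges, self.sessions = set(), set(), {}

    def _grant(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return {"status": 200, "body": "welcome", "set_cookie": {"session": cookie}}

    def handle(self, req):
        path, form, cookies = req["path"], req.get("form", {}), req.get("cookies", {})
        if path == "/login":
            rec = self.users.get(form.get("user"))
            if rec and hmac.compare_digest(rec["password"], form.get("password", "")):
                self.pending.add(form["user"])
                return {"status": 200, "body": "enter the code sent to your phone"}
            return {"status": 401, "body": "bad credentials"}
        if path == "/otp":
            user = form.get("user")
            if user in self.pending and hmac.compare_digest(self.users[user]["otp"], form.get("code", "")):
                self.pending.discard(user)
                return self._grant(user)
            return {"status": 401, "body": "bad code"}
        if path == "/challenge":
            challenge = secrets.token_hex(8)
            self.challenges.add(challenge)
            return {"status": 200, "body": challenge}
        if path == "/webauthn":
            # Origin-bound factor: verify the signature, then insist the signed
            # origin is this site's own origin. A relayed assertion fails here.
            expected = sign_assertion(self.device_key, form.get("challenge", ""), form.get("origin", ""))
            if (form.get("challenge") in self.challenges
                    and hmac.compare_digest(expected, form.get("sig", ""))
                    and form.get("origin") == TARGET_ORIGIN):
                self.challenges.discard(form["challenge"])
                return self._grant(form.get("user"))
            return {"status": 401, "body": "assertion rejected"}
        if path == "/account":
            user = self.sessions.get(cookies.get("session"))
            return {"status": 200, "body": f"account of {user}"} if user else {"status": 401, "body": "login required"}
        return {"status": 404, "body": ""}


class PhishProxy:
    """Transparent relay between the victim's browser and the target site.
    Every request is forwarded unchanged, so the real OTP prompt reaches the
    victim and the real code goes back (the Muraena role). Form fields and
    Set-Cookie values are recorded on the way through; replaying the cookie
    afterwards is the NecroBrowser role."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.harvested = {"forms": [], "cookies": {}}

    def handle(self, req):
        if "form" in req:
            self.harvested["forms"].append(dict(req["form"]))
        resp = self.upstream.handle(req)
        self.harvested["cookies"].update(resp.get("set_cookie", {}))
        return resp


def run_otp_phish():
    """Victim completes password + one-time code through the proxy; the attacker
    replays the harvested cookie directly against the real site."""
    site = TargetSite()
    proxy = PhishProxy(site)
    proxy.handle({"path": "/login", "form": {"user": "alice", "password": "hunter2"}})
    proxy.handle({"path": "/otp", "form": {"user": "alice", "code": "493021"}})
    replay = site.handle({"path": "/account", "cookies": proxy.harvested["cookies"]})
    return replay["status"], proxy.harvested["forms"]


def run_origin_bound_phish():
    """Same proxy, origin-bound second factor: the honest assertion names the
    phishing origin and is refused; rewriting the origin in transit breaks the MAC."""
    site = TargetSite()
    proxy = PhishProxy(site)
    challenge = proxy.handle({"path": "/challenge"})["body"]
    assertion = {"user": "alice", "challenge": challenge, "origin": PHISH_ORIGIN,
                 "sig": sign_assertion(site.device_key, challenge, PHISH_ORIGIN)}
    honest = proxy.handle({"path": "/webauthn", "form": assertion})
    forged = proxy.handle({"path": "/webauthn", "form": {**assertion, "origin": TARGET_ORIGIN}})
    return honest["status"], forged["status"], proxy.harvested["cookies"]
```

`run_otp_phish()` returns status 200 for the replayed cookie, with the password and the code both sitting in the proxy's harvest: the one-time code was relayed in real time, so it never protected anything. `run_origin_bound_phish()` returns 401 for both the honest and the rewritten assertion and an empty cookie harvest, which is why the practical defence against this class of phishing is a second factor bound to the site's origin rather than a code the user can type into the wrong page.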